One session presented divergent hardware-invariant browser fingerprints (re-randomising anti-detect browser)
br.fingerprint_unstable_within_session · convicts
What it catches
Within-session BROWSER-fingerprint coherence — the browser-layer completion of the within-session invariant-rotation axis (net.ja4_unstable_within_session = TLS engine, net.ip_rotation_within_session = network origin, net.ua_rotation_within_session = UA string; this = the browser fingerprint). The DEFINING feature of an anti-detect browser (Camoufox, and the GoLogin/Multilogin profile-randomisers) is per-LAUNCH fingerprint randomisation: a fresh CPU-core count, GPU/WebGL renderer, OS profile etc. on every start. A scraper that restarts the browser mid-crawl while REUSING one site cookie (ks_sid) therefore presents DIVERGENT hardware-invariant fingerprints under ONE session — a single client whose CPU/GPU/OS 'changed', which no real browser does without a new process (= a new session). The collector posts the browser fingerprint per page load; the detector accumulates per-field seen-sets over the pre-collapse browser history in ingest (fp_seen, surviving the latest-per-kind merge collapse like observed_ip_seen) and derives a sticky browser.fp_unstable when ANY tracked field shows >=2 distinct values. Tracked fields (_FP_INVARIANT_FIELDS) are hardware/OS-bound and cannot change without a new browser process: hardware_concurrency, webgl_renderer, webgl_vendor, nav_platform_os. screen_resolution/color_depth are deliberately EXCLUDED — a real user can resize a window or move it to another monitor mid-session, so those are not FP-safe within-session invariants. FP-safe by construction: no real browser changes its CPU/GPU/OS mid-session, and browserforge calibration samples ONE fingerprint per session (one value per field), so promotion cannot raise its legit-browser flag rate (same class as the JA4/IP/UA rotation rules — calibration carries no within-session-divergence axis). GROUNDED LIVE 2026-06-20: the camoufox KS_FPROTATE evader ran two Camoufox launches (hardwareConcurrency pinned 4 then 16 — the deterministic stand-in for Camoufox's natural per-launch randomisation of that field) sharing one ks_sid; the detector accumulated 2 distinct hardware_concurrency under one session, derived fp_unstable, and tripped this rule (label bot); a single-launch Camoufox (one fingerprint) and every real-browser capture do NOT fire it — zero FP. Residual caveat: a real user genuinely could not produce this; the only theoretical confound is a browser hot-swapping a GPU (eGPU hot-plug) which would also disturb webgl across the session, a vanishingly rare case the conservative hardware-invariant field set tolerates. Complements the network triad: this catches the re-randomising-browser-reusing-a-cookie pattern that keeps its NETWORK identity (one IP/JA4/UA) stable, which the network rotation rules miss.
Signals it reads
browser.fp_unstable
How it fires
present
Evaders it caught 1
Bypassed by 10
Frontier evaders that reach the detector uncaught (scored only suspicious, defeating every convicting tell) — this check is not one that stops them. The red-team frontier this detection still has to convict.