I know we have some extra advantages in using cookies over the IP address, but my question is: why can't the container just remember the IP address of the client to identify the client when he visits his site again? Is it possible for the container to remember the client with the help of the IP address?
- IP addresses aren't unique. What happens when two people are behind the same router? – Doval Aug 14 '14 at 16:52
- What happens when one person is using Tor? – Aug 14 '14 at 16:54
- And people's IP addresses might change frequently (home broadband). – GrandmasterB Aug 14 '14 at 16:54
- Proxies show up as 1 IP address, regardless of how many people are behind them, for example everyone at a company. – Jeff-Inventor ChromeOS Aug 14 '14 at 18:24
- My IP changes quite a few times while accessing applications on my mobile device as I move about town hitting different wifi spots. – stephenbayer Aug 15 '14 at 16:51
- It's nice to know that even when IPv6 rolls out proper this problem will still not be solved thanks to privacy extensions changing your address over time. – Lars Viklund Aug 17 '14 at 15:42
- @Jeff-InventorChromeOS And vice versa, too: some ISPs have clusters of proxy servers such that a single user's requests can appear to come from multiple IP addresses. Last time I checked, AOL did this, for instance. – Jules Aug 17 '14 at 20:46
5 Answers
A client is identified by a cookie as well as the IP address. However, the IP address cannot be used exclusively:
- What if two clients are located behind the same NAT firewall or proxy? They will have the same external IP address to the server.
- What if a user has two different browsers open on the same machine, and wants two separate sessions (maybe for testing?)
- A user may have a dynamic IP address which conceivably could change during a session.
- An attacker may be able to spoof an IP address and take over a session if it relied on IP address alone.
This means an IP address does not uniquely identify a client in all cases.
- Another problem is that the client may have control over the IP address they are using so an attacker may be able to impersonate someone else. – jhulst Aug 14 '14 at 17:14
- Using an IP address at all to identify a client is a huge bug. My IP address probably changes several times a minute while walking down the street accessing a site from my phone. – R.. GitHub STOP HELPING ICE Aug 14 '14 at 22:25
- And using IP addresses is going to make for angry users as they now can't edit their submissions they made from their laptop while in a hotel once they get home and are on a different network. – jwenting Aug 15 '14 at 06:38
- @R.. I am sorry, but this is blatantly wrong. Your radio cell has nothing to do with your IP address, the IP layer is above cell communication (using the physical layer) in the OSI model. Still, using an IP address to identify clients is still wrong, but not for this reason. – dirkk Aug 15 '14 at 08:57
- @dirkk If he's on WiFi and connecting to different, independent, networks with their own public IPs, that can certainly happen. A mobile network *could* also decide to provide different IP addresses when you change cells. If I plug (layer1) my laptop into a different network, that could certainly change my IP (layer3). – Bob Aug 15 '14 at 10:37
- I am no expert on how wireless telcos assign IP addresses, but I can speak to the wifi: if I were walking down a busy street _and_ I had my wireless device configured to connect to any and all wifi networks it could, I would fully expect its wifi IP address to change frequently. – Aug 15 '14 at 11:21
- @Bob Obviously, when connecting to different WiFis you will get assigned different IPs, but I don't think anyone was talking about WiFi (because who has access to several WiFis when walking down the street?). And of course they _could_, but it is neither done in practice nor is it feasible. And theory makes no sense here; your ISP could also decide to give you a new IP every 5 minutes, but obviously they won't. – dirkk Aug 15 '14 at 11:26
- And to be clear: My argument here is not that it would be valid to use the IP address as means of identification. The answer and the comment are absolutely right about that. I'd just like to correct the statement (so that readers don't learn false information), so that no one thinks your IP address will change during cell handover. It won't. – dirkk Aug 15 '14 at 11:29
- @dirkk If I go downtown and walk around an area with tons of bars and restaurants, I most certainly _will_ have access to several WiFi networks in a small amount of time. – Aug 15 '14 at 11:30
- @Snowman Still, I don't think this is what was meant, so any discussion about it is rather pointless. Still, I'd like to point out that if this is the case it seems like you automatically connect to any open WiFi around, which seems hazardous from a security point of view. – dirkk Aug 15 '14 at 11:36
- @dirkk I agree it is a bad idea, I was addressing your statement "(because who has access to several WiFis when walking down the street?)" – Aug 15 '14 at 11:37
- @dirkk: Please don't accuse me of being wrong about something you have no idea about. As Bob suspected, I **was** talking about wifi. I have access to 8+ cafes and other business access points, plus (lower-quality) city-provided wifi access points along the street, and my phone regularly jumps between them while walking. – R.. GitHub STOP HELPING ICE Aug 15 '14 at 14:52
- @R.. Even without wifi, your mobile device's IP address can change multiple times in a minute. Some networks have addresses you only get for a single session or number of seconds. Unless you have a private APN with static IP addresses of course... – DavidG Aug 15 '14 at 16:16
- Even without wifi, cell roaming can and most likely will change your IP address, otherwise the broadcast domain would have to be huge. – GnP Aug 15 '14 at 18:32
- @dirkk My mobile IP changes all the time as I move around. Thanks to the way Sprint has rolled out their network, I get different sets of addresses on their LTE gear than their normal CDMA stuff. It's truly frustrating and doesn't make a whole lot of sense, but it happens. – Brad Aug 15 '14 at 19:24
Sometimes you can use IP address.
If you're on a LAN or are otherwise dealing exclusively with users that have IPs statically distributed to single clients, using that address is perfectly fine -- sometimes preferable and necessary.
But, usually you can't.
If you're running a public site, most of the IP addresses that hit your server aren't static or dedicated. Most of them represent multiple clients: Your desktop, laptop, and cellphone all go out over the same IP address when you're on your home network. And that IP can change -- even mid-session.

- Even on a LAN you can't. If I open a site in Firefox and Internet Explorer I fully expect to have two different sessions. – Pieter B Dec 15 '15 at 09:05
- @PieterB I didn't understand your point of the different session. Can you please explain it? – JAVA Dec 20 '15 at 17:30
- @java When I log into my bank's website with Firefox, I do not expect to be logged in with Chrome. Both browsers work independently with their own sessions. – Pieter B Dec 20 '15 at 19:25
- @PieterB It still just depends on the requirements. If the requirements state that every "session" should span "all web clients on a local device," IP address is probably what you want. – svidgen Oct 07 '16 at 15:56
Three more reasons to add:
- Multiuser workstations and terminal servers exist. Many users could be running completely independent browser processes in separate sessions.
- IP addresses aren't persistent. An address could be reassigned when a DHCP lease expires.
- The application should support roaming. For example, a user on a phone might drop out of WiFi range and get handed off to a 3G connection. The IP address would change, but it would be nice to let the web application keep working.

Using an IP address as an identifier is generally not recommended, as it is not what an IP address is meant for - functionally it is a plain address for routing from a to b, and it tells nothing about what is before a or after b.
For example, the same IP address may be shared by a number of NATed devices, the most common cases being
a) a provider dynamically assigning a pool of addresses to its customers, which is quite common as by buying the same quantity of public addresses you can serve more customers (you need just enough addresses for simultaneous users, not total users)
b) a private network accessing the web from a single address, internally redirecting packets to hundreds or thousands of machines

Apart from the fact that two computers can be behind a NAT and have the same IP address, your concept of client needs to be right.
The client is very much NOT the computer you're communicating with, but the browser running on that computer.
Your browser doesn't care much about which IP address your computer has, your operating system does. And that's why you can't rely on IP addresses. The browser does care about cookies and they're under the browser's control. That's why you use cookies for sessions.
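
The failure cases raised in the answers above (a shared NAT address, an address that changes mid-session), as an added example that is not part of any answer on this page: a session store keyed by source IP beside one keyed by a random cookie token. The class names, the `SESSIONID` cookie name and the documentation-range addresses are constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

class IpKeyedSessions:
    """Identifies a client by source IP only (the approach the question asks about)."""
    def __init__(self):
        self._by_ip = {}
    def handle(self, request):
        # Every request from the same address lands in the same session.
        return self._by_ip.setdefault(request["ip"], {"id": len(self._by_ip) + 1})

class CookieKeyedSessions:
    """Identifies a browser by an unguessable token it stores and sends back."""
    COOKIE = "SESSIONID"  # hypothetical cookie name
    def __init__(self):
        self._by_token = {}
    def handle(self, request):
        jar = SimpleCookie(request.get("cookie", ""))
        token = jar[self.COOKIE].value if self.COOKIE in jar else None
        if token not in self._by_token:        # new browser, or a token we never issued
            token = secrets.token_urlsafe(32)  # CSPRNG output, never derived from the IP
            self._by_token[token] = {"id": len(self._by_token) + 1}
        session = self._by_token[token]
        set_cookie = f"{self.COOKIE}={token}; HttpOnly; Secure; SameSite=Lax; Path=/"
        return session, set_cookie

def browser_cookie(set_cookie):
    """What a browser sends back: only the name=value pair, not the attributes."""
    return set_cookie.split(";", 1)[0]

def scenario(store_cls):
    """Constructed traffic: two browsers behind one NAT address, one of which roams."""
    store = store_cls()
    def visit(ip, cookie=""):
        result = store.handle({"ip": ip, "cookie": cookie})
        return result if isinstance(result, tuple) else (result, "")
    alice, alice_ck = visit("203.0.113.7")   # Alice, behind the office NAT
    bob, _ = visit("203.0.113.7")            # Bob, same external address
    # Alice moves to mobile data: new address, same browser cookie jar.
    alice_roamed, _ = visit("198.51.100.23", browser_cookie(alice_ck))
    return {
        "nat_users_share_session": alice is bob,
        "session_survives_ip_change": alice_roamed is alice,
    }

if __name__ == "__main__":
    for cls in (IpKeyedSessions, CookieKeyedSessions):
        print(cls.__name__, scenario(cls))
```

The IP-keyed store hands Bob Alice's session and loses Alice's session when her address changes; the cookie-keyed store keeps the two browsers apart and follows Alice across networks.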
