26

I know we have some extra advantages in using cookies over the IP address, but my question is: why can't the container just remember the IP address of the client to identify the client when he visits the site again? Is it possible for the container to remember the client with the help of the IP address?

Robert Harvey
  • 200,592

5 Answers

81

A client is identified by a cookie as well as the IP address. However, the IP address cannot be used exclusively:

  • What if two clients are located behind the same NAT firewall or proxy? They will have the same external IP address to the server.
  • What if a user has two different browsers open on the same machine, and wants two separate sessions (maybe for testing?)
  • A user may have a dynamic IP address which conceivably could change during a session.
  • An attacker may be able to spoof an IP address and take over a session if it relied on IP address alone.

This means an IP address does not uniquely identify a client in all cases.

18

Sometimes you can use IP address.

If you're on a LAN or are otherwise dealing exclusively with users that have IPs statically distributed to single clients, using that address is perfectly fine -- sometimes preferable and necessary.

But, usually you can't.

If you're running a public site, most of the IP addresses that hit your server aren't static or dedicated. Most of them represent multiple clients: Your desktop, laptop, and cellphone all go out over the same IP address when you're on your home network. And that IP can change -- even mid-session.

svidgen
  • 15,252

10

Three more reasons to add:

  1. Multiuser workstations and terminal servers exist. Many users could be running completely independent browser processes in separate sessions.
  2. IP addresses aren't persistent. They could be reassigned when a DHCP lease expires.
  3. The application should support roaming. For example, a user on a phone might drop out of WiFi range and get handed off to a 3G connection. The IP address would change, but it would be nice to let the web application keep working.

200_success
  • 1,578
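The NAT and roaming cases from the top answer and from 200_success's list, as an added simulation (Python rather than a servlet container; not code from any of the answers). The traffic in `TRAFFIC` is constructed, and `run_ip_keyed`, `run_cookie_keyed` and `compare` are assumed names:

```python
import secrets

# Constructed sample traffic (not from the original post): alice and bob share one
# NAT address; carol's phone roams from WiFi to 3G in the middle of her session.
TRAFFIC = [
    ("203.0.113.5", "alice"),   # alice, first request
    ("203.0.113.5", "bob"),     # bob, same public IP as alice
    ("198.51.100.7", "carol"),  # carol on WiFi
    ("203.0.113.5", "alice"),   # alice again
    ("192.0.2.44", "carol"),    # carol handed off to 3G: new IP, same browser
]

def run_ip_keyed(traffic):
    """Session id = source IP, as the question proposes. Returns {ip: [users seen]}."""
    sessions = {}
    for ip, user in traffic:
        sessions.setdefault(ip, []).append(user)
    return sessions

def run_cookie_keyed(traffic):
    """Session id = random cookie the browser sends back. Each browser has its own
    cookie jar, modelled here as one jar per user. The IP is only logged."""
    sessions, jars = {}, {}
    for ip, user in traffic:
        cookie = jars.get(user)
        if cookie not in sessions:                  # no cookie yet, or an unknown one
            cookie = secrets.token_urlsafe(16)      # unguessable, unlike an IP
            sessions[cookie] = {"users": [], "ips": []}
            jars[user] = cookie
        sessions[cookie]["users"].append(user)
        if ip not in sessions[cookie]["ips"]:
            sessions[cookie]["ips"].append(ip)      # IP change is roaming, not a new client
    return sessions

def compare(traffic):
    """Summarise how each scheme mis-identifies clients on the sample traffic."""
    by_ip, by_cookie = run_ip_keyed(traffic), run_cookie_keyed(traffic)
    users = {u for _, u in traffic}
    return {
        "ip_sessions": len(by_ip),
        "cookie_sessions": len(by_cookie),
        # NAT: distinct users collapsed into one IP-keyed session
        "nat_merged_ips": [ip for ip, us in by_ip.items() if len(set(us)) > 1],
        # roaming: one browser seen as several IP-keyed sessions
        "roaming_split_users": sorted(u for u in users
                                      if sum(u in us for us in by_ip.values()) > 1),
        "cookie_sessions_with_mixed_users": sum(len(set(s["users"])) > 1 for s in by_cookie.values()),
        "max_ips_per_cookie_session": max(len(s["ips"]) for s in by_cookie.values()),
    }
```

Running `compare(TRAFFIC)` shows the IP-keyed store merging alice and bob and splitting carol into two clients, while the cookie-keyed store keeps one session per browser and simply records carol's second IP.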
2

Using the IP address as an identifier is generally not recommended, as it is not what an IP address is meant for: functionally it is a plain address for routing from a to b, and it tells nothing about what is before a or after b.

For example, the same IP address may be shared by a number of NATted devices, the most common cases being

a) a provider dynamically assigning a pool of addresses to its customers; that is quite common, as with the same quantity of public addresses you can serve more customers (you need just enough addresses for simultaneous users, not total users)

b) a private network accessing the web from a single address, internally redirecting packets to hundreds or thousands of machines

Dice9
  • 29
  • 1
1

Apart from the fact that two computers can be behind a NAT and have the same IP address, your concept of a client needs to be right.

The client is very much NOT the computer you're communicating with, but the browser running on that computer.

Your browser doesn't care much about which IP address your computer has; your operating system does. And that's why you can't rely on IP addresses. The browser does care about cookies, and they're under the browser's control. That's why you use cookies for sessions.

Pieter B
  • 13,310