If you visit a website they will know your IP address. But what about when you change broadband connection?

Solution 1:

It depends on the website, what techniques it uses, and how reliable those techniques are.

The "official" way to recognise a user when they change IP address (or when multiple users share an IP address) is by a cookie. That is, some information generated by the site, stored on the user's machine, and returned to the server each time the user requests a page from that site or a closely-related site. If the IP address changes but the cookie is the same, then the site will reckon that you're the same person. Of course, some sites "bind sessions" to an IP address, which means they'll make you log in again when they detect an IP address change, and perhaps give you a new cookie. Often that's a question of them making sure you're the same person. They already strongly suspected it, and were correct in their suspicion; they're just confirming to make it harder for someone to steal your cookie and hijack your login.

Now, you could choose to delete that cookie (for example perhaps you configured your browser to delete cookies when closed, and at the same time as changing broadband connection you rebooted your machine or at least restarted your browser). Then the site has a harder task identifying you, but there are tricks it can use. Generally it will not admit to you that it has identified you, because it's not using the "official" means, but it might try to identify you for example because:

  • it has trouble with abusive users, so it tries to match up unknown visitors to known abusers
  • it wants to track all users, and chooses not to restrict itself to the official agreed means of doing so

The main means to identify are as follows; each breaks down into many separate tricks and techniques:

  • data stored on your machine other than cookies (https://en.wikipedia.org/wiki/Zombie_cookie, https://en.wikipedia.org/wiki/Evercookie). Sometimes this is more or less legitimate, for example a Flash app is likely to use Flash cookies without any specific intent to avoid the restrictions of regular browser cookies. Sometimes it's an outright abuse of user privacy.
  • properties of your machine and browser that allow it to be uniquely identified (to a certain confidence) without storing anything at all, aka "fingerprinting": (https://panopticlick.eff.org/, https://en.wikipedia.org/wiki/Device_fingerprint). This is unlikely to happen incidentally: a site doing this knows that it's taking steps to try to identify you even if you don't want to be identified. So it's rare.
  • behaviour of the user (this is available in principle but rarely very practical. It can for example help detect automated web-scrapers that the site wants to block).

Solution 2:

An IP (version 4) address has the following problems if you are using it to track individual users:

  • Many users use an ISP that gives them a temporary DHCP-issued address which can change anytime.

  • Many users are behind a router that uses NAT to allow multiple users to appear to originate from the same IP address.

  • Some users may be using a proxy server to access your website due to a policy of their workplace, ISP, or government.

So, while a well-designed website will still do things like block on the IP level if abuse from a specific IP is detected, the website itself will use cookies to tell users apart.

If a server "sets" a cookie, what is supposed to happen afterward, if the client "accepts" that cookie, is that the client sends that cookie back with each future HTTP request (in the HTTP headers).

So, all the server needs to do is "set" a single cookie that has a random value, and preferably is a nonce - a value that can only happen once. Then the client keeps sending it back and it can be used to identify the client.

So, this cookie will determine your session on the server (hence why it is called a session cookie) and will allow the website to connect incoming HTTP requests with a current login, determine if your login has timed out, etc.


An interesting yet not totally relevant thing: Some cross-site scripting attacks try to trick your browser into giving a different website such a session cookie and then using it to do things as if the attacker were logged in as you. A good website can mitigate this by invalidating the session cookie and maybe raising a security alert if it detects a sudden IP change.
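The cookie scheme both answers describe, as an added example that is not part of either answer: a random session cookie identifies the visitor across an IP change, and an IP-bound session is invalidated and flagged instead. The class and function names, the in-memory store and the 30-minute timeout are assumptions made for illustration.

```python
import secrets
import time

SESSION_TTL = 1800  # assumed: seconds of inactivity before a login times out

class SessionStore:
    """In-memory session table keyed by an unguessable cookie value."""

    def __init__(self, bind_ip=True, clock=time.monotonic):
        self.bind_ip = bind_ip
        self.clock = clock
        self.sessions = {}   # token -> {"user", "ip", "seen"}
        self.alerts = []     # (user, old_ip, new_ip) kept for review

    def login(self, user, ip):
        # 256 bits from the OS CSPRNG: unique in practice and not guessable.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "ip": ip, "seen": self.clock()}
        return token         # sent to the browser as the Set-Cookie value

    def resolve(self, token, ip):
        """Map the cookie on an incoming request to (user, status)."""
        s = self.sessions.get(token)
        if s is None:
            return None, "unknown"
        now = self.clock()
        if now - s["seen"] > SESSION_TTL:
            del self.sessions[token]
            return None, "expired"
        if ip != s["ip"]:
            if self.bind_ip:
                # Treat the cookie as possibly stolen: kill it, log, re-auth.
                self.alerts.append((s["user"], s["ip"], ip))
                del self.sessions[token]
                return None, "reauth"
            s["ip"] = ip     # unbound: the cookie alone identifies the visitor
        s["seen"] = now
        return s["user"], "ok"

def demo():
    # Constructed scenario; addresses are from documentation ranges.
    bound, loose = SessionStore(bind_ip=True), SessionStore(bind_ip=False)
    tb, tl = bound.login("alice", "192.0.2.10"), loose.login("alice", "192.0.2.10")
    return [
        bound.resolve(tb, "192.0.2.10"),     # same connection
        loose.resolve(tl, "198.51.100.7"),   # new broadband, same cookie
        bound.resolve(tb, "198.51.100.7"),   # new IP on a bound session
        bound.resolve(tb, "192.0.2.10"),     # old cookie is now dead
    ]
```

A real site would keep this table in a shared store and set the cookie with the `Secure` and `HttpOnly` attributes.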