

Ask HN: Why not bind the cookie to the IP address of the user? (Facebook and Tunisia) - pankratiev

This thought came to me when I read the comments about Facebook, passwords and Tunisia http://news.ycombinator.com/item?id=2135563

In this case stealing the cookie will not be so reasonable. And it can be easily implemented - just store the key of the cookie with the IP address of the user on the server side.

What do you think?
======
Khao
It's not possible to do this as with certain ISPs that assign dynamic IPs or
inside large buildings that have multiple outgoing IPs, one user can have a
different IP for different requests made at the same time.

~~~
pankratiev
Oh, I missed the problem with dynamic IPs. But what about the MAC address? Why
don't browsers bind the cookie to the MAC address of the computer?

~~~
mooism2
Browsers? You mean web servers, surely? Servers don't know the client's MAC
address.

~~~
pankratiev
In the post I meant server-side; in my comment I meant client-side.

The general question: why not bind the cookie to some other identifier of
the user or the user's computer, to make the cookie useless in a thief's hands?

~~~
mooism2
In general, the attacking computer can pretend to have the characteristics of
the impersonated computer.
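
The server-side binding proposed in the question, run against the situations raised in the first reply, as an added example that is not part of the original thread. `SessionStore`, its prefix-length setting and every address below are constructed for illustration.

```python
import ipaddress
import secrets

class SessionStore:
    """Server-side session table that remembers the client network seen at login."""

    def __init__(self, prefix_v4=32, prefix_v6=128):
        # Hypothetical policy knob: 32/128 means the request IP must match exactly.
        self.prefix = {4: prefix_v4, 6: prefix_v6}
        self.sessions = {}  # cookie value -> (user, network bound at login)

    def login(self, user, ip):
        addr = ipaddress.ip_address(ip)
        net = ipaddress.ip_network(f"{addr}/{self.prefix[addr.version]}", strict=False)
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (user, net)
        return cookie

    def authenticate(self, cookie, ip):
        """Return the user only if the cookie is known and the IP is in the bound network."""
        entry = self.sessions.get(cookie)
        if entry is None:
            return None
        user, net = entry
        addr = ipaddress.ip_address(ip)
        if addr.version != net.version or addr not in net:
            return None  # cookie presented from an unexpected address
        return user

# Constructed requests; addresses come from the RFC 5737 documentation ranges.
LOGIN_IP = "203.0.113.10"
CASES = {
    "user_same_ip": "203.0.113.10",
    "user_new_egress_ip": "203.0.113.77",    # same user, other outgoing IP of the building
    "user_new_isp_lease": "198.51.100.5",    # same user after a dynamic IP change
    "thief_same_public_ip": "203.0.113.10",  # stolen cookie replayed from behind the same NAT
    "thief_elsewhere": "192.0.2.99",         # stolen cookie replayed from another network
}

def evaluate(prefix_v4):
    """Log in once from LOGIN_IP, then report which constructed requests are accepted."""
    store = SessionStore(prefix_v4=prefix_v4)
    cookie = store.login("alice", LOGIN_IP)
    return {name: store.authenticate(cookie, ip) == "alice" for name, ip in CASES.items()}

if __name__ == "__main__":
    for prefix in (32, 24):
        print(f"/{prefix}:", evaluate(prefix))
```

Exact matching logs the legitimate user out on every address change, while loosening the match to a /24 keeps some of those sessions alive; in both settings a replay from the same public IP is accepted.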

