httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <>
Subject Re: [users@httpd] What is unique? Access stats and IP's
Date Fri, 05 Sep 2003 14:04:00 GMT
On Fri, 5 Sep 2003, Bill Moran wrote:

> Eric Frazier wrote:
> > Hi,
> >
> > I just wanted to get an opinon. When you consider the idea of a unique
> > vistor, the brain dead way of doing that is to say, one IP one visitor, or
> > one cookie one visitor. But aside from cookies, when using IP address, you
> > do have to take into account that a vistior from an IP address at 8AM may
> > very well not be the same vistor as at 8PM because they are both behind the
> > same firewall/proxy.

It's much worse than that.  Some big sites like AOL use a rotating series
of proxies, so you can easily have multiple hits from the same IP address
within a minute all coming from different people, AND you can have
multiple hits from different IP addresses within a minute all coming from
the same person.  Plus unless you use cache-busting techniques, many of
your "sessions" will have their beginning or ending cut off.

> The problem is rooted in the fact that HTTP was not really intended for
> security, and therefore not really intended for logging.

Huh?  Where do you get that from?

The problem is that HTTP is a stateless protocol.  Each HTTP request looks
completely independent.  This is a major benefit of the protocol in many
different ways, ranging from security to cachability, to the usefulness of
the URL as a reference to an object.

But it obviously makes life more difficult for people who want to keep
state.  The obvious solution is cookies, which are designed exactly to
bridge the state gap.  Unfortunately, somewhat of a hysteria has developed
over cookies.  Session cookies (those that are erased when the browser is
closed) have no real privacy implications, and there is no reason to block
them.  But many people do anyway.  (Cookies do have their disadvantages
for the website operator, however.  For example, they break cachability.)

So what is the solution?  There is no easy one.  If you really need to
track sessions and individual visitors, you can use some combination of
cookies, IP address, URL-path-cookie, referer, and time.  But you'll never
get something perfectly exact.  You'll only get an estimate.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message