How Apache identifies clients/browsers?

[alluoshi]

Hi guys. I would like to know how Apache identifies clients/browsers. If many users are accessing a multi-user web application through Apache at the same time from their browsers, what is the method that Apache uses to identify each client or even each browser on the same machine?

[corbin]

There is no reliable way to know who/what is connecting to a server.  HTTP is a very trusting protocol (because it has to be, not because it has a flaw [in that respect]).

 

Apache doesn't specifically ID clients/browsers.  It knows the IP address, and it knows the headers the client sent.  That's all it knows.  It only knows what the client tells it.  And all of the information is very, very easily fake-able.

 

"what is the method that Apache uses to identify each client or even each browser on the same machine?"

 

That could be told by IP address (although, IP addresses can be the same for computers behind a router too, so it could actually be multiple computers).  There's no solid way to know if a subsequent, or even a concurrent request is from the same machine.

[alluoshi]

After doing some experiments and testing the log file, I noticed that each client/browser is identified by a token. But this token comes from php and not from Apache. As you said, Apache knows the ip address of the client but a client might use many browsers on the same machine. So do you think that the identification of each client comes from php or any server side scripting?

[corbin]

It's probably PHP sessions.