Can Tracking Cookies break Anonymity?

[NGRhodes]

Quote:

Originally Posted by Cutting_Edgetech

Can a tracking cookie be engineered to record all IP addresses used by a particular user when visiting a website, and then pass that information back to that website each time a user visits the website again? If this is possible then ones anonymity could be broken if a user had visited the website before while using their ISP's connection without their VPN connected. I would think it is, and maybe already in use by bad tracking cookies.

This is a topic I am familiar with as a web developer as we actually check ip addresses do not change to reduce fraudulent/hijacked/automated registrations and it has been know to break with AOL users even as recent as 2011.

You need to transmit your IP address to a website initially before the server sends any information back (how else will it know where to send the return data), so a tracking cookie only needs to hold a unique id and everytime that cookie is read you can be associated with your current ip address.

If you changed your connection whilst in the SAME browsing session, the session will not automatically change (unless the server is coded to match session and IP addresses) and as a result your different IP addresses will be transmitted to the webserver, no tracking cookie needed and be associated as the same user because the session has not changed.
And note you can track session from cookie OR using querystring appended to the end of the URL (like Wilderssecurity does for unauthenticated users).

The only safe way is to destroy active browsing sessions and cookies when changing IP address.

Cheers, Nick.