In the field, I'm always asked, "why can't we just use the IP address to sessionize?" Well, this is a bad idea for several reasons. To understand why, it's important to first realize what sessionizing means. HTTP is a stateless protocol, so we have to create state for individual web users so that the back-end servers hosting the sites can keep track of who you are, where you've been on their site, and what you are doing. Without saving state, eCommerce would be nearly impossible, since the site would have no recollection of you adding something to your shopping cart on the last page! So, this is typically dealt with using cookies on the browser side, along with a randomly generated code on the application server side. Typical off-the-shelf application servers like Apache JBOSS/Tomcat, IBM Websphere, and Oracle WebLogic might recommend using a variable called JSESSIONID. Developers are free to use whatever they prefer, however.
That said, it's still not clear to many why IP addresses won't work just as well. For instance, on my iPhone I have an external IP address from Verizon that is unique in the world. My IP address is unique to me and me only. Shouldn't that be unique enough to bundle pages together for a replay? Well, yes. And this would work sometimes. In fact, it's the default way that FxM sessionizes until you change it. However, there are many reasons this could become a problem:
- At home I have one IP address from Verizon FiOS that sees the outside world. What if my wife and I are BOTH ordering from Amazon at the same time? Wouldn't that show up as the same session in FxM and FxV? Yes, it would. Instead we have separate session IDs on separate computers so there is no problem.
- What about large companies that concentrate internal IPs to one external IP? Also very common. From the eCommerce site's perspective, all those hits are coming from the same IP but could represent scores of users.
- China has the "great firewall" where there are only a handful of external IP addresses users are piped through.
- AOL is the example I want to highlight here. America On-Line is still a huge ISP presence in the world. They do something called IP Multiplexing. This is where they DO give each user an externally routable IP address on the Internet, HOWEVER, they bundle several of them together at their ISP "hubs" and some of those IPs are shared. The multiplexing logic at their facilities (probably NAT) knows how to keep the packets separate but the Internet doesn't. This means that sessionizing by IP wouldn't work in this case either.
Check the picture below and you'll see that several of the grouped IP addresses (4th column from right) are the same but the browser type is different. This validation from FxV is definitely caused by the AOL multiplexing issue. Each line represents an individual user session but with the proper sessionizing it won't matter.
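To make the shared-IP problem concrete, here is an added example (not code from FxM or FxV) that groups the same hits first by client IP and then by the JSESSIONID cookie. The log format, addresses, and session values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not from the original post). Format assumed for
# this example: client IP, request path, "User-Agent", "Cookie header".
LOG = '''\
203.0.113.10 /home "Firefox" "JSESSIONID=A1F3; theme=dark"
203.0.113.10 /home "Safari" "theme=light; JSESSIONID=9C7E"
203.0.113.10 /cart/add?sku=42 "Firefox" "JSESSIONID=A1F3; theme=dark"
203.0.113.10 /checkout "Safari" "theme=light; JSESSIONID=9C7E"
198.51.100.7 /home "Chrome" "JSESSIONID=5B20"
'''

LINE = re.compile(r'(\S+) (\S+) "([^"]*)" "([^"]*)"')
SID = re.compile(r'(?:^|;\s*)JSESSIONID=([^;]+)')

def parse(log):
    """Yield (ip, path, user_agent, session_id) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, path, agent, cookie = m.groups()
        sid = SID.search(cookie)
        yield ip, path, agent, sid.group(1) if sid else None

def sessionize(hits, field):
    """Group request paths by tuple index: 0 = client IP, 3 = session ID."""
    sessions = defaultdict(list)
    for hit in hits:
        sessions[hit[field]].append(hit[1])
    return dict(sessions)

def shared_ips(hits):
    """IPs carrying more than one session ID: separate users merged by IP."""
    seen = defaultdict(set)
    for ip, _, agent, sid in hits:
        if sid is not None:
            seen[ip].add((sid, agent))
    return {ip: sorted(v) for ip, v in seen.items() if len(v) > 1}

HITS = list(parse(LOG))
BY_IP = sessionize(HITS, 0)    # two users behind one address collapse into one replay
BY_SID = sessionize(HITS, 3)   # each browser keeps its own page sequence

if __name__ == "__main__":
    print(len(BY_IP), "sessions by IP;", len(BY_SID), "by JSESSIONID")
    print("shared IPs:", shared_ips(HITS))
```

Grouped by IP, the Firefox user's cart page and the Safari user's checkout land in one replay; grouped by JSESSIONID, each sequence stays with its own browser.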
--Jason
Jason Trunk is an end-user performance expert with Quest Software and can be reached on Twitter @EarlofURL