Quote Originally Posted by d34dl0k1
Webservers can't grab MAC addresses, and IP addresses can fluctuate. IP based authentication is only feasible when your audience never changes.

Regardless of that, MAC spoofing is trivial, IP spoofing is more complicated. MAC addresses are only used at the data link layer...
What if web servers COULD get the MAC address (it was passed in with the HTTP header)? Right now the only unique information about the client is that stored in the User-Agent portion of the header. That could be used instead of a MAC, but using a MAC would be much safer. I appreciate that IP addresses fluctuate, but not at a significant rate. Chances are high that a session will expire prior to your machine releasing its DHCP address. Even if your machine does release the DHCP address, DHCP is based on caching, so you will most likely get the same address again. If you have multiple IP addresses on the same computer, things will probably get a little bit more complicated... Any suggestion as to how to handle that case?

At the end of the day, the goal is to create additional security layers. Right now, gaining access to an account is as simple as copying and pasting information. Like d34dl0k1 mentioned, there are lots of web services out there that fall victim to poor session management. They can claim that it isn't their fault, but in fact they should still attempt to prevent such an attack.
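
The session binding discussed in this post, as an added example that is not part of the original post: the server ties each session ID to an HMAC of the client's network prefix and User-Agent, so a copied session cookie presented from another network or browser is rejected and the session is dropped. The function names, the in-memory `SESSIONS` store, and the /24 and /64 prefix tolerance (chosen so a DHCP renewal in the same subnet keeps the session) are assumptions; the sample addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret held server-side
SESSIONS = {}  # session id -> binding tag (hypothetical stand-in for a session store)


def client_binding(ip: str, user_agent: str) -> bytes:
    """Return an HMAC over the client's network prefix and User-Agent."""
    addr = ipaddress.ip_address(ip)
    # Bind to the network prefix rather than the exact address, so a new
    # DHCP lease inside the same subnet does not invalidate the session.
    prefix = 24 if addr.version == 4 else 64
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    material = f"{network}|{user_agent}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).digest()


def create_session(ip: str, user_agent: str) -> str:
    """Issue a random session id and record the client binding for it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = client_binding(ip, user_agent)
    return sid


def validate_session(sid: str, ip: str, user_agent: str) -> bool:
    """Accept the session only if the presenting client matches the binding."""
    expected = SESSIONS.get(sid)
    if expected is None:
        return False
    if not hmac.compare_digest(expected, client_binding(ip, user_agent)):
        # Mismatch: destroy the session so the legitimate user must
        # re-authenticate and the copied id becomes useless.
        SESSIONS.pop(sid, None)
        return False
    return True
```

The User-Agent is a client-supplied header and the prefix match admits any host in the same subnet, so this check is an extra layer on top of short session lifetimes and TLS-only cookies, not a replacement for them.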