Unverifiable Client Identity

A recurring identity-tracking failure where user context is derived from mutable, attacker-controlled client inputs (e.g., HTTP headers), so authenticity can’t be verified and tracking becomes unreliable across requests and sessions.