The way to do this are sessions, not cookies. And sessions work even in the absence of cookies (read up on URL rewriting, which is supported by the
servlet specification).
And yes, using IP addresses has numerous problems that render this approach unusable in the general case.