There are a number of ways security and auditing can be implemented in an application. It can be done at the application level, at the application server level, or at the database server level. And I think the best practice is to take advantage of all 3 based on the user requirement, as we all know that having a little “extra” security always puts a burden on the system as a whole. It really depends on the user requirement: for example, a simple quote request form will not have the security features that a bank transaction form will have. (You got the point, right?)
One way to track a user is by IP address. IP stands for Internet Protocol, which is used to relay (send/receive) information (in the form of packets) across a network (or the internet). It lives at the Internet layer of the protocol stack. When any machine is connected to a network (here I will use the terms network and internet interchangeably for the sake of simplicity), it is assigned a unique IP address by which that machine can be identified. For example, 184.108.40.206 will take us to www.Google.com, which is the more human-readable name for what is actually the address of a computer running the Google search engine. (In reality they never use a static IP for security; I think it is some sort of proxy server that routes requests to the main server. This technology has changed very much since the invention of the internet.) … OK, back to the main topic. In short, if we get the IP address of a user, we can always identify the user from it, because in an enterprise network each machine is usually assigned to one person only.
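As an added example (not code from the original post), here is one way an application-level audit record can capture the user's IP address when requests may arrive through a reverse proxy. The function names, the proxy range in `TRUSTED_PROXIES` and the use of the `X-Forwarded-For` header value are assumptions made for this sketch.

```python
import ipaddress
from datetime import datetime, timezone

# Assumption: the reverse proxies of this hypothetical deployment sit in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, x_forwarded_for=None):
    """Return the address to store in the audit trail.

    peer_addr is the TCP peer of the connection. x_forwarded_for is the raw
    header value; any client can set it, so it is honoured only when the
    peer itself is one of our proxies.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _is_trusted(peer) or not x_forwarded_for:
        return str(peer)
    # Walk the chain right to left: the first hop that is not one of our
    # proxies is the address our own infrastructure actually saw.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the header
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)


def audit_record(user, action, peer_addr, x_forwarded_for=None):
    """Build one audit entry; the raw peer is kept beside the derived IP."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "action": action,
        "ip": client_ip(peer_addr, x_forwarded_for),
        "peer": peer_addr,
    }
```

Storing both the derived address and the raw peer lets a later review see which proxy relayed the request.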