W3C home > Mailing lists > Public > www-html@w3.org > November 2001

Re: Is it OK to require per-session cookies?

From: Jonas Jørgensen <jonasj@jonasj.dk>
Date: Sun, 25 Nov 2001 19:47:58 +0100
Message-ID: <3C013CDE.4FFA38FF@jonasj.dk>
To: www-html@w3.org
Christian Wolfgang Hujer wrote:
>
> > A quick question: Do you think it's acceptable to for e-commerce sites
> > to require per-session cookies? It is so much easier to track users with
> > a session cookie than to put the session id in every link and form...
> 
> Personally I think it isn't.
> 
> For instance, in Germany, where I live, the *government* (to be more
> precise, the "Bundesamt für Sicherheit im Internet" (security in the
> internet)) recommends users to disable Cookies and JavaScript for security
> reasons.
> http://www.bsi.bund.de/fachthem/sinet/sinet1.htm (German)

Really? Even per-session cookies? I can easily understand why people are
scared of cookies stored on their hard disks, but aren't per-session
cookies completely harmless?

> I have experience using session ids by url rewriting in Perl, PHP, Java
> Servlets and JSP, and in none of them URL rewriting or hidden form field
> usage is complicate.
> If you use Perl, PHP, Java Servlets or JSP, you may post me your code and I
> will show you how to include URL rewriting for adding session ids.

Unfortunately I have to use ASP. :-(

/Jonas
Received on Sunday, 25 November 2001 13:48:05 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 March 2012 18:15:49 GMT