W3C home > Mailing lists > Public > www-html@w3.org > November 2001

Re: Is it OK to require per-session cookies?

From: Thomas Hurst <tom.hurst@clara.net>
Date: Sun, 25 Nov 2001 19:53:55 +0000
To: www-html@w3.org
Message-ID: <20011125195355.GC94254@sploo.aagh.net>
* Jonas Jørgensen (jonasj@jonasj.dk) wrote:

> Christian Wolfgang Hujer wrote:
> >
> > > A quick question: Do you think it's acceptable to for e-commerce
> > > sites to require per-session cookies? It is so much easier to
> > > track users with a session cookie than to put the session id in
> > > every link and form...

With a well designed output layer you should be able to make this fairly
painless..

> > Personally I think it isn't.

I think it is, since it results in cleaner URL's (mod_rewrite etc are
excellent ways to produce sane, easy to remember, obvious usable URI's
that don't depend on however you choose to do things currently - leaving
.asp/.php etc in your URI's mean whenever you choose to change how your
site works, anyone who links to you find they stop working.)

Even if you do choose to include the session ID in the URI, I strongly
recommend designing them in an implimentation independent way, similar
to Amazon - no foo.bar.cgi?dasddsd=dqeewe crap, just clean, well thought
out URI's that would be just as valid with ASP as they will be in JSP.

> > For instance, in Germany, where I live, the *government* (to be more
> > precise, the "Bundesamt für Sicherheit im Internet" (security in the
> > internet)) recommends users to disable Cookies and JavaScript for
> > security reasons. http://www.bsi.bund.de/fachthem/sinet/sinet1.htm
> > (German)
>
> Really? Even per-session cookies? I can easily understand why
> people are scared of cookies stored on their hard disks, but aren't
> per-session cookies completely harmless?

Pretty much - Embedding the session id in the URI, however, can lead to
the user agent spreading it outside your site when they leave by means
of the referer header - Amazon gets around that somewhat by demanding
your password every time you do something.

However, if you're going to be making money out of this, working to
make it as compatible as possible would probably be worthwhile - it's
fair enough if your little news site/weblog/whatever wants cookies to
work fully, but if this is something that's going to potentially loose
you sales, it's probably worth being as careful with how you propagate
session information as you should be with making sure your HTML/CSS work
with every user agent you can get your hands on.

> Unfortunately I have to use ASP. :-(

We feel for you, even if this isn't quite on-topic :)

-- 
Thomas 'Freaky' Hurst  -  freaky@aagh.net  -  http://www.aagh.net/
Received on Sunday, 25 November 2001 14:54:14 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 March 2012 18:15:49 GMT