W3C home > Mailing lists > Public > www-html@w3.org > November 2001

RE: Is it OK to require per-session cookies?

From: Christian Wolfgang Hujer <Christian.Hujer@itcqis.com>
Date: Sun, 25 Nov 2001 23:33:35 +0100
To: <www-html@w3.org>
Cc: "Thomas Hurst" <tom.hurst@clara.net>, <jonasj@jonasj.dk>
Message-ID: <000001c17601$38b64a00$0295e23e@andromeda>
Hello dear list members, dear Thomas, dear Jonas,

> -----Original Message-----
> * Jonas Jørgensen (jonasj@jonasj.dk) wrote:
> > Christian Wolfgang Hujer wrote:
> > >
> > > > A quick question: Do you think it's acceptable to for e-commerce
> > > > sites to require per-session cookies? It is so much easier to
> > > > track users with a session cookie than to put the session id in
> > > > every link and form...
> With a well designed output layer you should be able to make this fairly
> painless..
> > > Personally I think it isn't.
> I think it is, since it results in cleaner URL's (mod_rewrite etc are
> excellent ways to produce sane, easy to remember, obvious usable URI's
> that don't depend on however you choose to do things currently - leaving
> .asp/.php etc in your URI's mean whenever you choose to change how your
> site works, anyone who links to you find they stop working.)
I meant I think it isn't so much easier to use cookies, so we agree :)

> Even if you do choose to include the session ID in the URI, I strongly
> recommend designing them in an implimentation independent way, similar
> to Amazon - no foo.bar.cgi?dasddsd=dqeewe crap, just clean, well thought
> out URI's that would be just as valid with ASP as they will be in JSP.
> > > For instance, in Germany, where I live, the *government* (to be more
> > > precise, the "Bundesamt für Sicherheit im Internet" (security in the
> > > internet)) recommends users to disable Cookies and JavaScript for
> > > security reasons. http://www.bsi.bund.de/fachthem/sinet/sinet1.htm
> > > (German)
> >
> > Really? Even per-session cookies? I can easily understand why
> > people are scared of cookies stored on their hard disks, but aren't
> > per-session cookies completely harmless?
> Pretty much - Embedding the session id in the URI, however, can lead to
> the user agent spreading it outside your site when they leave by means
> of the referer header - Amazon gets around that somewhat by demanding
> your password every time you do something.
And there's a clean way to get around this. It is necessary to prevent the
user agent from refering to a page while including the session id as
parameter in the Referer header. That's done by rewriting URLs to other
sites to a CGI that redirects to the other site but doesn't take the session
id as parameter.

> However, if you're going to be making money out of this, working to
> make it as compatible as possible would probably be worthwhile - it's
> fair enough if your little news site/weblog/whatever wants cookies to
> work fully, but if this is something that's going to potentially loose
> you sales, it's probably worth being as careful with how you propagate
> session information as you should be with making sure your HTML/CSS work
> with every user agent you can get your hands on.
> > Unfortunately I have to use ASP. :-(
> We feel for you, even if this isn't quite on-topic :)
Yes, we do :)


Received on Sunday, 25 November 2001 17:34:54 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:05:58 UTC