
Re: Is it OK to require per-session cookies?

From: Thomas Hurst <tom.hurst@clara.net>
Date: Mon, 26 Nov 2001 12:25:27 +0000
To: www-html@w3.org
Message-ID: <20011126122527.GB98976@sploo.aagh.net>
* Christian Wolfgang Hujer (Christian.Hujer@itcqis.com) wrote:

> I meant I think it isn't so much easier to use cookies, so we agree :)

Ease is overrated :)

Nice document about the rationale behind URI design:
http://www.w3.org/Provider/Style/URI.html

> > Pretty much - Embedding the session id in the URI, however, can lead
> > to the user agent spreading it outside your site when they leave by
> > means of the referer header - Amazon gets around that somewhat by
> > demanding your password every time you do something.
>
> And there's a clean way to get around this. It is necessary to prevent
> the user agent from referring to a page while including the session id
> as parameter in the Referer header. That's done by rewriting URLs to
> other sites to a CGI that redirects to the other site but doesn't take
> the session id as parameter.

Indeed, that also allows you to count external links, but it does
increase the load on the server, and if you forget some can slip
through.  There's also the possibility of broken clients which send
referer headers when the user accesses a bookmark or types in a new
address.  Relying on particular client behaviour is probably a bad idea,
although the same can be said for cookies and kiddies accessing them via
JS or so - the obvious solution would be to make sure a session alone
isn't much use to anyone.

Hence, how Amazon always asks for a password before you do anything.  IP
tracking and restrictive login timeouts should take care of forms.

-- 
Thomas 'Freaky' Hurst  -  freaky@aagh.net  -  http://www.aagh.net/
Received on Monday, 26 November 2001 07:25:29 GMT
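The redirect-CGI idea from the message above, as an added example that is not part of the original post or of any site it mentions. It assumes a host `shop.example`, a handler path `/out` and a server-side key `SECRET_KEY`; all three are stand-ins. Two practitioner caveats shape the code: a bounce endpoint that forwards anywhere it is told is an open redirect, so each target is HMAC-signed when the link is emitted and verified before forwarding; and a bare 3xx redirect is not enough, because browsers keep the original document's URL as the Referer of a redirected request, so the bounce page is a small HTML interstitial served with `Referrer-Policy: no-referrer` and a `meta http-equiv="refresh"`. (Today `rel="noreferrer"` on the link, or a site-wide `Referrer-Policy` header, removes the need for the bounce page altogether; the dereferer still earns its keep for the click counting the post mentions.)

```python
import hashlib
import hmac
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values for this example: our own host, the path of the
# de-referer handler, and a server-side key used to sign link targets.
SITE_HOST = "shop.example"
OUT_PATH = "/out"
SECRET_KEY = b"replace-with-a-random-server-side-key"

# External-link click counter ("that also allows you to count external links").
_clicks = {}


def _sign(target):
    """HMAC over the target so /out only forwards links we emitted ourselves."""
    return hmac.new(SECRET_KEY, target.encode("utf-8"), hashlib.sha256).hexdigest()


def is_external(href):
    """True for absolute http(s) URLs that point off our own host."""
    parts = urlsplit(href)
    return (parts.scheme in ("http", "https")
            and bool(parts.netloc)
            and parts.netloc.lower() != SITE_HOST)


def rewrite_external_links(page_html):
    """Rewrite every external href="..." to go through OUT_PATH.

    Only double-quoted href attributes are handled; a real deployment would
    do this in the templating layer rather than with a regex over HTML.
    Internal links (including ones carrying the session id) are left alone.
    """
    def repl(match):
        href = html.unescape(match.group(1))
        if not is_external(href):
            return match.group(0)
        query = urlencode({"u": href, "t": _sign(href)})
        return 'href="%s?%s"' % (OUT_PATH, html.escape(query))
    return re.sub(r'href="([^"]*)"', repl, page_html)


def handle_out(query_string):
    """Serve OUT_PATH. Returns (status, headers, body).

    The query string carries only the target and its signature, never the
    session id, and the page is served with a no-referrer policy, so the
    external site receives neither our page URL nor anything in it.
    """
    params = parse_qs(query_string)
    target = params.get("u", [""])[0]
    token = params.get("t", [""])[0]
    if not is_external(target) or not hmac.compare_digest(
            _sign(target).encode("ascii"), token.encode("utf-8")):
        # Unsigned or tampered target: refuse rather than act as an open redirect.
        return 400, [("Content-Type", "text/plain; charset=utf-8")], "bad link"
    _clicks[target] = _clicks.get(target, 0) + 1
    safe = html.escape(target, quote=True)
    body = (
        "<!DOCTYPE html><html><head>"
        '<meta name="referrer" content="no-referrer">'
        '<meta http-equiv="refresh" content="0; url=%s">'
        "</head><body>"
        '<a href="%s" rel="noreferrer">Continue to %s</a>'
        "</body></html>" % (safe, safe, safe)
    )
    headers = [("Content-Type", "text/html; charset=utf-8"),
               ("Referrer-Policy", "no-referrer"),
               ("Cache-Control", "no-store")]
    return 200, headers, body


def click_count(target):
    """How many times /out has forwarded to this target."""
    return _clicks.get(target, 0)


if __name__ == "__main__":
    # Constructed sample page: a user on /cart?sid=... sees one internal
    # and one external link; only the external one is rewritten.
    page = ('<a href="/cart?sid=abc123">Cart</a> '
            '<a href="https://partner.example/deal">Deal</a>')
    print(rewrite_external_links(page))
```

The signature is what keeps "if you forget some can slip through" from turning into the opposite failure: a link you did not emit cannot be bounced through `/out`. Links you did forget to rewrite still leak, which is why a blanket `Referrer-Policy` header is the better primary control on a modern site, with the dereferer kept only where the click count is wanted.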
