There are several session-ID proposals floating around. Cookies, I think, are  
a dubious way to handle user identification for the future.

One stab at it is:

>1) Session Identification
>Obviously, people today *are* able to do sessions with URL-munging,
>cookies, BASIC auth, etc. It's clear, though,that JEPI will strongly
>suggest a session-identifier to track the state of negotiation.
>Rohit presented the alternatives that have been developed,
>such as "MD5(secret|hostname), counter++". We can create pseudonyms,
>session counters, and so on.  Originally, this was included in 3
>(demographic profiling).
>I think that we need some input from HTTP,the logging & measurement
>groups, and implementors. If we can solve the problem of
>discriminating 'user sessions' (such as multiple windows on a site),
>we should run with one of these solutions.
>Protocol Name:  http://pep.w3.org/Session
>Parameters:     {id MD5(client_secret | scheme://host:port)}
>                {c integer++}
What's missing is a UI to 'scramble' the ID and come in without being  
correlated to past or future visits.


Rohit Khare