Problems with cookies and sessionID

"James E. Calloway" <jcallowa@nando.net> on Fri, 29 Mar 1996 wrote

>problems ... in the cookie approach to session ID? 


I believe the problem with the current cookie spec is that it cannot
store cookie definitions between sessions.  This can be both a
positive and negative aspect.  It does restrict sites from flooding
your system with cookies to be stored across sessions which is good.
The negative is that the client is not allowed to define cookies.  One
way to enable across session storage is to enable the client to define
a cookie for any domain/path combination.  It could be quite simple by
having the client software read an init-file at startup.

At the same time, I believe the client should be able to define and
own cookies, say with a reserved domain "Internal".  You can also
create a global (read-only) cookie by introducing a permission
attribute.  If the two preceding extensions are present, the client
can generate (if the routine is added to the software) IDs and
maintain ownership while making the information available to other
domain/paths.

I have been struggling with the idea of using a cookie in a logging
scheme.  The result is a method based on my own and some ideas that I
have seen on the Net, currently called the LogTo collection method.
An example in the LogTo document uses a cookie scheme using extensions
to the current cookie spec.

Magnus

--

Document refs:

An extended version of Netscape's cookie specification with the above
mentioned additions:

    http://www.sbm.temple.edu/~magnus/ext_cookie_spec.html


The LogTo collection method and an example of how a logging scheme
using cookies can be implemented can be found in the document:

    http://www.sbm.temple.edu/~magnus/logto.html


The current front door leading to the above documents:

    http://www.sbm.temple.edu/~magnus/measure.html

----------------------
Magnus Mengelbier

Sweden + (0)40-29 39 12
email:  magnusm@maths.lth.se
        magnusm@ibm.net

Received on Monday, 1 April 1996 08:03:14 UTC