The short answer is, yes, P3P compact policies are intended even for session cookies which just contain a session ID. P3P says that the policy which covers a cookie should cover all data contained in or linked to by the cookie. Obviously, a session ID is a unique ID (category <uniqueid/>). It may be linked to other data on the server side, and the site's policy needs to cover this.

In general, it's not practical for a site to use individual policies for each cookie set by the site, or for each application deployed on the site. Doing so results in a nightmare for managing the policies. Instead, it's much easier to define a site-wide (or enterprise-wide) privacy policy. Then you code that policy into a P3P statement and a P3P compact policy, and apply those policies broadly on the site.

-- Martin

Martin Presler-Marshall - Program Manager, Privacy Technology
E-mail: mpresler@us.ibm.com AIM: jhreingold
Phone: (919) 254-7819 (tie-line 444-7819) Fax: (919) 254-6430 (tie-line 444-6430)

Gerald_T_Beattie@comerica.com
Sent by: www-p3p-dev-request@w3.org
10/15/2001 11:03 AM
To: www-p3p-dev@w3.org
cc:
Subject: Session Cookies

Java allows a developer to use session objects to track a user. Behind the scenes the session object uses a session cookie for tracking purposes. Since using a session object is just a natural part of Java programming for the web how are we going to remember to use a compact policy for every session object? Are Compact policies intended for session cookies that just contain a session ID?

Thanks
Jerry

Received on Monday, 15 October 2001 20:53:46 UTC
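
Added example, not part of the original messages: a small audit check for the point made in the reply, flagging any response that sets a cookie without a compact policy, or that sets a session cookie under a compact policy lacking UNI (the compact token for <uniqueid/>). The cookie name JSESSIONID, the function names and the sample headers are assumptions constructed for illustration.

```python
import re

SESSION_COOKIES = {"JSESSIONID"}  # assumption: the servlet container's default session cookie name

def compact_policy_tokens(headers):
    """Return the CP token set from the P3P header, or None if no compact policy is sent."""
    for name, value in headers:
        if name.lower() == "p3p":
            match = re.search(r'CP\s*=\s*"([^"]*)"', value)
            if match:
                return set(match.group(1).split())
    return None

def audit_response(headers):
    """List findings for one response given as (header-name, value) pairs."""
    cookies = [v.split("=", 1)[0].strip() for n, v in headers if n.lower() == "set-cookie"]
    if not cookies:
        return []
    tokens = compact_policy_tokens(headers)
    if tokens is None:
        return ["no compact policy covers: " + ", ".join(cookies)]
    # A session ID is a unique ID, so the policy must declare category UNI (<uniqueid/>).
    return [f"{c}: compact policy lacks UNI" for c in cookies
            if c in SESSION_COOKIES and "UNI" not in tokens]

# Constructed sample responses; the CP strings are illustrative, not a recommended policy.
SAMPLES = {
    "missing": [("Set-Cookie", "JSESSIONID=abc123; Path=/")],
    "no_uni": [("P3P", 'policyref="/w3c/p3p.xml", CP="NOI DSP COR CUR OUR"'),
               ("Set-Cookie", "JSESSIONID=abc123; Path=/")],
    "covered": [("P3P", 'policyref="/w3c/p3p.xml", CP="DSP COR CUR ADM OUR STA UNI"'),
                ("Set-Cookie", "JSESSIONID=abc123; Path=/")],
    "no_cookie": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, audit_response(headers))
```

Run over captured response headers from each application on a site, a check like this shows where the site-wide compact policy has not been applied.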