W3C home > Mailing lists > Public > www-p3p-dev@w3.org > October 2001

Re: Session Cookies

From: Martin Presler-Marshall <mpresler@us.ibm.com>
Date: Mon, 15 Oct 2001 11:32:09 -0400
To: Gerald_T_Beattie@comerica.com
Cc: www-p3p-dev@w3.org
Message-ID: <OFD646B038.349D9474-ON85256AE6.0054CC7F@raleigh.ibm.com>
     The short answer is, yes, P3P compact policies are intended even for
session cookies which just contain a session ID.

     P3P says that the policy which covers a cookie should cover all data
contained in or linked to by the cookie. Obviously, a session ID is a
unique ID (category <uniqueid/>). It may be linked to other data on the
server side, and the site's policy needs to cover this.
     In general, it's not practical for a site to use individual policies
for each cookie set by the site, or for each application deployed on the
site. Doing so results in a nightmare for managing the policies. Instead,
it's much easier to define a site-wide (or enterprise-wide) privacy policy.
Then you code that policy into a P3P statement and a P3P compact policy,
and apply those policies broadly on the site.

     -- Martin

Martin Presler-Marshall - Program Manager, Privacy Technology
E-mail: mpresler@us.ibm.com     AIM: jhreingold
Phone: (919) 254-7819 (tie-line 444-7819) Fax: (919) 254-6430 (tie-line
444-6430)



                                                                                                                              
                    Gerald_T_Beattie@co                                                                                       
                    merica.com                To:     www-p3p-dev@w3.org                                                      
                    Sent by:                  cc:                                                                             
                    www-p3p-dev-request       Subject:     Session Cookies                                                    
                    @w3.org                                                                                                   
                                                                                                                              
                                                                                                                              
                    10/15/2001 11:03 AM                                                                                       
                                                                                                                              
                                                                                                                              




Java allows a developer to use session objects to track a user.
Behind the scenes the session object uses a session cookie for tracking
purposes.
Since using a session object is just a natural part of Java programming for
the web how are we going to remember to use a compact policy for every
session object?  Are Compact policies intended for session cookies that
just contain a session ID?

Thanks

Jerry
Received on Monday, 15 October 2001 20:53:46 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 18 June 2010 00:12:47 GMT