Re: Disavowing Legal Liability [OT] from Ken Martin on 2001-09-21 (www-p3p-policy@w3.org from September 2001)

From: Ken Martin <ken@kpmartin.com>
Date: Fri, 21 Sep 2001 10:47:39 -0500
To: <www-p3p-policy@w3.org>
Message-ID: <B7D0CB4B.16DB8%ken@kpmartin.com>

on 9/20/01 5:23 PM, Andreas Färber at andreas.faerber@web.de wrote:

> Did I say you SHOULD track sessions a different way? :) I'm quite sure I
> only said, in other words, that if you insisted on using only Cookies you
> would have to live with the consequences resulting from rejected Cookies
> back then, now and from now on in case you didn't provide an alternative way
> of moving your data around.

My only point is that the emergence of IE6+P3P was a *brand new* risk. Not a
very well advertised risk, I might add.

We accept the risk of failing on pre-3 browsers.
We accept the risk of failing if a user has cookies off.
We accept the risk of a cookie being spoofed.

All of those and many more were foreseeable and we could assess the risk vs.
benefit, but you seem to be presenting the odd concept of "use the standards
(such as rfc2109), but beware we may decide to add to, change or alter them
at any time in a fashion that may break or render difficult to implement a
previously compliant use of a standard. And if we do, don't complain."

What good are standards then?

<http://www.w3.org/Protocols/rfc2109/rfc2109> tells me how to use cookies
and I'd thought we had implemented this well.

As far as your general session philosophy (which I tend to agree with),
don't forget that there are problems with server-side session tracking too,
as even the above referenced doc notes:

"Of course, using a database creates some problems that this state
management specification was meant to avoid, namely:

     1.  keeping real state on the server side;

     2.  how and when to garbage-collect the database entry, in case the
         user agent terminates the session by, for example, exiting."

We have load-balanced servers, and a *huge* amount of DB traffic (because
every single page is unique... it's the nature of our service), so when
assessing the pros and cons of yet more DB traffic vs cookie shortcomings,
the cookies won and have served well.

This *new* restriction on an old protocol *is* a difficulty. Likely simply a
problem with my implementation, but so far not easily discernable.
Thankfully, some here have offered to help with my specific issue, and I
really appreciate that.

Ken Martin

Received on Friday, 21 September 2001 11:54:29 UTC