
Re: Logging out from Facebook

From: John Kemp <john@jkemp.net>
Date: Mon, 26 Sep 2011 10:17:19 -0400
Cc: "L. David Baron" <dbaron@dbaron.org>, Noah Mendelsohn <nrm@arcanedomain.com>, Karl Dubost <karld@opera.com>, Jeni Tennison <jeni@jenitennison.com>, "www-tag@w3.org List" <www-tag@w3.org>
Message-Id: <477064E1-F96E-47CB-827A-C4556D49D5AE@jkemp.net>
To: Thomas Roessler <tlr@w3.org>

On Sep 26, 2011, at 7:27 AM, Thomas Roessler wrote:

> On 2011-09-25, at 18:59 +0100, L. David Baron wrote:
> 
>> That said, I keep hearing about how sites are or may be using other
>> methods to track users (flash local shared objects, fingerprinting),
>> possibly in combination with each other.
> 
> There are significant pieces of today's Web Architecture that depend on keeping a certain amount of client state -- in-browser caching comes to mind as a rather fundamental example.
> 
> If there is sufficiently high-entropy client side state, and if that state can be accessed by a web application (using JavaScript code or HTTP or something else), then tracking is technically possible.

The problem is that users (whether laymen or IT professionals) expect that when they click 'logout' or 'remove my cookies', their 'session' state with that site is removed. I certainly have that expectation too. After all, a session should be a session. Not some indefinite period of time. What is the valid need for 'client state' when the client is not working on my behalf at the server (i.e., I am logged in at that site)?

- John 
Received on Monday, 26 September 2011 14:20:18 GMT
