Re: 3 Proposals: session ID, business-card auth, customer auth

From: Henrik Frystyk Nielsen <frystyk@w3.org>
Date: Tue, 18 Jul 1995 09:01:00 -0400 (EDT)
To: "Daniel W. Connolly" <connolly@beach.w3.org>
Cc: Brian Behlendorf <brian@organic.com>, Terry Myerson <tmyerson@iserver.interse.com>, www-talk@w3.org
Message-Id: <Pine.3.89.9507180730.A3535-0100000@www20>

On Tue, 18 Jul 1995, Daniel W. Connolly wrote:

> One might argue (in fact, one has argued: Hi Henrik!) that this is an
> extension of the From: field, and these data belong there. I don't
> believe so: if the From: field is present, it should contain a valid
> email address of the requesting user (clearly the server cannot depend
> on the authenticity of the From: field, but that doesn't mean we
> should corrupt it further in the protocol spec).

What I have pointed out is that a `random' number is merely an anonymous
substitute for the From: field. It would be the same as allowing anything as
a valid value in the From: field. As far as I recall, the definition of the
field in 822 pretty much accepts anything as a valid address. However, this
is just to clarify the meaning of a "session" ID (whatever a session is) - I
don't intend to actually suggest the overload of the From: field.

> Even though the session ID is random, there may be privacy concerns:
> some folks leave their browser running for a long time, and this
> mechanism might allow unwanted correlations to be observed. So perhaps
> there should be a preference to turn this feature off.

Then we are back to the From field ;-)

Is there any experience with using the Referer: header to analyze user
patterns? It is correct that it doesn't indicate discontinuous browsing (and
has other limitations), but I would think that continuous browsing is a goal
so that users don't have to type in URLs (or even see them).

> But I believe it is cost effective: just like the junk-mail
> advertisements in your Visa bill envelope help reduce the annual
> fee on that Visa card, providing extra information in requests
> will allow information providers to increase their quality of service
> by more accurately modelling the usage of their information.

It would be unfortunate to send 'junk-mail' in HTTP - it is already very
verbose, and round trips _are_ an important factor. The only advantage in my
mind of using an ID instead of a Referer field is that it might in fact be


Henrik Frystyk                                          frystyk@W3.org
World-Wide Web Consortium,                              Tel + 1 617 258 8143
MIT/LCS, NE43-356                                       Fax + 1 617 258 8682
77 Massachusetts Avenue
Cambridge MA 02154, USA
Received on Tuesday, 18 July 1995 09:01:04 UTC