Re: 3 Proposals: session ID, business-card auth, customer auth

From: Marc Hedlund <hedlund@best.com>
Date: Tue, 18 Jul 1995 23:46:12 -0700
Message-Id: <v02120d01ac32587473c0@[204.156.156.16]>
To: www-talk@w3.org
[a session-id can compromise user privacy...]
>1) By tracking a user from one host to another to another  -- all they
>need do is find one occurrence where the user provides identifying
>information
[...]
>2) By observing patterns of behavior that reduce the possible user
>sample to one small enough wherein identity can be obtained.
[...]
>3) By associating an invariant marker with each request, the request
>set as a whole can be analyzed for other invariant markers that
>distinguish that browser from others.

Certainly (1) and to some extent (2) could be made less bothersome by
resetting the session-id with each new site to which a request is sent
(that is, a session id is invariant for all requests to a particular site,
from client startup to termination, but required to vary in requests to
each new site).  Wasn't this proposed during the discussion of session-id
in January/February?  I'm not seeing a need for the session-id to remain
constant between different sites.

Marc Hedlund <hedlund@best.com>
Received on Wednesday, 19 July 1995 02:48:24 GMT
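
The following sketch is an added example, not part of the original message. It models the proposal above: a session-id that stays constant for one site from client startup to termination but differs for each new site, and compares it with a single global id against concern (1) in the quoted text. The `Client` class, the HMAC-based derivation and the `.example` hosts are assumptions made for illustration; the message does not say how ids would be generated.

```python
import hashlib
import hmac
import secrets


class Client:
    """Constructed model of a browser that attaches a session-id to each request."""

    def __init__(self, per_site: bool):
        self.per_site = per_site
        # Fresh random key at client startup; it is gone at termination.
        self._key = secrets.token_bytes(32)

    def session_id(self, host: str) -> str:
        # Per-site mode keys the id on the host; global mode ignores the host.
        scope = host.lower().rstrip(".") if self.per_site else "*"
        return hmac.new(self._key, scope.encode(), hashlib.sha256).hexdigest()[:16]


def browse(client, visits):
    """Return the (host, session_id, form_data) records the sites would log."""
    return [(host, client.session_id(host), data) for host, data in visits]


def linked_hosts(records):
    """Hosts whose log entries share an id that was seen with identifying data."""
    identified = {sid for _, sid, data in records if data}
    return {host for host, sid, _ in records if sid in identified}


# Constructed browsing session: the user identifies themselves at one site only.
VISITS = [
    ("shop.example", None),
    ("news.example", None),
    ("shop.example", "name=Alice"),
    ("forum.example", None),
]

if __name__ == "__main__":
    for mode in (False, True):
        records = browse(Client(per_site=mode), VISITS)
        print("per-site" if mode else "global  ", sorted(linked_hosts(records)))
```

With a global id, the one identifying request at `shop.example` ties the identity to every host's log; with per-site ids it stays confined to that host.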