W3C home > Mailing lists > Public > www-talk@w3.org > July to August 1995

Session-Id vs. Cookies

From: Paul Burchard <burchard@horizon.math.utah.edu>
Date: Wed, 26 Jul 95 02:46:08 -0600
Message-Id: <9507260846.AA01361@horizon.math.utah.edu>
To: mwm@contessa.phone.net (Mike Meyer)
Cc: www-talk@w3.org
mwm@contessa.phone.net (Mike Meyer) writes:
> I think I've answered all the issues, except for the one of
> wanting a more structured object in general. Not having
> seen anything on that - except for Cookies - I can't really
> comment on it.

For session-ID functionality, I like your proposal: it's nice and  
simple and gets the job done.  But when such a session-ID mechanism  
starts being used as a way to carry along shopping baskets and other  
complex objects, it is technically obsolete from the start.

Also, I find Netscape-style cookies disturbing for privacy reasons;  
they regress from the principle of providing clear and constant  
feedback about what is being done with the user's input.  "Shopping  
basket" information may even be invisibly transported to a  
completely different server without any visual hint to the naive  

What I want to sketch here is how one might implement cookies  
without abusing HTTP headers.  Moving the cookie out of a header and  
into a genuine HTTP object means first that the cookie can benefit  
from the existing linking, caching, and security mechanisms of HTTP.  
 But in addition to the technical benefits, a linked cookie object  
could be a human readable document, presented to the user in some  
subsidiary way by the user agent, thereby easing the privacy  

The central new ingredient would be a "Cookie" link relationship  
with some rather interesting semantics (admittedly requiring some  
extensions to existing linking concepts).  The "Cookie" relationship  
can be decomposed as the combination "Collective Volatile" of two  
simpler new relationships:

  1.  Collective.  A link of this type is many-to-one, bringing  
together the _collection_ of all source objects linked to the given  
target.  The collection is not just an explicit list, because  
"subtree inheritance" is imposed, so that all objects with URIs in  
the same subtree as a member, are also automatically members of the  
collection.  Assigning a new target to any source in the collection  
causes collective replacement of the target for the entire  

  2.  Volatile.  Neither client nor server are required to maintain  
the link unless it is acknowledged by the other party in each HTTP  
transaction.  In particular, this implies that if the URI of the  
target is itself "volatile" (i.e. does not translate into a URL),  
each side must refresh _both_ the target object and the link in each  

How to implement this?  The volatility rule (2) means that we must  
usually make use of the HTTP "Link:" entity header, in both  
responses and requests, in order to maintain the link.

Furthermore, in the most common scenario, the cookie is a  
client-specific "volatile" object, not maintained on the server.   
For this reason we must use MIME multipart bodies and "cid:" URIs in  
order to transport the linked cookie together with the document in  
each request and response transaction.

Unfortunately, the specification of cid: URIs  
does not seem to be in good enough shape to turn this into a  
concrete proposal just yet (e.g., the "multipart/related" media type  
does not seem to exist according to  
 However, someone more versed in multipart yoga might be able to  
clear this up.

Paul Burchard	<burchard@math.utah.edu>
``I'm still learning how to count backwards from infinity...''
Received on Wednesday, 26 July 1995 04:46:54 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:32:57 UTC