W3C home > Mailing lists > Public > www-talk@w3.org > July to August 1995

Re: Client <-> Server-generated Session IDs

From: <rep@iexist.att.com>
Date: Fri, 28 Jul 95 09:00:11 CDT
Message-Id: <9507281400.AA17613@snowy.lab5523>
To: Norderhaug.CHI@xerox.com, www-talk@w3.org
Terje <Norderhaug.CHI@Xerox.com> wrote:
> At 8:10 AM 7/27/95, rep@iexist.att.com wrote:
> >I must be missing something because I don't see the connection between
> >privacy and the client vs. server generation of a Session ID.[...]
> >As long as our clients allow us to configure them not to send
> >REMOTE_USER and REMOTE_IDENT, the server won't really know who we are, will
> >they?
> 
> At some point in time you might find yourself filling out personal
> information in a form. With session ids accross servers it become possible
> to trace your excact steps on the web by merging the entries with the same
> id in the logfiles from the various services. Even more so if the id is
> kept between sessions.
> 
> -- Terje <Norderhaug.CHI@Xerox.com>
>    <URL:http://www.ifi.uio.no/~terjen/>

Terje:

Thanks for the explanation; now I think I understand the concern.  But is
that trace likely in practice?  It assumes a) that Session IDs are unique
across the entire Web (at least over the time interval of the trace), b) the
server owners (who might be competing businesses) are willing to
sell/share the log files, and c) it is worth enough to somebody to examine all
the log files of the Web looking for Session ID correlations.  It seems to me
that if somebody was that interested, it would be far easier for them to buy or
steal the information from my Internet Service Provider who has access (already
correlated and unambiguously attributed to my PC/workstation) to every packet
sent and received.

Thanks again,
Randy Pitt
rep@iexist.att.com
Received on Friday, 28 July 1995 23:01:52 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:18 GMT