Re: cookie draft available from hallam@w3.org on 1996-04-19 (ietf-http-wg@w3.org from April to June 1996)

From: <hallam@w3.org>
Date: Thu, 18 Apr 96 20:22:09 -0400
To: Dave Kristol <dmk@allegra.att.com>
Cc: hallam@w3.org, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <9604190022.AA12993@zorch.w3.org>

>  > The implementation limits of 300 cookies and 20 per host seem a bit
>  > high (think of our friends writing the browser on the PDA), what
>  > went into that number?  (Depending on how you viewed sessions, for example,
>  > you could say 20 per host and 20 total--each session ending when you
>  > went to a new host.  That would be really limiting, obviously, but why
>  > 300?)
>Good point.  The numbers come from the original Netscape proposal.  Lou
>Montulli felt that application writers needed some certainty about what
>a client could save.  I don't have a good defense for 300 specifically.

I think that 300 is high if the cookies are to be used for state maintenance.
But if sitres want to use them for demographic data traking they will want many 
more. It is enough of a pain in the ass to have to log into the ney york times 
every day as it is.

If on the other hand we introduce client generated unlinkable session IDs
much of the demographic data excahnge stuff can be done with them instead and
cookies can be confined to operations that actually need state. This would mean 
that a person with a PDA could probably function at shopping malls etc with a 
very small number of cookies (20).

There is another benefit. Flushing the cookie cache need not disrupt the session 
information. Imagine the poor looser with a PDA is having hassle with an 
interaction. A very natural need would be to want to "reset" the connection and 
start from scratch. 

I'm minded of the Apple Mac problem here. I loath using Macs because they tend 
to be very opinionated about saving me from myself. This is all very well if the 
system is bug free. But when you hit a bug on a Mac you are likely to end up 
having to reboot because the system is waiting for an event that is never going 
to happen. I've often wanted a button to bypass some stupid warning box 
demanding that an application really quit rather than try to save files on a 
disk I took out of the machine for very good reasons. I think we need to provide 
the user with a way to avoid having to flush usefull information when trying to 
reset the system after loosing with some CGI monkey's broken perl scripts.


	Phill

Received on Thursday, 18 April 1996 17:27:24 UTC