- From: Thomas Hurst <tom.hurst@clara.net>
- Date: Sun, 25 Nov 2001 19:53:55 +0000
- To: www-html@w3.org
* Jonas Jørgensen (jonasj@jonasj.dk) wrote:
> Christian Wolfgang Hujer wrote:
> >
> > > A quick question: Do you think it's acceptable for e-commerce
> > > sites to require per-session cookies? It is so much easier to
> > > track users with a session cookie than to put the session id in
> > > every link and form...

With a well designed output layer you should be able to make this fairly
painless..

> > Personally I think it isn't.

I think it is, since it results in cleaner URLs (mod_rewrite etc are
excellent ways to produce sane, easy to remember, obvious usable URIs
that don't depend on however you choose to do things currently - leaving
.asp/.php etc in your URIs means whenever you choose to change how your
site works, anyone who links to you finds they stop working.)

Even if you do choose to include the session ID in the URI, I strongly
recommend designing them in an implementation independent way, similar
to Amazon - no foo.bar.cgi?dasddsd=dqeewe crap, just clean, well thought
out URIs that would be just as valid with ASP as they will be in JSP.

> > For instance, in Germany, where I live, the *government* (to be more
> > precise, the "Bundesamt für Sicherheit im Internet" (security in the
> > internet)) recommends users to disable Cookies and JavaScript for
> > security reasons. http://www.bsi.bund.de/fachthem/sinet/sinet1.htm
> > (German)
>
> Really? Even per-session cookies? I can easily understand why
> people are scared of cookies stored on their hard disks, but aren't
> per-session cookies completely harmless?

Pretty much - Embedding the session id in the URI, however, can lead to
the user agent spreading it outside your site when they leave by means
of the referer header - Amazon gets around that somewhat by demanding
your password every time you do something.

However, if you're going to be making money out of this, working to make
it as compatible as possible would probably be worthwhile - it's fair
enough if your little news site/weblog/whatever wants cookies to work
fully, but if this is something that's going to potentially lose you
sales, it's probably worth being as careful with how you propagate
session information as you should be with making sure your HTML/CSS work
with every user agent you can get your hands on.

> Unfortunately I have to use ASP. :-(

We feel for you, even if this isn't quite on-topic :)

-- 
Thomas 'Freaky' Hurst - freaky@aagh.net - http://www.aagh.net/
Received on Sunday, 25 November 2001 14:54:14 UTC
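
The Referer leak mentioned in the message above, modelled as an added example that is not part of the original post: it lists which external hosts would receive a URL-embedded session id and shows the URL with the id scrubbed. It assumes the user agent sends the full page URL as Referer and that session ids travel in the parameter names listed in SESSION_PARAMS; the hosts, paths and id values are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed names for session-id parameters; adjust to the application.
SESSION_PARAMS = {"sid", "sessionid", "phpsessid", "jsessionid"}

def _is_session(pair):
    return pair.split("=", 1)[0].lower() in SESSION_PARAMS

def session_ids(url):
    """Session-id values carried in the query string or in ;path parameters."""
    parts = urlsplit(url)
    found = [v for k, v in parse_qsl(parts.query) if k.lower() in SESSION_PARAMS]
    for seg in parts.path.split("/"):
        found += [p.split("=", 1)[1] for p in seg.split(";")[1:]
                  if "=" in p and _is_session(p)]
    return found

def scrub_session(url):
    """Same URL with every session-id parameter removed."""
    parts = urlsplit(url)
    path = "/".join(
        ";".join([seg.split(";")[0]] +
                 [p for p in seg.split(";")[1:] if not _is_session(p)])
        for seg in parts.path.split("/"))
    query = urlencode([(k, v)
                       for k, v in parse_qsl(parts.query, keep_blank_values=True)
                       if k.lower() not in SESSION_PARAMS])
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))

def referer_leaks(page_url, links):
    """Map each external host linked from page_url to the session ids it
    would see, assuming the full page URL is sent as the Referer header."""
    own_host = urlsplit(page_url).hostname
    ids = session_ids(page_url)
    leaks = {}
    for link in links:
        host = urlsplit(link).hostname   # None for relative links
        if ids and host and host != own_host:
            leaks[host] = ids
    return leaks

# Constructed sample data (not from the original message).
PAGE = "http://shop.example/basket;jsessionid=A1B2?item=42&sid=deadbeef#top"
LINKS = ["http://shop.example/checkout?sid=deadbeef",
         "http://partner.example/reviews",
         "/help"]

if __name__ == "__main__":
    print(referer_leaks(PAGE, LINKS))
    print(scrub_session(PAGE))
```

Running `referer_leaks` on the scrubbed URL returns an empty mapping, which is the property a per-session cookie gives without any URL rewriting.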