- From: Christian Wolfgang Hujer <Christian.Hujer@itcqis.com>
- Date: Sun, 25 Nov 2001 23:33:35 +0100
- To: <www-html@w3.org>
- Cc: "Thomas Hurst" <tom.hurst@clara.net>, <jonasj@jonasj.dk>
Hello dear list members, dear Thomas, dear Jonas,

> -----Original Message-----
> * Jonas Jørgensen (jonasj@jonasj.dk) wrote:
> > > Christian Wolfgang Hujer wrote:
> > >
> > > > A quick question: Do you think it's acceptable for e-commerce
> > > > sites to require per-session cookies? It is so much easier to
> > > > track users with a session cookie than to put the session id in
> > > > every link and form...
>
> With a well designed output layer you should be able to make this fairly
> painless..
>
> > > Personally I think it isn't.
>
> I think it is, since it results in cleaner URL's (mod_rewrite etc are
> excellent ways to produce sane, easy to remember, obviously usable URI's
> that don't depend on however you choose to do things currently - leaving
> .asp/.php etc in your URI's mean whenever you choose to change how your
> site works, anyone who links to you find they stop working.)

I meant I think it isn't so much easier to use cookies, so we agree :)

> Even if you do choose to include the session ID in the URI, I strongly
> recommend designing them in an implementation independent way, similar
> to Amazon - no foo.bar.cgi?dasddsd=dqeewe crap, just clean, well thought
> out URI's that would be just as valid with ASP as they will be in JSP.
>
> > > For instance, in Germany, where I live, the *government* (to be more
> > > precise, the "Bundesamt für Sicherheit im Internet" (security in the
> > > internet)) recommends users to disable Cookies and JavaScript for
> > > security reasons. http://www.bsi.bund.de/fachthem/sinet/sinet1.htm
> > > (German)
> >
> > Really? Even per-session cookies? I can easily understand why
> > people are scared of cookies stored on their hard disks, but aren't
> > per-session cookies completely harmless?
>
> Pretty much - Embedding the session id in the URI, however, can lead to
> the user agent spreading it outside your site when they leave by means
> of the referer header - Amazon gets around that somewhat by demanding
> your password every time you do something.

And there's a clean way to get around this. It is necessary to prevent the
user agent from referring to a page while including the session id as
parameter in the Referer header. That's done by rewriting URLs to other
sites to a CGI that redirects to the other site but doesn't take the
session id as parameter.

> However, if you're going to be making money out of this, working to
> make it as compatible as possible would probably be worthwhile - it's
> fair enough if your little news site/weblog/whatever wants cookies to
> work fully, but if this is something that's going to potentially lose
> you sales, it's probably worth being as careful with how you propagate
> session information as you should be with making sure your HTML/CSS work
> with every user agent you can get your hands on.
>
> > > Unfortunately I have to use ASP. :-(
>
> We feel for you, even if this isn't quite on-topic :)

Yes, we do :)

Greetings
Christian
Received on Sunday, 25 November 2001 17:34:54 UTC
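The outbound-link "CGI that redirects" described in the message above, worked through as an added example; this is not code from the list or from any of the posters. Assumed, constructed names: the session id travels as a `sid` query parameter, the site is `shop.example`, and the intermediate page is served at `/leave`. Two points a practitioner would add to the idea as stated: the `to` target must be validated, otherwise the helper becomes an open redirector for anything a link author puts there; and because browsers carry the original page's Referer across a plain HTTP redirect, the helper serves a small session-free page that refreshes to the target (and sets `Referrer-Policy: no-referrer` for browsers that honour it) rather than answering 302 directly.

```python
"""Outbound-link "dereferer" for a site that carries its session id in the URL.

Added example for this thread, not code from the list or the posters.
Assumed (constructed) names: session parameter `sid`, host `shop.example`,
intermediate page at `/leave`.
"""

import html
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

SESSION_PARAM = "sid"        # assumed name of the session id carried in URLs
OUR_HOST = "shop.example"    # assumed host of our own site
LEAVE_PATH = "/leave"        # assumed path of the outbound-link page
ALLOWED_SCHEMES = ("http", "https")


def is_external(url: str) -> bool:
    """True for absolute http(s) links that point away from our own host."""
    p = urlsplit(url)
    return p.scheme in ALLOWED_SCHEMES and bool(p.netloc) and p.netloc.lower() != OUR_HOST


def rewrite_outbound_links(page: str) -> str:
    """Rewrite every external href="..." so the link first goes to LEAVE_PATH.

    Internal links keep their sid; external links are routed through a page
    whose own URL carries no session id. A simple regex over double-quoted
    href attributes keeps the example short; a real site does this in its
    output layer.
    """
    def repl(m) -> str:
        url = html.unescape(m.group(2))
        if not is_external(url):
            return m.group(0)
        return f'{m.group(1)}{LEAVE_PATH}?to={quote(url, safe="")}{m.group(3)}'
    return re.sub(r'(<a\b[^>]*?\bhref=")([^"]*)(")', repl, page, flags=re.IGNORECASE)


def clean_target(url: str) -> Optional[str]:
    """Validate the requested target and drop any session parameter from it.

    Accepting only http(s) URLs with a host keeps the page from becoming an
    open redirector for javascript:/data:/scheme-relative targets.
    """
    p = urlsplit(url)
    if p.scheme not in ALLOWED_SCHEMES or not p.netloc:
        return None
    q = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True) if k != SESSION_PARAM]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(q), p.fragment))


def leave_handler(query_string: str) -> Tuple[int, List[Tuple[str, str]], str]:
    """CGI-style handler for LEAVE_PATH: returns (status, headers, body).

    It serves an intermediate page instead of a bare 302 because browsers
    keep the original page's Referer across an HTTP redirect. The refresh
    makes this session-free page (or nothing, depending on the browser) the
    document the user leaves from, and the Referrer-Policy header and meta
    suppress the header entirely where supported.
    """
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    target = clean_target(params.get("to", ""))
    if target is None:
        return 400, [("Content-Type", "text/plain")], "bad target\n"
    safe = html.escape(target, quote=True)
    body = (
        "<!DOCTYPE html><html><head>"
        '<meta name="referrer" content="no-referrer">'
        f'<meta http-equiv="refresh" content="0;url={safe}">'
        "<title>Leaving</title></head><body>"
        f'<p>Leaving this site for <a href="{safe}">{safe}</a>.</p>'
        "</body></html>"
    )
    headers = [("Content-Type", "text/html; charset=utf-8"),
               ("Referrer-Policy", "no-referrer")]
    return 200, headers, body


if __name__ == "__main__":
    # Constructed sample page: one internal link, one partner link, both carrying sid.
    sample = ('<a href="/cart?sid=abc123">cart</a> '
              '<a href="http://partner.example/deal?sid=abc123&amp;x=1">partner</a>')
    print(rewrite_outbound_links(sample))
    print(leave_handler("to=http%3A%2F%2Fpartner.example%2Fdeal%3Fsid%3Dabc123%26x%3D1"))
```

The rewriter leaves the internal cart link untouched and turns the partner link into `/leave?to=http%3A%2F%2Fpartner.example%2Fdeal%3Fsid%3Dabc123%26x%3D1`; the handler then strips the stray `sid` from the target before handing the user on, so neither the URL the user leaves from nor the URL they arrive at carries the session.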