Re: Session-ID from James Calloway on 1996-02-29 (www-logging@w3.org from February 1996)

From: James Calloway <jcallowa@nando.net>
Date: Thu, 29 Feb 1996 14:53:25 -0500
To: www-logging@w3.org
Cc: jcallowa@nando.net
Message-Id: <31360435.377D@nando.net>

> 
>    * To: www-logging@w3.org
>    * Subject: Session-ID
>    * From: Rohit Khare <khare@pest.w3.org>
>    * Date: Fri, 16 Feb 96 14:29:26 -0500
>    * From khare@pest.w3.org Fri Feb 16 14: 28:07 1996
>    * Reply-To: khare@w3.org
> 
> ----------------------------------------------------------------------
> 
> There are several session-ID proposals floating around. Cookies, I think, are
> a dubious way to handle user identification for the future.
> 
> One stab at it is:
> 
> >1) Session Identification
> >
> >Obviously, people today *are* able to do sessions with URL-munging,
> >cookies, BASIC auth, etc. It's clear, though,that JEPI will strongly
> >suggest a session-identifier to track the state of negotiation.
> >
> >Rohit presented the alternatives that have been developed,
> >such as "MD5(secret|hostname), counter++". We can create pseudonyms,
> >session counters, and so on.  Originally, this was included in 3
> >(demographic profiling).
> >
> >I think that we need some input from HTTP,the logging & measurement
> >groups, and implementors. If we can solve the problem of
> >discriminating 'user sessions' (such as multiple windows on a site),
> >we should run with one of these solutions.
> >
> >Protocol Name:  http://pep.w3.org/Session
> >Parameters:     {id MD5(client_secret | scheme://host:port)}
> >                {c integer++}
> 
> What's missing is a UI to 'scramble' the ID and come in without being
> correlated to past or future visits.
> 
> Thoughts?
> 
> Rohit Khare

Identification of a session probably should be kept separate from the 
identification of a user. The former should be automatic, the latter 
voluntary. In other words, don't even attempt to use a meaningful ID to 
track the session.

Simple approach would be for the browser to generate a "dynamic cookie," 
an otherwise meaningless number that is preserved only for the duration 
of the session (from start to quit of the browser). The number should be 
sufficiently large and random so that the chances of getting a duplicate 
are insignificant.


-- 
James Calloway, General Manager    http://www.nando.net
Nando.net, a McClatchy New Media company
127 W. Hargett St., Suite 406, Raleigh, NC 27601-1351
Voice: (919) 836-2858  FAX: (919) 836-2814

Received on Thursday, 29 February 1996 14:52:09 UTC