- From: Martin Presler-Marshall <mpresler@us.ibm.com>
- Date: Mon, 15 Oct 2001 11:32:09 -0400
- To: Gerald_T_Beattie@comerica.com
- Cc: www-p3p-dev@w3.org
The short answer is, yes, P3P compact policies are intended even for
session cookies which just contain a session ID.
P3P says that the policy which covers a cookie should cover all data
contained in or linked to by the cookie. Obviously, a session ID is a
unique ID (category <uniqueid/>). It may be linked to other data on the
server side, and the site's policy needs to cover this.
In general, it's not practical for a site to use individual policies
for each cookie set by the site, or for each application deployed on the
site. Doing so results in a nightmare for managing the policies. Instead,
it's much easier to define a site-wide (or enterprise-wide) privacy policy.
Then you code that policy into a P3P statement and a P3P compact policy,
and apply those policies broadly on the site.
-- Martin
Martin Presler-Marshall - Program Manager, Privacy Technology
E-mail: mpresler@us.ibm.com AIM: jhreingold
Phone: (919) 254-7819 (tie-line 444-7819) Fax: (919) 254-6430 (tie-line
444-6430)
Gerald_T_Beattie@comerica.com
Sent by: www-p3p-dev-request@w3.org
10/15/2001 11:03 AM
To: www-p3p-dev@w3.org
cc:
Subject: Session Cookies
Java allows a developer to use session objects to track a user.
Behind the scenes the session object uses a session cookie for tracking
purposes.
Since using a session object is just a natural part of Java programming for
the web, how are we going to remember to use a compact policy for every
session object? Are compact policies intended for session cookies that
just contain a session ID?
Thanks
Jerry
Received on Monday, 15 October 2001 20:53:46 UTC
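
Added example, not part of the original thread: one way to check that a site-wide compact policy really reaches every response that sets a session cookie, and that it declares the unique-ID category the reply mentions. The paths, header values and compact-policy strings are constructed samples; `UNI` is the compact-policy token for `<uniqueid/>`, and `JSESSIONID` is the cookie name Java servlet containers use for session objects.

```python
from email.parser import Parser
import re

# Constructed sample response headers, keyed by request path.
SAMPLE_RESPONSES = {
    "/login": (
        "Content-Type: text/html\n"
        'P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR UNI NAV"\n'
        "Set-Cookie: JSESSIONID=A1B2C3; Path=/\n\n"
    ),
    # An application that was deployed without the site-wide header.
    "/cart": "Content-Type: text/html\nSet-Cookie: JSESSIONID=D4E5F6; Path=/\n\n",
    # Header present, but the policy does not cover the unique ID.
    "/search": (
        "Content-Type: text/html\n"
        'P3P: CP="NOI DSP COR NAV"\n'
        "Set-Cookie: JSESSIONID=0718AA; Path=/\n\n"
    ),
    "/static": "Content-Type: text/css\n\n",
}

CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)

def compact_tokens(headers):
    """Return the set of compact-policy tokens in the P3P header, or None."""
    p3p = headers.get("P3P")
    if p3p is None:
        return None
    match = CP_RE.search(p3p)
    return set(match.group(1).split()) if match else None

def audit(raw_headers):
    """Classify one response: ok, no-cookie, missing-cp or missing-uni."""
    headers = Parser().parsestr(raw_headers, headersonly=True)
    if not headers.get_all("Set-Cookie"):
        return "no-cookie"          # nothing for a compact policy to cover
    tokens = compact_tokens(headers)
    if tokens is None:
        return "missing-cp"         # cookie set without any compact policy
    # A session ID is a unique ID, so the policy must declare that category.
    return "ok" if "UNI" in tokens else "missing-uni"

def audit_site(responses):
    """Audit every captured response and return {path: classification}."""
    return {path: audit(raw) for path, raw in responses.items()}

if __name__ == "__main__":
    for path, result in audit_site(SAMPLE_RESPONSES).items():
        print(f"{path:10} {result}")
```

The check only confirms that a compact policy is present and names the unique-ID category; it does not validate the rest of the policy against the site's full P3P statement.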