- From: John Kemp <john@jkemp.net>
- Date: Mon, 26 Sep 2011 10:17:19 -0400
- To: Thomas Roessler <tlr@w3.org>
- Cc: "L. David Baron" <dbaron@dbaron.org>, Noah Mendelsohn <nrm@arcanedomain.com>, Karl Dubost <karld@opera.com>, Jeni Tennison <jeni@jenitennison.com>, "www-tag@w3.org List" <www-tag@w3.org>
On Sep 26, 2011, at 7:27 AM, Thomas Roessler wrote: > On 2011-09-25, at 18:59 +0100, L. David Baron wrote: > >> That said, I keep hearing about how sites are or may be using other >> methods to track users (flash local shared objects, fingerprinting), >> possibly in combination with each other. > > There are significant pieces of today's Web Architecture that depend on keeping a certain amount of client state — in-browser caching comes to mind as a rather fundamental example. > > If there is sufficiently high-entropy client side state, and if that state can be accessed by a web application (using JavaScript code or HTTP or something else), then tracking is technically possible. The problem is that users (whether laymen or IT professionals) expect that when they click 'logout' or 'remove my cookies', their 'session' state with that site is removed. I certainly have that expectation too. After all, a session should be a session. Not some indefinite period of time. What is the valid need for 'client state' when the client is not working on my behalf at the server (ie. I am logged-in at that site?) - John
Received on Monday, 26 September 2011 14:20:18 UTC