- From: Marc Hedlund <hedlund@best.com>
- Date: Tue, 18 Jul 1995 23:46:12 -0700
- To: www-talk@w3.org

[a session-id can compromise user privacy...]

>1) By tracking a user from one host to another to another -- all they
>need do is find one occurrence where the user provides identifying
>information [...]
>2) By observing patterns of behavior that reduce the possible user
>sample to one small enough wherein identity can be obtained. [...]
>3) By associating an invariant marker with each request, the request
>set as a whole can be analyzed for other invariant markers that
>distinguish that browser from others.

Certainly (1) and to some extent (2) could be made less bothersome by resetting the session-id with each new site to which a request is sent (that is, a session id is invariant for all requests to a particular site, from client startup to termination, but required to vary in requests to each new site). Wasn't this proposed during the discussion of session-id in January/February? I'm not seeing a need for the session-id to remain constant between different sites.

Marc Hedlund <hedlund@best.com>

Received on Wednesday, 19 July 1995 02:48:24 UTC
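
An added illustration of the per-site reset proposed in the message above (not part of the original post or of any session-id draft): a client store that draws an independent random session-id for each site and keeps it until termination, plus a check of whether pooled server logs can link sites. The class, function and host names are assumptions made for this example.

```python
import secrets


class PerSiteSessionIds:
    """Hypothetical client-side store: one random session-id per site,
    kept from client startup to termination, never reused across sites."""

    def __init__(self):
        self._ids = {}  # host -> session-id, held in memory only

    def id_for(self, host):
        # Host names are case-insensitive and may carry a trailing dot;
        # normalise so one site never receives two different ids.
        key = host.strip().lower().rstrip(".")
        if key not in self._ids:
            # Independent random value: nothing ties it to another site's id.
            self._ids[key] = secrets.token_hex(16)
        return self._ids[key]

    def restart(self):
        # Client termination: every id is discarded.
        self._ids.clear()


def linkable_pairs(logs):
    """logs maps site -> list of session-ids seen in its requests.
    Returns the pairs of sites that observed a common id, i.e. the
    host-to-host tracking described in point (1) of the quoted text."""
    sites = sorted(logs)
    return [(a, b)
            for i, a in enumerate(sites)
            for b in sites[i + 1:]
            if set(logs[a]) & set(logs[b])]


def simulate(global_id):
    """Constructed sample: three requests to each of two made-up hosts,
    sent with either one global id or the per-site ids from the store."""
    store = PerSiteSessionIds()
    shared = secrets.token_hex(16)
    return {host: [shared if global_id else store.id_for(host)
                   for _ in range(3)]
            for host in ("shop.example", "news.example")}
```

Per-site ids remove the shared value that makes cross-site joins trivial; they do nothing about the other invariant markers mentioned in point (3).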