Re: Session tracking from John Franks on 1995-05-10 (www-talk@w3.org from May to June 1995)

From: John Franks <john@math.nwu.edu>
Date: Wed, 10 May 1995 16:49:45 -0500
To: www-talk@w3.org
Message-Id: <199505102149.QAA23233@hopf.math.nwu.edu>

In article <199505101847.OAA15272@hapeville.cc.gatech.edu>, you write:
> 
> Jared Rhine writes on Wed, 10 May 1995 00:12:32 -0700:
> 
> > [The topic was session-tracking proposals, esp the proposed "Session-ID"
> > header.]
> >
> >  JP> 1) identify sessions (esp. from firewalled domains)
> >  JP> [...]
> >  JP> If the 'From:' field is widely used, you'd have what you wanted(1).
> >
> > No, I don't believe so, because one of the stated requirements is that we be
> > able to identify sessions without compromising the identity of the user.
> > 
> > If this is the case, I fail to see how current HTTP practices allow for
> > session tracking as you claim:
> 
> >  JP> My point is that the protocol does not need to be changed to handle
> >  JP> session(1) &/or user identification(2) - WWW browsers/interfaces need
> >  JP> to pass the right information.
> >


There is a very good session-id/session-tracking/shopping basket proposal
from Netscape.  And the best thing about it is it already implemented in
recent Netscape browsers.  I must say it is great to have an HTTP proposal
that is actually implemented rather than just talked about.  Thanks Netscape.

Basically the server uses a header like

Set-Cookie: name=opaque; expires=date; path=xxx; domain=xxx

The client caches this until the end of session if there is no "epires"
field and until the expiration date otherwise (across sessions).  The
client returns one or more 

Cookie: name=opaque

headers when it makes a request in the domain/path realm.  This works
very well for lots of things.  In particular the MCI shopping area
uses this for their shopping baskets.  Details of this proposal were
posted a while back in www-talk.  Until then I had been wondering how
the shopping baskets worked.

The posting by Lou Montulli proposed that this be added to HTTP 1.1
and I certainly hope it will.  It is a good proposal and is just too
useful to lose by getting bogged down in politics!

There is support for this in the Netsite servers (presumably) and the
latest version of WN has support.  I think that NCSA and CERN servers
should pass the Cookie: header to a CGI environment variable so an
nph-  CGI script should work with them.  Try it out.

-- 

John Franks 	Dept of Math. Northwestern University
		john@math.nwu.edu

Received on Wednesday, 10 May 1995 17:48:50 UTC