I haven’t tried sessions, yet. But I’m curious if you can work
with sessions without using cookies.
Some people don’t accept cookies. And it’s good style to avoid
the use of cookies.
Something like an appended “;sessionid=63297469326” to the URL
can be seen with many systems which use sessions without cookies.
Seemed to work fine for me when I had “Always allow session
cookies” (and others of course) disabled in IE6. Hadn’t checked
this (neither the code) thoroughly though.
Sab
“Stefan Scholl” stefan.scholl@brave.de wrote in message news:ao1amv$1u5$2@frost.brave.de…
I haven’t tried sessions, yet. But I’m curious if you can work
with sessions without using cookies.Some people don’t accept cookies. And it’s good style to avoid
the use of cookies.Something like an appended “;sessionid=63297469326” to the URL
can be seen with many systems which use sessions without cookies.
Haven’t tried it, but I’ve read the source:
Rewrite rule (Apache), which transforms the
“;sessionid=63297469326” into something like
“?_session_id=63297469326”.
Then every link the HTML code must have the
“;sessionid=63297469326” appended to it.
Stefan Scholl stefan.scholl@brave.de wrote:
Some people don’t accept cookies. And it’s good style to avoid
the use of cookies.
Something like an appended “;sessionid=63297469326” to the URL
can be seen with many systems which use sessions without cookies.
Uhm, if the user has disabled cookies, it’s a good bet that they would
rather not be tracked by you moving the data from the cookies to the
URL.
It’s good style to keep your URL’s clean and independent of underlying
implementation details. It’s not good style to depend on session
tracking in general usage. It’s perfectly reasonable to demand cookies
be accepted to personalise a site.
Some people don’t accept cookies. And it’s good style to avoid the use
of cookies.
Leibowitz’s Rule:
When hammering a nail, you will never hit your finger if you
hold the hammer with both hands.
Stefan Scholl stefan.scholl@brave.de wrote in message news:ao1amv$1u5$2@frost.brave.de…
I haven’t tried sessions, yet. But I’m curious if you can work
with sessions without using cookies.
sessions and cookies are married topics. A “session” is data indexed
by a key sent to a client in a cookie.
From RFC 2109:
This document describes a way to create stateful
sessions with HTTP requests and responses. Currently,
HTTP servers respond to each client request without
relating that request to previous or subsequent requests;
the technique allows clients and servers that wish to
exchange state information to place HTTP requests and
responses within a larger context, which we term a "session".
This context might be used to create, for example, a
"shopping cart", in which user selections can be aggregated
before purchase, or a magazine browsing system, in which a
user's previous reading affects which offerings are presented.
- http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2109.html
~ Patrick
Some people don’t accept cookies. And it’s good style to avoid
the use of cookies.
“Good style”? Doesn’t that depend on what you’re trying to accomplish?
It’s nice when a site provides an alternative way to maintain state when cookies
are turned off, but massive URL strings are a kludge for passing data around if
cookies are available, and they’re not persistent between visits.
James
Stefan Scholl stefan.scholl@brave.de wrote:
Uhm…you mean unlike Amazon?
On Tuesday, 15 October 2002 at 6:29:41 +0900, Thomas Hurst wrote:
- Stefan Scholl (stefan.scholl@brave.de) wrote:
Some people don’t accept cookies. And it’s good style to avoid the use
of cookies.Uhm, if the user has disabled cookies, it’s a good bet that they would
rather not be tracked by you moving the data from the cookies to the
URL.It’s good style to keep your URL’s clean and independent of underlying
implementation details. It’s not good style to depend on session
tracking in general usage. It’s perfectly reasonable to demand cookies
be accepted to personalise a site.
You know you’re a little fat if you have stretch marks on your car.
– Cyrus, Chicago Reader 1/22/82
Cookies are permanent per default.
We have a different culture and laws regarding privacy in Germany
and the EU. Maybe that’s the reason why some people in this
newsgroup don’t see the problem here.
Thomas Hurst tom.hurst@clara.net wrote:
- Stefan Scholl (stefan.scholl@brave.de) wrote:
Some people don’t accept cookies. And it’s good style to avoid the use
of cookies.Uhm, if the user has disabled cookies, it’s a good bet that they would
rather not be tracked by you moving the data from the cookies to the
URL.
patrick-may@monmouth.com (Patrick May) writes:
Stefan Scholl stefan.scholl@brave.de wrote in message news:ao1amv$1u5$2@frost.brave.de…
I haven’t tried sessions, yet. But I’m curious if you can work
with sessions without using cookies.sessions and cookies are married topics. A “session” is data indexed
by a key sent to a client in a cookie.
Not necessarily; it’s possible to track a session without using cookies.
URL rewriting is one obvious technique, but I’m sure there are others.
-=Eric
–
Come to think of it, there are already a million monkeys on a million
typewriters, and Usenet is NOTHING like Shakespeare.
– Blair Houghton
Given Amazon are known for utterly horrible URL’s that mean very little
and which are a pain to copy and paste for others without knowing what
other information you’re copying for them, yes, highly unlike Amazon.
On Tuesday, 15 October 2002 at 6:29:41 +0900, Thomas Hurst wrote:
It’s good style to keep your URL’s clean and independent of
underlying implementation details. It’s not good style to depend
on session tracking in general usage. It’s perfectly reasonable to
demand cookies be accepted to personalise a site.Uhm…you mean unlike Amazon?
I have seen the Great Pretender and he is not what he seems.
Uhm, if the user has disabled cookies, it’s a good bet that they
would rather not be tracked by you moving the data from the cookies
to the URL.Cookies are permanent per default.
No, cookies live for the browser session by default.
We have a different culture and laws regarding privacy in Germany and
the EU. Maybe that’s the reason why some people in this newsgroup
don’t see the problem here.
Cookies are easy to control and manipulate in most browsers. I can
choose:
To disallow tracking me completely
To allow you to track me only until I reopen my browser
To allow you to track me only if you are on a trusted list of sites
(or not on an untrusted one)
To only allow you to track me if your site has a p3p privacy policy
I can look at.
To disallow other sites you might link to from tracking me, e.g.
banner adverts
To allow you to track me normally
It’s also trivial to log and keep an eye on what cookies are being set.
With URI-encoded cookies, I have one choice which I can realistically
automate:
I can perhaps edit it manually to thwart you, but this is often easier
said than done (e.g. Amazon’s URI’s) and easy to forget.
Now, which do you think are better for privacy? Cookies with exact
known specifications which you can ACL and filter fairly arbitarily
depending on your privacy needs, or URI-encoded cookies you can’t turn
off and which a site can easily choose (without telling you) to leak to
other sites?
Thomas Hurst tom.hurst@clara.net wrote:
Expect a letter from a friend who will ask a favor of you.
Eric Schwartz emschwar@fc.hp.com wrote in message news:eto8z0ry3zr.fsf@narsil.emschwar…
Not necessarily; it’s possible to track a session without using cookies.
URL rewriting is one obvious technique, but I’m sure there are others.
I’m not saying that it’s impossible to track a user without cookies.
But you end up with requirements that are very different from the way
sessions work.
and the big plus for cookie sessions…
A disallowed cookie is more likely to be a privacy decision (doesn’t
want to be tracked) than a technological decision (doesn’t want to use
cookies). Those users are likely to be upset if you go ahead and
track them.
~ Patrick
Perhaps you should learn about cookies before we continue the
discussion.
Thomas Hurst tom.hurst@clara.net wrote:
- Stefan Scholl (stefan.scholl@brave.de) wrote:
Thomas Hurst tom.hurst@clara.net wrote:
Uhm, if the user has disabled cookies, it’s a good bet that they
would rather not be tracked by you moving the data from the cookies
to the URL.Cookies are permanent per default.
No, cookies live for the browser session by default.
I’m not going to get into the privacy debate, but the main problem
with systems that use cookies for session keys is that they don’t tend
to allow for multiple sessions open at once. I always run into
problems, for example, when trying to move money between accounts at
my bank - once I open up the receiving account to check the transfer,
all the pages of the transferring account suddenly break. There are
no doubt ways to avoid this, but as far as I can tell most
cookie-based systems don’t even try.
Avi
Thomas Hurst tom.hurst@clara.net wrote
Now, which do you think are better for privacy? Cookies with exact
known specifications which you can ACL and filter fairly arbitarily
depending on your privacy needs, or URI-encoded cookies you can’t turn
off and which a site can easily choose (without telling you) to leak to
other sites?
One problem I’ve found with cookies, from the viewpoint of web server
design, is that if you make cookies optional, most (more than half)
users will choose to not accept them. If you make the cookies
mandatory, users will accept them, but then a significant percentage
(maybe 10-20%, but I’m handwaving) will delete the cookies between
sessions, or (worse) use software which messes with the cookies in
some way. This makes it very difficult to use them reliably for
tracking.
One nice thing about URL rewriting is that it is wholly implemented on
the server, and therefore it is much easier to control, and requires
no special compliance (or lack of defiance) on the part of the client.
Granted, it is more limited in how it can track users (can’t track
users across dynamic IP addresses), but within its limits it is fairly
foolproof.
My apologies if this is too far off topic, but I wanted to share my
battle scars.
–Mirian
On Tue, 22 Oct 2002 23:37:01 +0900, Patrick May patrick-may@monmouth.com wrote:
Eric Schwartz emschwar@fc.hp.com wrote in message news:eto8z0ry3zr.fsf@narsil.emschwar…
Not necessarily; it’s possible to track a session without using cookies.
URL rewriting is one obvious technique, but I’m sure there are others.I’m not saying that it’s impossible to track a user without cookies.
But you end up with requirements that are very different from the way
sessions work. […]
Netscape’s specification[1]:
expires is an optional attribute. If not specified, the cookie will
expire when the user’s session ends.
RFC 2109, “HTTP State Management Mechanism”[2]:
Max-Age=delta-seconds
Optional. The Max-Age attribute defines the lifetime of the
cookie, in seconds. The delta-seconds value is a decimal non-
negative integer. After delta-seconds seconds elapse, the client
should discard the cookie. A value of zero means the cookie
should be discarded immediately.
…
The user agent applies these defaults for optional attributes that
are missing:
Max-AgeThe default behavior is to discard the cookie when the user
agent exits.
References:
1: News, Politics, Sports, Mail & Latest Headlines - AOL.com
2: http://www.ietf.org/rfc/rfc2109.txt
Thomas Hurst tom.hurst@clara.net wrote:
No, cookies live for the browser session by default.
Perhaps you should learn about cookies before we continue the
discussion.
Fine day to throw a party. Throw him as far as you can.
Thomas Hurst tom.hurst@clara.net writes:
References:
1: News, Politics, Sports, Mail & Latest Headlines - AOL.com
2: http://www.ietf.org/rfc/rfc2109.txt
Yes, please continue using cookies.