[Lispweb] session tracking: url rewriting vs cookies

Matt Curtin cmcurtin at interhack.net
Sun Jun 24 20:41:59 CDT 2001


>>>>> "Lyn" == Lyn A Headley <laheadle at cs.uchicago.edu> writes:

  Lyn> I think I'm going to add cookie-based sessions to IMHO, but if
  Lyn> anyone has a better idea to support the general/personal
  Lyn> dichotomy with caching, I'd love to hear it.

I'd prefer to see a cookie-based mechanism for session management.
URLs are essentially public knowledge, thanks to their appearance in
various types of log files, headers that can leak to third parties
(e.g., HTTP referrers, which were mandatory until HTTP 1.1 and are
still treated that way in many cases), etc.

Cookies are a Good Thing[1] for the purpose of managing session state.
Abuse of cookies is, of course, one reason to consider their use
carefully, but using them as they were intended is perfectly sensible.


Footnotes: 
[1]  Well, to the degree that a Good Thing is possible atop the
     bizarre stateless beast known as HTTP.

-- 
Matt Curtin, Founder  Interhack Corporation  http://web.interhack.com/
"Building the Internet, Securely." research | development | consulting
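
The exposure described in the message above, as an added example that is not part of the original post: a short Python check that scans access-log lines in Combined Log Format for session identifiers recorded in the request URL or the Referer field. The parameter name "sid", the host shop.example and all log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: URL rewriting carries the session in a query parameter named "sid".
SESSION_PARAM = "sid"

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
# The Cookie header is not one of its fields.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def session_ids(url):
    """Return the session identifiers carried in a URL's query string."""
    return parse_qs(urlsplit(url).query).get(SESSION_PARAM, [])

def find_exposures(lines):
    """Return (field, session id) for every identifier a log line records."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format, nothing to inspect
        for field in ("target", "referer"):
            value = m.group(field)
            if value != "-":
                found.extend((field, sid) for sid in session_ids(value))
    return found

# Constructed sample: session kept in the URL. The first line is the site's own
# log; the second is a third party's log after the browser fetched a resource
# referenced from the session page, so the Referer carries the full URL.
URL_REWRITING_LOGS = [
    '192.0.2.10 - - [24/Jun/2001:20:41:59 -0500] "GET /cart?sid=a1b2c3 HTTP/1.0" 200 512 "-" "Mozilla/4.7"',
    '192.0.2.10 - - [24/Jun/2001:20:42:07 -0500] "GET /banner.gif HTTP/1.0" 200 2048 "http://shop.example/cart?sid=a1b2c3" "Mozilla/4.7"',
]

# Constructed sample: the same two requests with the session kept in a cookie.
COOKIE_LOGS = [
    '192.0.2.10 - - [24/Jun/2001:20:41:59 -0500] "GET /cart HTTP/1.0" 200 512 "-" "Mozilla/4.7"',
    '192.0.2.10 - - [24/Jun/2001:20:42:07 -0500] "GET /banner.gif HTTP/1.0" 200 2048 "http://shop.example/cart" "Mozilla/4.7"',
]

if __name__ == "__main__":
    print("url rewriting:", find_exposures(URL_REWRITING_LOGS))
    print("cookies:      ", find_exposures(COOKIE_LOGS))
```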


