[Lispweb] session tracking: url rewriting vs cookies
brlewis at alum.mit.edu
Mon Jun 25 08:43:46 CDT 2001
Matt Curtin <cmcurtin at interhack.net> writes:
> I'd prefer to see a cookie-based mechanism for session management.
> URLs are essentially public knowledge, thanks to their appearance in
> various types of log files, headers that can leak to third parties
> (e.g., HTTP referrers, which were mandatory until HTTP 1.1 and are
> still treated that way in many cases), etc.
> Cookies are a Good Thing for the purpose of managing session state.
> carefully, but using them as they were intended is perfectly sensible.
What he said!
Probably just a clarification: Users should consider their use of
cookies carefully when concerned about privacy. For web app developers
implications of a cookie plus the additional implications Matt
mentioned. Some users don't understand this yet, but if at some point
later they are enlightened they won't be happy that you used a worse
scheme than cookies.
When you want a web server to know who you are*, cookies are the right
thing. When you don't, they aren't.
*More precise but less mnemonic wording omitted. Of course not all
cookies reveal your name/address/etc.
Bruce R. Lewis http://brl.sourceforge.net/
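
The log-file and Referer exposure Matt describes, as an added example that is not part of the original thread: a Python scan over constructed Combined Log Format lines that reports session tokens visible in request URLs and Referer fields. The parameter names, host names and token values are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed session parameter names; adjust to the application under review.
SESSION_PARAMS = {"sid", "sessionid", "jsessionid", "phpsessid"}

# NCSA Combined Log Format: request line, status, size, Referer, User-Agent.
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def session_ids_in_url(url):
    """Return session tokens carried in a URL's query string or ;path parameters."""
    parts = urlsplit(url)
    found = [v for k, v in parse_qsl(parts.query) if k.lower() in SESSION_PARAMS]
    # URL rewriting often uses path parameters, e.g. /cart;jsessionid=ABC
    for segment in parts.path.split("/"):
        for param in segment.split(";")[1:]:
            key, _, value = param.partition("=")
            if key.lower() in SESSION_PARAMS and value:
                found.append(value)
    return found

def scan(lines):
    """Yield (line_number, field, token) for every session token visible in a log."""
    for number, line in enumerate(lines, 1):
        match = COMBINED.match(line)
        if not match:
            continue  # not a Combined Log Format line
        for field in ("target", "referer"):
            for token in session_ids_in_url(match.group(field)):
                yield number, field, token

# Constructed sample lines (not real traffic).
SAMPLE = [
    # Our server, URL-rewritten session: the token lands in our access log.
    '192.0.2.10 - - [25/Jun/2001:08:43:46 -0500] "GET /cart;jsessionid=A1B2C3 HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    # Third-party server: the same token arrives in the Referer header.
    '192.0.2.10 - - [25/Jun/2001:08:44:02 -0500] "GET /banner.gif HTTP/1.0" 200 90 "http://shop.example/cart;jsessionid=A1B2C3" "Mozilla/4.0"',
    # Our server, cookie-based session: Combined format does not log Cookie.
    '192.0.2.11 - - [25/Jun/2001:08:45:10 -0500] "GET /cart HTTP/1.0" 200 512 "http://shop.example/" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The first two sample lines are flagged because the token travels in the URL; the cookie-based request on the third line leaves nothing in either field.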