[Lispweb] session tracking: url rewriting vs cookies

brlewis@alum.mit.edu brlewis at alum.mit.edu
Mon Jun 25 08:43:46 CDT 2001


Matt Curtin <cmcurtin at interhack.net> writes:

> I'd prefer to see a cookie-based mechanism for session management.
> URLs are essentially public knowledge, thanks to their appearance in
> various types of log files, headers that can leak to third parties
> (e.g., HTTP referrers, which were mandatory until HTTP 1.1 and are
> still treated that way in many cases), etc.
> 
> Cookies are a Good Thing[1] for the purpose of managing session state.
> Abuse of cookies is, of course, one reason to consider their use
> carefully, but using them as they were intended is perfectly sensible.

What he said!

Probably just a clarification: Users should consider their use of
cookies carefully when concerned about privacy.  For web app developers
it's a no-brainer: just use cookies.  URI encoding has all the privacy
implications of a cookie plus the additional implications Matt
mentioned.  Some users don't understand this yet, but if at some point
later they are enlightened they won't be happy that you used a worse
scheme than cookies.

When you want a web server to know who you are*, cookies are the right
thing.  When you don't, they aren't.


*More precise but less mnemonic wording omitted.  Of course not all
 cookies reveal your name/address/etc.

-- 
Bruce R. Lewis				http://brl.sourceforge.net/
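To make the leak the thread is talking about concrete, here is an added example (not code from the list or from either poster) that builds the two schemes side by side and then audits a constructed access log for session tokens that rode in the URL. The parameter name `sid`, the cookie name `session`, and the sample log lines are assumptions made for the example.

```python
"""Session tracking: URL rewriting vs. cookies (added example).

A token that is part of the URL ends up in server access logs, proxy logs and
the Referer header of every outbound link; a token carried in a Cookie header
does not.  The defender-side check at the bottom scans log lines for tokens
that leaked that way.
"""
import re
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit

SESSION_PARAM = "sid"      # assumed name of the URL-rewritten session parameter
COOKIE_NAME = "session"    # assumed cookie name


def new_session_id() -> str:
    # 128 bits from the OS CSPRNG, URL-safe; never derived from user data.
    return secrets.token_urlsafe(16)


def rewrite_url(url: str, sid: str) -> str:
    # URL-rewriting scheme: the token travels inside every link the app emits,
    # so it is written to logs and sent as Referer when the user clicks away.
    sep = "&" if urlsplit(url).query else "?"
    return f"{url}{sep}{urlencode({SESSION_PARAM: sid})}"


def session_cookie_header(sid: str) -> str:
    # Cookie scheme: the token lives only in the Cookie header.  HttpOnly keeps
    # it from scripts, Secure keeps it off plaintext HTTP, SameSite=Lax limits
    # cross-site sending.
    jar = SimpleCookie()
    jar[COOKIE_NAME] = sid
    jar[COOKIE_NAME]["path"] = "/"
    jar[COOKIE_NAME]["httponly"] = True
    jar[COOKIE_NAME]["secure"] = True
    jar[COOKIE_NAME]["samesite"] = "Lax"
    return jar.output(header="Set-Cookie:")


# Request line inside a Common Log Format entry: "GET /path?query HTTP/1.x"
_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def session_ids_in_log(lines) -> list:
    """Defender check: return every session token found in request URLs.
    Anything returned here is a token the log (and anyone who reads it) holds."""
    leaked = []
    for line in lines:
        m = _REQUEST.search(line)
        if m:
            leaked.extend(parse_qs(urlsplit(m.group(1)).query).get(SESSION_PARAM, []))
    return leaked


# Constructed sample log: one URL-rewritten request, one cookie-based request.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Jun/2001:08:43:46 -0500] "GET /cart?sid=AbC123xyz HTTP/1.0" 200 512',
    '10.0.0.6 - - [25/Jun/2001:08:44:01 -0500] "GET /cart HTTP/1.1" 200 512',
]
```

Run `session_ids_in_log` over a real access log to see how many live tokens your current scheme has already written to disk.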


