Re: Session tracking

Gary Adams - Sun Microsystems Labs BOS (
Mon, 1 May 1995 08:12:31 +0500

> Date: Sat, 29 Apr 1995 15:13:26 +0500
> From: (Kee Hinckley)
> Subject: Re: Session tracking
> It does seem to me that the magic-cookie design is very closely tied to
> existing password systems, and in that respect I think it's worth
> considering whether the two mechanisms might be tied together more tightly
> (a user password system with expirations makes perfect sense, for
> instance). I haven't delved into that side of the protocol enough to say
> any more.

This is a very good point, that some of the "identifiers" (session, cookie,
whatever) should have a similar life cycle as security credentials (where
passwds are a valid instance of server side authentication).

> Shopping carts embedded in ids is a cute hack, but it's a red herring. The
> real goal in my mind is to find a way to identify a user without requiring
> them to carry a separate ID for every store they walk into.

It seems to me that a "user centric" view of the web would call for
client side generation of the credentials, that could be reused
at many different storefront businesses.i.e. shopping at a mall
rather than a department store for one stop shopping.