Re: 3 Proposals: session ID, business-card auth, customer auth

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Daniel DuBois: "Re: 3 Proposals: session ID, business-card auth, customer auth"
• Previous message: Joel Crisp: "Re: File upload from a Web browser"
• In reply to: Daniel W. Connolly: "3 Proposals: session ID, business-card auth, customer auth"
• Next in thread: Daniel DuBois: "Re: 3 Proposals: session ID, business-card auth, customer auth"

> One might argue (in fact, one has argued: Hi Henrik!) that this is an
> extension of the From: field, and these data belong there. I don't
> believe so: if the From: field is present, it should contain a valid
> email address of the requesting user (clearly the server cannot depend
> on the authenticity of the From: field, but that doesn't mean we
> should corrupt it further in the protocol spec).

What I have pointed out is that a `random' number is merely an anonymous
substitute for the From: field. It would be the same as allowing anything as
a valid value in the From: field. As far as I recall, the definition of the
field in 822 pretty much accepts anything as a valid address. However, this
is just to clarify the meaning of a "session" ID (what ever a session is) - I
don't intend to actually suggest the overload of the From: field.

> Even though the session ID is random, there may be privacy concerns:
> some folks leave their browser running for a long time, and this
> mechanism might allow unwanted correlations to be observed. So perhaps
> there should be a preference to turn this feature off.

Then we are back to the From field ;-)

Are there any experience about using the Referer: header to analyze user
patterns? It is correct that it doesn't indicate discontinuous browsing (and
have other limitations), but I would think that continous browsing is a goal
so that users don't have to type in URLs (or even see them).

> But I believe it is cost effective: just like the junk-mail
> advertisements in your Visa bill envelope help reduce the annual
> fee on that Visa card, providing extra information in requests
> will allow information providers to increase their quality of service
> by more accurately modelling the usage of their information.

It would be unfortunate to send 'junk-mail' in HTTP - it is already very
verbose, and round trips _are_ an important factor. The only advantage in my
mind of using an ID instead of a Referer field is that it might in fact be
shorter...

--

Henrik Frystyk                                          frystyk@W3.org
World-Wide Web Consortium,                              Tel + 1 617 258 8143
MIT/LCS, NE43-356					Fax + 1 617 258 8682
77 Massachusetts Avenue
Cambridge MA 02154, USA

• Next message: Daniel DuBois: "Re: 3 Proposals: session ID, business-card auth, customer auth"
• Previous message: Joel Crisp: "Re: File upload from a Web browser"
• In reply to: Daniel W. Connolly: "3 Proposals: session ID, business-card auth, customer auth"
• Next in thread: Daniel DuBois: "Re: 3 Proposals: session ID, business-card auth, customer auth"