Re: 3 Proposals: session ID, business-card auth, customer auth

Daniel W. Connolly (connolly@beach.w3.org)
Tue, 18 Jul 1995 21:13:36 -0400


In message <9507182040.AA09151@norquay.Eng.Sun.COM>, James Gosling writes:
>>
>> ******* I. The Request-ID: header field:
>> ******* II. The business-card authentication scheme
>
>The problem I have with many schemes like this (leaving the ethical
>questions alone for now!) is that they don't work in the face of proxy
>caching.

No fair! I said there was a requisite IVth part that I didn't have
time to discuss, which is exactly this issue.

> One
>solution to have a header field in the reply that contains
>something like this:
>
> aggregate-demographics: email-addr
>
>Which if recieved by a proxy server would cause it to accumulate some
>standard set of useful-but-not-invasive statistics (if such exist!)
>about uses of the page and mail them to the email address on a
>periodic basis.

Yes, let's hammer this out, shall we? HTTP 1.1 will include a
notion of "manditory" stuff. How does one express it? I'll
fudge it for now.

I think HTTP put is as likely a mechanism as email. So perhaps
we'd see:

200 Okie fnokey
Content-Type: text/html
Mandatory: Log-To:
Log-To: mailto:web-logs@wired.com; content-type=text/x-CLFF;
interval=3600

<title>cool stuff!</title>
...

or
...
Log-To: http://www.wired.com/web-logs; content-type=text/x-CLFF
^^^^^^^^^^^^ ala form ENCTYPE

The interval parameter (in seconds) tells how often to submit the
logs; or, more precisely, how long you can hold onto log data
before giving it to the origin server.

Dan