Re: session-id redux

Daniel DuBois (ddubois@spyglass.com)
Wed, 26 Jul 95 13:04:40 -0500


>The from field would help a lot, if it was widely implemented. The spec

As opposed to Session-Id's which are much more widely implemented. If we
are able to get the information that this is Joe Bingo clicking, do we
really need to know what session it is? Joe Bingo accessed our site now,
and an hour ago. What difference does it make if he closed down his browser
between accesses? I think Session-IDs are of questionable value if we have
From: information.

Seems to me From: should be a required header of HTTP 1.x, and that users
should have the option of sending over a legit email address or
"anonymous". I can see the preferences check box now.

>> You're probably right, there are benefits for 'knowing your customer'. So
>> run an Xterm app on your users' displays, or run a telnet-able bbs site,
>> hack HTTP into a stated machine with CGI scripts (or a specialized server)
>> and the From: header.

>The first two are not acceptable. xterm apps and bbs increase the user
>complexity and reduce the robustness of the user interface. They do not

Telnet is no more complex nor less accessible than the web. And Xterminal
applications are much more robust and customizable than the web in terms of
user interface. You have complete control of presentation on the user's
system. I like what the internet chess servers do. Distributing customized
applications for more advanced interfaces beyond what's available over an
ASCII-only telnet line. Trying to run a Chess interface on the web for the
Internet Chess Server isn't likely to work very well if at all.

I suppose after Java, (and/or keep-alives and/or push-pull,) life as we know
it will change drastically.

>I could hack HTTP and will probably have to. I suspect that I will end
>up with session-munged-URLs even though I believe this to be a fool's path.
>[...]
>My point, and the original poster's, was that this group may wish to see
>that ad-hoc solutions to session issues are not in the best interest of
>the web and should be addressed.

Well, just using the term 'ad-hoc solution' automatically puts something in
bad light. Yes, HTTP currently is poor when it comes to session issues. And?

It just seems to me that complaining that HTTP isn't friendly towards
supporting stated devices is like complaining that your screwdriver won't
pound in nails. Get a hammer.

Of course, the above is all *extremely* opinionated commentary. Feel free
to ignore.
-----
Dan DuBois, Software Animal ddubois@spyglass.com
(708) 505-1010 x532 http://www.spyglass.com/~ddubois/