Re: lynx-dev http referer problem

[Klaus Weide]

On Fri, 25 Feb 2000, David Woolley wrote:
[kw:]
> > If you need to have session semantics, using cookies would be a better
> > way to implement this - cookies were invented for this purpose.
> 
> 1) In most cases where session semantics are required, rather than 
> click trail data mining, you can embed the session ID in the URLs - the
> one argument against this is where you want to track a session across
> static pages, in which case it breaks cacheability.  Embedding the
> session ID works on all browsers.  Cookies are a privacy issue, because
> most cookies you receive are not used to form sessions, but to 
> correlate your accesses between sessions, for market research
> purposes.  (Non-persistent cookies are normally used only for sessions.)

I was of course assuming that the pages would only use non-permanent cookies,
and would adequately explain to users why they should turn cookies on so
that they can make an informed decision...

> 2) The main reasons for insisting on Referer are not normally sessions
> but:
> 
> - security by obscurity [snip]
> - deep linking protection [snip]

For both of these, I would still say that implementing them with "Referer"
checking is tantamount to giving some sort of "seesion" meaning to the
"Referer" header.  (Entering through the "approved" entrance door establishes
a session; accessing a page without the right "Referer" is taken as proof
that a session has not been established.)

> Note that some of the commonly available web server log analysis programs
> make a feature of using form URL keywords from Referer to provide reports
> on which AltaVista, etc., keywords were used to find the site.  This, of
> course, is one of the invasion of privacy issues.

Yes, a good reason for not making REFERER_WITH_QUERY:SEND the default.

   Klaus