[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: lynx-dev http referer problem
From: |
Klaus Weide |
Subject: |
Re: lynx-dev http referer problem |
Date: |
Sun, 27 Feb 2000 16:32:47 -0600 (CST) |
On Fri, 25 Feb 2000, David Woolley wrote:
[kw:]
> > If you need to have session semantics, using cookies would be a better
> > way to implement this - cookies were invented for this purpose.
>
> 1) In most cases where session semantics are required, rather than
> click trail data mining, you can embed the session ID in the URLs - the
> one argument against this is where you want to track a session across
> static pages, in which case it breaks cacheability. Embedding the
> session ID works on all browsers. Cookies are a privacy issue, because
> most cookies you receive are not used to form sessions, but to
> correlate your accesses between sessions, for market research
> purposes. (Non-persistent cookies are normally used only for sessions.)
I was of course assuming that the pages would only use non-permanent cookies,
and would adequately explain to users why they should turn cookies on so
that they can make an informed decision...
> 2) The main reasons for insisting on Referer are not normally sessions
> but:
>
> - security by obscurity [snip]
> - deep linking protection [snip]
For both of these, I would still say that implementing them with "Referer"
checking is tantamount to giving some sort of "seesion" meaning to the
"Referer" header. (Entering through the "approved" entrance door establishes
a session; accessing a page without the right "Referer" is taken as proof
that a session has not been established.)
> Note that some of the commonly available web server log analysis programs
> make a feature of using form URL keywords from Referer to provide reports
> on which AltaVista, etc., keywords were used to find the site. This, of
> course, is one of the invasion of privacy issues.
Yes, a good reason for not making REFERER_WITH_QUERY:SEND the default.
Klaus