
RE: Re: Cookies at XML Europe 2004 -- Call for Participation

  • To: <bob@w...>,"Rich Salz" <rsalz@d...>,"Elliotte Rusty Harold" <elharo@m...>
  • Subject: RE: Re: Cookies at XML Europe 2004 -- Call for Participation
  • From: "Joshua Allen" <joshuaa@m...>
  • Date: Mon, 5 Jan 2004 15:06:52 -0800
  • Cc: "Edd Dumbill" <edd@u...>,"David Kunkel" <DKunkel@i...>,"XML-DEV" <xml-dev@l...>
  • Thread-index: AcPT3IyXbjzRVWfbSvmrybSNbSP/OQAAuQsQ
  • Thread-topic: Re: Cookies at XML Europe 2004 -- Call for Participation

Your privacy argument is fairly bogus -- the cookie still gets sent on
the wire in the clear with every request.  In any case, there is a
difference between passing "private data" as state between client and
server on every request (which is bad whether done with cookies or URL)
and using a session token to match a client with server state, which is
what I described.  The latter is absolutely essential in any non-trivial
web application.  I'll admit that there are reasons you would prefer to
store a session token in a cookie rather than URL, but not for the
reasons you describe (referrers can be easily managed).  Embedding state
(especially transient state prone to expiration such as authentication)
makes it difficult to bookmark things, compare URIs, etc -- in short
violates REST.

> -----Original Message-----
> From: Bob Wyman [mailto:bob@w...]
> Sent: Monday, January 05, 2004 2:35 PM
> To: Joshua Allen; 'Rich Salz'; 'Elliotte Rusty Harold'
> Cc: 'Edd Dumbill'; 'David Kunkel'; 'XML-DEV'
> Subject: RE:  Re: Cookies at XML Europe 2004 -- Call for
> Participation
> 
> Joshua Allen wrote:
> > The login token stored in the cookie
> > can always be embedded in the URL path,
> 	One of the original motivations for doing cookies was to
> remove "state information" from the URL so that it wouldn't compromise
> privacy by showing up in referral string information. If you embed
> "cookies" in URLs you end up leaking private data between sites. This
> is not good.
> 	See www-talk archives for 1994 or so to see the discussions on
> "state management" (i.e. cookies).
> 
> 		bob wyman
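
An added example, not part of either message above: a Python access-log audit for the two effects the thread argues over, session tokens carried in request URLs and tokens arriving from other sites in the Referer header, plus the token stripping needed before URIs can be compared. The `;jsessionid=` path parameter, the query names, the hosts and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed token carriers: the servlet-style ";jsessionid=" path parameter and a
# few common query names. Adjust both to the application being audited.
PATH_TOKEN = re.compile(r";jsessionid=[^/?#;]+", re.IGNORECASE)
QUERY_TOKEN_NAMES = {"jsessionid", "phpsessid", "sid", "sessionid"}
# Request target and Referer from a combined-format access log line.
LOG_LINE = re.compile(r'"[A-Z]+ (\S+) [^"]*" \d{3} \S+ "([^"]*)"')

def strip_session_token(url):
    """Return (url_without_token, token_was_present)."""
    parts = urlsplit(url)
    path, hits = PATH_TOKEN.subn("", parts.path)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.lower() not in QUERY_TOKEN_NAMES]
    found = hits > 0 or len(kept) != len(pairs)
    clean = urlunsplit((parts.scheme, parts.netloc, path, urlencode(kept), parts.fragment))
    return clean, found

def audit(lines, own_host):
    """Yield (line_no, finding, redacted_url) for each token seen in a log."""
    for no, line in enumerate(lines, 1):
        m = LOG_LINE.search(line)
        if not m:
            continue
        target, referer = m.groups()
        clean, found = strip_session_token(target)
        if found:  # our own URLs carry the token: it lands in logs and bookmarks
            yield no, "token-in-request-url", clean
        clean, found = strip_session_token(referer)
        if found and urlsplit(referer).hostname != own_host:
            # another site's token reached us through the Referer header
            yield no, "foreign-token-in-referer", clean

# Constructed sample log lines (hosts and token values are made up).
SAMPLE = [
    '192.0.2.1 - - [05/Jan/2004:15:06:52 -0800] "GET /cart;jsessionid=A1B2C3?item=7 HTTP/1.1" 200 512 "-" "UA"',
    '192.0.2.2 - - [05/Jan/2004:15:07:10 -0800] "GET /index.html HTTP/1.1" 200 900 "http://shop.example/view?sid=deadbeef&p=2" "UA"',
    '192.0.2.3 - - [05/Jan/2004:15:07:30 -0800] "GET /about HTTP/1.1" 200 300 "http://www.example.org/index.html" "UA"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, own_host="www.example.org"):
        print(finding)
```

The findings carry the redacted URL only, so the audit output does not become a second copy of the tokens.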

