Re: 3 Proposals: session ID, business-card auth, customer auth

Daniel W. Connolly (
Tue, 18 Jul 1995 21:13:36 -0400

In message <9507182040.AA09151@norquay.Eng.Sun.COM>, James Gosling writes:
>> ******* I. The Request-ID: header field:
>> ******* II. The business-card authentication scheme
>The problem I have with many schemes like this (leaving the ethical
>questions alone for now!) is that they don't work in the face of proxy

No fair! I said there was a requisite IVth part that I didn't have
time to discuss, which is exactly this issue.

> One
>solution to have a header field in the reply that contains
>something like this:
> aggregate-demographics: email-addr
>Which if recieved by a proxy server would cause it to accumulate some
>standard set of useful-but-not-invasive statistics (if such exist!)
>about uses of the page and mail them to the email address on a
>periodic basis.

Yes, let's hammer this out, shall we? HTTP 1.1 will include a
notion of "manditory" stuff. How does one express it? I'll
fudge it for now.

I think HTTP put is as likely a mechanism as email. So perhaps
we'd see:

200 Okie fnokey
Content-Type: text/html
Mandatory: Log-To:
Log-To:; content-type=text/x-CLFF;

<title>cool stuff!</title>

Log-To:; content-type=text/x-CLFF
^^^^^^^^^^^^ ala form ENCTYPE

The interval parameter (in seconds) tells how often to submit the
logs; or, more precisely, how long you can hold onto log data
before giving it to the origin server.