Re: 3 Proposals: session ID, business-card auth, customer auth

Marc Hedlund (hedlund@best.com)
Tue, 18 Jul 1995 23:46:12 -0700

[a session-id can compromise user privacy...]
>1) By tracking a user from one host to another to another -- all they
>need do is find one occurrence where the user provides identifying
>information
[...]
>2) By observing patterns of behavior that reduce the possible user
>sample to one small enough wherein identity can be obtained.
[...]
>3) By associating an invariant marker with each request, the request
>set as a whole can be analyzed for other invariant markers that
>distinguish that browser from others.

Certainly (1) and to some extent (2) could be made less bothersome by
resetting the session-id with each new site to which a request is sent
(that is, a session id is invariant for all requests to a particular site,
from client startup to termination, but required to vary in requests to
each new site). Wasn't this proposed during the discussion of session-id
in January/February? I'm not seeing a need for the session-id to remain
constant between different sites.

Marc Hedlund <hedlund@best.com>
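As an added illustration of the per-site session-id Marc proposes above (my code, not anything from the thread or from any browser of the period), the client below derives its id per host from a per-run secret, so two sites comparing logs find no common token, whereas a single global id links them at once. Scoping by host, the HMAC-SHA256 derivation and the `.example` hosts are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit


class PerSiteSessionIds:
    """Id constant for one site from client startup to termination, unrelated across sites."""

    def __init__(self, run_secret: bytes = b"") -> None:
        # Fresh per-run secret, never sent anywhere; hypothetical construction, not from the post.
        self._secret = run_secret or secrets.token_bytes(32)

    @staticmethod
    def site_of(url: str) -> str:
        # Scope by host only; scheme, port and path do not change the id.
        host = urlsplit(url).hostname
        if not host:
            raise ValueError(f"no host in {url!r}")
        return host.lower()

    def session_id(self, url: str) -> str:
        # HMAC-SHA256(secret, site): stable per site, not invertible or correlatable by sites.
        return hmac.new(self._secret, self.site_of(url).encode(), hashlib.sha256).hexdigest()[:32]


class GlobalSessionId:
    """The scheme the post argues against: one id for every site during the run."""

    def __init__(self) -> None:
        self._id = secrets.token_hex(16)

    def session_id(self, url: str) -> str:
        return self._id


def linkable(log_a, log_b) -> bool:
    """Collusion check: can two sites pair up a visitor by a shared session-id in their logs?"""
    return bool(set(log_a) & set(log_b))


def simulate(client, urls_a, urls_b) -> bool:
    """Replay one client's requests against two sites and report whether their logs link."""
    return linkable([client.session_id(u) for u in urls_a], [client.session_id(u) for u in urls_b])


# Constructed sample browsing: a few requests each to two unrelated sites.
URLS_A = ["http://news.example/", "http://news.example/story/1", "http://NEWS.example/story/2"]
URLS_B = ["http://shop.example/", "http://shop.example/cart"]
```

Running `simulate` with a `GlobalSessionId` client reports the two sites as linkable, while a `PerSiteSessionIds` client does not, although each site still sees a stable id for the whole run, which is the property the post is after.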