Re: Session-Id

Koen Holtman (
Tue, 25 Jul 1995 16:29:32 +0200 (MET DST)

John Franks:
>In article <>, Koen Holtman writes:
>> However, the redirection (3xx) feature in HTTP would allow cooperating
>> service providers to obtain (session-id for server,session-id
>> for server pairs where both are known (with 100% accuracy) to
>> originate from the same user agent.
>Can you explain this? I don't understand how redirection affects
>these issues.

Take a browser that has session id SA for and SB for Now
suppose the user clicks the link, which results in a
request to with session-id SA. Instead of serving a gif picture, now redirects the browser to the URL ,
embedding the session-id SA just received in the URL. The bin/grab_id
script on now extracts the session-id SB from the request
headers, the session-id SA from the URL, logs (SA,SB), and then serves the
gif (or redirects back to a which serves
the gif).

Result: knows the pair (SA,SB), and this allows and to
match clicktrails. The browser user will generally not notice that he just
gave away some privacy.

Come to think of it, the same scheme is possible without redirect, by
serving a page with an inline picture with URL

To fix this privacy problem, the browser can omit sending session-ids when
resolving redirection and loading inline images.

Of course, this will not stop and from using less accurate
and/or less stealthy methods of matching clicktrails.

>John Franks Dept of Math. Northwestern University
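The following is an added example, not part of the original message or of any browser or server mentioned in it. It models the linking scheme Koen describes (redirect variant and inline-image variant) and the proposed browser-side mitigation, so that the effect of omitting session-ids on redirects and inline loads can be checked directly. The hostnames `site-a.example` and `site-b.example`, the paths, and the ids `SA`/`SB` are constructed placeholders, since the hostnames and URLs were lost from the archived copy of the post.

```python
# Added example (not from the original post): a toy model of two cooperating
# sites linking their per-site session-ids through a redirect or an inline
# image, and of the mitigation proposed in the message (the browser omits
# the Session-Id header on redirected and inline requests).
from dataclasses import dataclass
from typing import Optional

SITE_A = "site-a.example"   # constructed stand-in for the first site
SITE_B = "site-b.example"   # constructed stand-in for the second site


@dataclass
class Request:
    host: str
    path: str
    session_id: Optional[str]   # Session-Id header value, None if omitted
    kind: str                   # "navigation", "redirect" or "inline"


class Browser:
    """Keeps one session-id per host, as in the proposal under discussion."""

    def __init__(self, session_ids, omit_on_subresource=False):
        self.session_ids = dict(session_ids)
        # mitigation from the post: do not send the id when following a
        # redirect or loading an inline image
        self.omit_on_subresource = omit_on_subresource

    def request(self, host, path, kind="navigation"):
        sid = self.session_ids.get(host)
        if self.omit_on_subresource and kind != "navigation":
            sid = None
        return Request(host, path, sid, kind)


class Servers:
    """Site A and site B cooperating; B's grab_id script logs (SA, SB) pairs."""

    def __init__(self):
        self.logged = []

    def handle(self, browser, req):
        if req.host == SITE_A and req.path == "/pic.gif":
            # redirect variant: A forwards the id it just received in the URL
            sa = req.session_id or ""
            follow = browser.request(SITE_B, "/bin/grab_id?" + sa, kind="redirect")
            return self.handle(browser, follow)
        if req.host == SITE_A and req.path == "/page.html":
            # inline-image variant: the page embeds the id in an image URL on B
            sa = req.session_id or ""
            img = browser.request(SITE_B, "/bin/grab_id?" + sa, kind="inline")
            self.handle(browser, img)
            return "page"
        if req.host == SITE_B and req.path.startswith("/bin/grab_id?"):
            # B sees SA in the URL and SB (if sent) in the request headers
            sa = req.path.split("?", 1)[1] or None
            sb = req.session_id
            if sa and sb:
                self.logged.append((sa, sb))
            return "gif"
        return "404"


def simulate(omit_on_subresource):
    """Run both variants once; return the pairs site B managed to log."""
    browser = Browser({SITE_A: "SA", SITE_B: "SB"}, omit_on_subresource)
    servers = Servers()
    servers.handle(browser, browser.request(SITE_A, "/pic.gif"))
    servers.handle(browser, browser.request(SITE_A, "/page.html"))
    return servers.logged


if __name__ == "__main__":
    print("no mitigation:  ", simulate(False))   # both variants leak (SA, SB)
    print("with mitigation:", simulate(True))    # nothing linkable is logged
```

With the mitigation enabled, B still receives SA inside the URL but never sees SB on the same request, so it cannot form the pair; this matches the last paragraph of the post, which also notes that less precise correlation methods remain available to the two sites.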