Client <-> Server-generated Session IDs

rep@iexist.att.com
Thu, 27 Jul 95 11:10:12 CDT

I must be missing something because I don't see the connection between
privacy and the client vs. server generation of a Session ID.

The Session ID must be the same during a "session" (otherwise, what's the
point?), which means that a server or CGI adjunct that's interested will be
able to correlate all the selections made; enabling everything from
(possibly) interesting and profitable interactive services to collection of
marketing information that may be illegal and/or may be an
invasion of privacy. But how is this mitigated if the client
defines the Session ID? Doesn't the same ability to correlate exist? If so,
then it seems to me that server (and/or CGI script) generation is the simplest
solution (with a new environment variable to pass the returned ID to the
next CGI script).

And even with this correlation, how does the server or adjunct know who
I am (and thus be able to invade my privacy)? It can't rely on REMOTE_HOST and
REMOTE_ADDR. For some clients, they provide an unambiguous identification,
but for many (many? nearly all?) they do not; all of us behind the firewall
look the same. As long as our clients allow us to configure them not to send
REMOTE_USER and REMOTE_IDENT, the server won't really know who we are, will
they?

Regards,
Randy Pitt
rep@iexist.att.com