Re: Client <-> Server-generated Session IDs

rep@iexist.att.com
Fri, 28 Jul 95 09:00:11 CDT

Terje <Norderhaug.CHI@Xerox.com> wrote:
> At 8:10 AM 7/27/95, rep@iexist.att.com wrote:
> >I must be missing something because I don't see the connection between
> >privacy and the client vs. server generation of a Session ID.[...]
> >As long as our clients allow us to configure them not to send
> >REMOTE_USER and REMOTE_IDENT, the server won't really know who we are, will
> >they?
>
> At some point in time you might find yourself filling out personal
> information in a form. With session ids across servers it becomes possible
> to trace your exact steps on the web by merging the entries with the same
> id in the logfiles from the various services. Even more so if the id is
> kept between sessions.
>
> -- Terje <Norderhaug.CHI@Xerox.com>
> <URL:http://www.ifi.uio.no/~terjen/>

Terje:

Thanks for the explanation; now I think I understand the concern. But is
that trace likely in practice? It assumes a) that Session IDs are unique
across the entire Web (at least over the time interval of the trace), b) the
server owners (who might be competing businesses) are willing to
sell/share the log files, and c) it is worth enough to somebody to examine all
the log files of the Web looking for Session ID correlations. It seems to me
that if somebody was that interested, it would be far easier for them to buy or
steal the information from my Internet Service Provider who has access (already
correlated and unambiguously attributed to my PC/workstation) to every packet
sent and received.

Thanks again,
Randy Pitt
rep@iexist.att.com
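The correlation Terje describes, as an added example that is not part of the original thread: three unrelated services each keep a request log, the client presents the same session id to all of them, and whoever gets hold of the logs joins them on that id. The log lines, their format (`<timestamp> sid=<id> <METHOD> <path> [k=v ...]`), the server names and the form data are all constructed for illustration; none of it is a real httpd log format. The last function simulates the alternative of a server-generated id that is private to each service, to show that the same merge then yields no cross-site trace.

```python
"""Cross-server log correlation on a shared session id (added example)."""
import hashlib
from collections import defaultdict

# Constructed sample logs. Session id c7e2a9 is a client-generated id that the
# same browser sends to every server; 4b1f00 and 9a9a9a are other visitors.
SERVER_LOGS = {
    "www.news.example": [
        "1995-07-27T08:10:02 sid=c7e2a9 GET /headlines",
        "1995-07-27T08:11:40 sid=c7e2a9 GET /sports",
        "1995-07-27T08:12:15 sid=4b1f00 GET /headlines",
    ],
    "shop.example": [
        "1995-07-27T08:15:31 sid=c7e2a9 GET /catalog",
        "1995-07-27T08:17:05 sid=c7e2a9 POST /order name=A.User email=user@example.com",
    ],
    "health.example": [
        "1995-07-27T08:20:44 sid=c7e2a9 GET /conditions/asthma",
        "1995-07-27T08:21:03 sid=9a9a9a GET /conditions/flu",
    ],
}


def parse_line(server, line):
    """Parse one constructed log line: '<ts> sid=<id> <METHOD> <path> [k=v ...]'."""
    fields = line.split()
    ts, sid_field, method, path = fields[:4]
    if not sid_field.startswith("sid="):
        raise ValueError(f"no session id in line: {line!r}")
    form = dict(kv.split("=", 1) for kv in fields[4:])  # submitted form fields, if any
    return {"ts": ts, "server": server, "sid": sid_field[4:],
            "method": method, "path": path, "form": form}


def merge_logs(server_logs):
    """Merge every server's log into one time-ordered list per session id."""
    by_sid = defaultdict(list)
    for server, lines in server_logs.items():
        for line in lines:
            entry = parse_line(server, line)
            by_sid[entry["sid"]].append(entry)
    for entries in by_sid.values():
        entries.sort(key=lambda e: e["ts"])  # ISO timestamps sort lexically
    return by_sid


def cross_server_sessions(server_logs):
    """Session ids seen on more than one server: the ids that stitch a trace together."""
    return {sid for sid, entries in merge_logs(server_logs).items()
            if len({e["server"] for e in entries}) > 1}


def trace(server_logs, sid):
    """The reconstructed path of one session id across all services."""
    return [(e["ts"], e["server"], e["path"])
            for e in merge_logs(server_logs).get(sid, [])]


def identities(server_logs):
    """Personal data submitted in a form under each session id; once one
    service sees a name, every entry with that id elsewhere is attributed."""
    found = {}
    for sid, entries in merge_logs(server_logs).items():
        for e in entries:
            if e["method"] == "POST" and e["form"]:
                found.setdefault(sid, {}).update(e["form"])
    return found


def per_server_ids(server_logs):
    """Simulate server-generated ids private to each service. Here the id is
    derived from (server, client id) purely so the rewrite is repeatable; a real
    server would mint a random id. The point is only that the same visitor now
    carries unrelated ids on different servers."""
    rewritten = {}
    for server, lines in server_logs.items():
        out = []
        for line in lines:
            sid = parse_line(server, line)["sid"]
            local = hashlib.sha256(f"{server}|{sid}".encode()).hexdigest()[:12]
            out.append(line.replace(f"sid={sid}", f"sid={local}", 1))
        rewritten[server] = out
    return rewritten


if __name__ == "__main__":
    for sid in sorted(cross_server_sessions(SERVER_LOGS)):
        print(sid, "->", identities(SERVER_LOGS).get(sid))
        for ts, server, path in trace(SERVER_LOGS, sid):
            print("  ", ts, server, path)
    print("cross-server ids with per-server ids:",
          cross_server_sessions(per_server_ids(SERVER_LOGS)))
```

Run as a script, it prints the single cross-site session, the name and address it was linked to by the one form post, and the five-step path from the news site through the shop to the health site; after the per-server rewrite no id spans two logs, so the same merge finds nothing to join. The merge only needs the id to be the same string in each log, which is why an id kept between sessions, as the quoted message notes, extends the trace across days rather than minutes.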