Re: Cookie alternatives
Hal Finney wrote:
>It is interesting to consider how shopping carts might be done without
>cookies and similar technologies which allow servers to get more
>information about me than necessary.
One partial solution would be to turn cookies into nonces - instead of using server-supplied cookies, which may or may not contain hashed/hidden information, client software (and by extension, the human(s) in charge of it) could control the generation and modification of cookies.
Some cookie uses are predictable - e.g., "Put the current date and time in the cookie", or "Put the user's E-mail address in the cookie". The user could be presented with dialog boxes asking "Server sneaky.tricky.com would like to set a cookie which will record the date and time of this visit. OK?" or "Server sneaky.tricky.com would like Netscape to generate a random number to keep track of your visits. OK?" A switch from server-generated cookies to client-generated cookies shouldn't involve too many changes on the client software side.
(One danger which occurs to me about such a scheme is the potential leakage of client state information, assuming that the algorithm used to generate the pseudorandom cookies is or will be known to attackers.)
--
Greg Broiles |"Post-rotational nystagmus was the subject of
[email protected] |an in-court demonstration by the People
http://www.io.com/~gbroiles |wherein Sgt Page was spun around by Sgt
|Studdard." People v. Quinn 580 NYS2d 818,825.
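The following is an added illustration of the two ideas in Greg's message, not code from the original thread: a hypothetical client-side cookie jar that issues its own unpredictable nonces per server (so the server only ever sees a random token chosen by the client), placed next to the pitfall he warns about, a "random" cookie produced by a non-cryptographic generator seeded from the clock. The recover_seed function shows why that pitfall matters for privacy: anyone who knows the algorithm and a rough time window can recover the client's clock value from the cookie, which is exactly the client-state leakage the post mentions. Names (ClientCookieJar, weak_nonce, recover_seed) and the sample server name are assumptions made for the example.

```python
import hmac
import random
import secrets


class ClientCookieJar:
    """Hypothetical client-generated cookie store (example, not from the post).

    The client picks the value, so the server learns nothing beyond an
    opaque token it can use to recognise the same visitor again.
    """

    def __init__(self):
        self._jar = {}  # (server, cookie name) -> value

    def issue_nonce(self, server, name, nbytes=16):
        # secrets uses the OS CSPRNG, so the token reveals nothing about
        # the client's clock, memory layout or earlier tokens.
        value = secrets.token_urlsafe(nbytes)
        self._jar[(server, name)] = value
        return value

    def get(self, server, name):
        return self._jar.get((server, name))


def weak_nonce(timestamp_seconds):
    """The pitfall: a non-cryptographic PRNG seeded with the current time.

    Looks random, but the whole value is a function of one clock reading.
    """
    rng = random.Random(int(timestamp_seconds))
    return "%016x" % rng.getrandbits(64)


def recover_seed(nonce, window_start, window_end):
    """Recover the clock reading behind a weak_nonce value.

    Demonstrates the state leakage: with the algorithm known and only an
    approximate time window, the seed (the client's clock) is recovered by
    trying every second in the window. Returns None if no seed matches,
    which is what happens for a CSPRNG token from ClientCookieJar.
    """
    for t in range(int(window_start), int(window_end) + 1):
        if hmac.compare_digest(weak_nonce(t), nonce):
            return t
    return None


if __name__ == "__main__":
    jar = ClientCookieJar()
    token = jar.issue_nonce("sneaky.tricky.com", "visit")  # constructed server name
    print("client-chosen cookie:", token)

    clock = 1_000_000  # constructed timestamp
    leaky = weak_nonce(clock)
    print("weak cookie:", leaky, "-> seed recovered:", recover_seed(leaky, clock - 300, clock + 300))
    print("csprng cookie -> seed recovered:", recover_seed(token, clock - 300, clock + 300))
```

The contrast is the point: the jar's tokens are indistinguishable from one visit to the next and carry no client state, while the clock-seeded variant can be reversed into the exact time of the visit, which is the kind of information the "nonce cookie" scheme was supposed to keep from the server in the first place.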