in reply to Re: Re: The sound of one cookie (not) authenticating
in thread The sound of one cookie (not) authenticating

Arturo:

You hit the nail on the head with my issues here, and why I'm somewhat stumped. This isn't an exercise, and I think probably a lot of people with minimal e-commerce sites are in my situation, though they may not be as much of a purist as I.

I may end up just going back to cookies. I do like the "store session id in form data" idea mentioned a couple of answers back, though I need to think fully through the security ramifications.

I'll report back on what I decide to do.

Re: Re: Re: Re: The sound of one cookie (not) authenticating
by arturo (Vicar) on Apr 03, 2001 at 17:32 UTC

    Not that I meant to be yelling "homework!" 'Cos even if it was homework, I think you're asking the right kind of question in the right kind of way (it's not a 'write this code for me' kind of question, it's a "how the heck would I do this?" question).

    AFA cookies and 'purism' go, since the cookie is used only to verify that this is indeed the same client program as before (and otherwise holds no info about the user), you could tell your users that your site uses cookies, for what purpose, and tell them that they're not otherwise used to track the user or gather information about them. Give them links to erase their sessions, etc.

    Last gasp: I don't know how the user gives you payment information, but if you have SSL, there's some more session ID possibility in that ...

    Philosophy can be made out of anything. Or less -- Jerry A. Fodor