JavaScript considered harmful (was Re: New online index to Beazley's tutorials)

Aahz Maruch aahz at panix.com
Tue Jan 8 10:24:54 EST 2002


In article <p1E_7.108711$2b1.4493771 at atlpnn01.usenetserver.com>,
Steve Holden <sholden at holdenweb.com> wrote:
>"Aahz Maruch" <aahz at panix.com> wrote in message
>news:a1evr7$i5l$1 at panix3.panix.com...
>> In article <mailman.1010497332.23208.python-list at python.org>,
>> Mark McEahern <marklists at mceahern.com> wrote:
>>>Aahz:
>>>>
>>>> So how do you handle it when users don't permit cookies?  You refuse to
>>>> let them have customized pages?  You still need a session ID in the URL.
>>>> Why not just give them a bookmarkable page?
>>>
>>>one approach would be to require at least session cookies.
>>
>> Why?  That's stupid.  Too many sites misuse cookies, so lots of people
>> turn cookies off.  Alex's point about cookies for storing login
>> information across sessions at least makes some sense for persistent
>> storage, but cookies for session IDs is absurd.
>
>This seems a little like a hobby-horse to me. If you are prepared to pass
>session IDs across the Internet in clear then you surely run a certain
>amount of risk of having sessions hijacked by snoopers. Security's relative,
>and while I object to the abuse of cookies for third-party web access
>tracking that doesn't mean they don't have some legitimate uses.

If you can encrypt a cookie-based session ID, you can encrypt a
URL-based or form-based session ID -- and I have.  Conversely, just
because something is a cookie doesn't mean that it's safe.  C'mon Steve,
I'm surprised at you.

>If someone can't use a cookie-enabled site because they don't accept cookies
>then that's their choice, and I'm certainly not going to try to limit their
>freedom.

I'm simply pointing out that using cookies doesn't gain site developers
much (if anything) and that *requiring* cookies loses users.  If that's
what they want, fine -- but most developers don't even *understand* this
yet.

>The REAL problem is with browsers that cheerfully respond with cookies to
>servers other than the source of the HTML page they are currently rendering.
>If every browser would allow this behavior to be switched off (and had it
>switched off by default) then the "1-pixel camera" trick would be a spent
>force and we could all stop having these discussions.

Not much argument from me.
-- 
                      --- Aahz  <*>  (Copyright 2002 by aahz at pobox.com)

Hugs and backrubs -- I break Rule 6                 http://www.rahul.net/aahz/
Androgynous poly kinky vanilla queer het Pythonista

"There are times when effort is important and necessary, but this should
not be taken as any kind of moral imperative."  --jdecker
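An added illustration of the point argued above, that a session token's protection is a property of the token itself and not of whether it rides in a cookie, a URL or a form field (example code written for this page, not from any poster in the thread). It assumes a constructed secret key and a cookie/parameter name of `sid`; either carrier is verified by the same HMAC check, and either is equally exposed to a snooper unless the transport itself is encrypted.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed server-side secret for this example only; load from config in practice.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"


def mint_token(user_id: str, issued_at: int) -> str:
    """Return a tamper-evident session token: base64(payload).base64(HMAC-SHA256 tag)."""
    payload = f"{user_id}:{issued_at}".encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def verify_token(token: str, max_age: int, now: int):
    """Return the user id if the tag matches and the token is fresh, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
        expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
        # Constant-time comparison so a forger learns nothing from timing.
        if not hmac.compare_digest(tag, expected):
            return None
        user_id, issued_at = payload.decode().rsplit(":", 1)
        if now - int(issued_at) > max_age:
            return None  # expired: limits the window a captured token is useful
        return user_id
    except ValueError:
        return None  # malformed token, bad base64, or bad payload layout


def token_from_cookie(cookie_header: str):
    """Carrier 1: pull the sid value out of a Cookie request header."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return None


def token_from_url(url: str):
    """Carrier 2: pull the sid value out of a URL query string (bookmarkable)."""
    return parse_qs(urlsplit(url).query).get("sid", [None])[0]
```

Both carriers feed the same `verify_token`; a token lifted off the wire replays equally well from either, which is why the transport, not the carrier, decides whether a snooper can hijack the session.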
