From: Greg Broiles <gbroiles@netbox.com>
Date: Thu, 18 Jul 1996 15:28:58 +0800
To: cypherpunks@toad.com
Subject: Re: Cookie alternatives
Message-ID: <2.2.16.19960717095113.23f7981c@mail.io.com>
MIME-Version: 1.0
Content-Type: text/plain


Hal Finney wrote:

>It is interesting to consider how shopping carts might be done without
>cookies and similar technologies which allow servers to get more
>information about me than necessary.

One partial solution would be to turn cookies into nonces - instead of
using server-supplied cookies, which may or may not contain hashed/hidden
information, client software (and by extension, the human(s) in charge of it) could control the generation and modification of cookies.

Some cookie uses are predictable - e.g., "Put the current date and time in the cookie", or "Put the user's E-mail address in the cookie". The user could be presented with dialog boxes asking "Server sneaky.tricky.com would like to set a cookie which will record the date and time of this visit. OK?" or "Server sneaky.tricky.com would like Netscape to generate a random number to keep track of your visits. OK?" A switch from server-generated cookies to client-generated cookies shouldn't involve too many changes on the client software side.

(One danger which occurs to me about such a scheme is the potential leakage of client state information, assuming that the algorithm used to generate the pseudorandom cookies is or will be known to attackers.) 

--
Greg Broiles                |"Post-rotational nystagmus was the subject of
gbroiles@netbox.com         |an in-court demonstration by the People
http://www.io.com/~gbroiles |wherein Sgt Page was spun around by Sgt
                            |Studdard." People v. Quinn 580 NYS2d 818,825.