Thomas Hurst <tom.hurst / clara.net> wrote

> Now, which do you think are better for privacy?  Cookies with exact
> known specifications which you can ACL and filter fairly arbitrarily
> depending on your privacy needs, or URI-encoded cookies you can't turn
> off and which a site can easily choose (without telling you) to leak to
> other sites?

I'm not going to get into the privacy debate, but the main problem
with systems that use cookies for session keys is that they don't tend
to allow for multiple sessions open at once.  I always run into
problems, for example, when trying to move money between accounts at
my bank - once I open up the receiving account to check the transfer,
all the pages of the transferring account suddenly break.  There are
no doubt ways to avoid this, but as far as I can tell most
cookie-based systems don't even try.

Avi