Either you store it in a cookie which the browser passes to the server for you, or you store it in a url parameter and you (or your html / temp laying Generation framework, or some JavaScript manipulation) needs to ensure all links or other server calls like POST, will need to include that session ID passed back to the server.
And this talk about IP addresses is complete nonsense because of Proxies and NAT and a ton of other reasons. You can attempt to use it in combination with a session ID, but you certainly cannot use that alone.
Actually for most people, the browser sends enough information in the headers, ignoring cookies, to identify them as unique. You can check out an experiment about this at https://www.amiunique.org/fingerprint. Combining that with an ip gets you pretty close.
Well that’s still a form of session ID. But you are saying things like “most people” and “pretty close”, so it’s not a very good session ID, since it’s not guaranteed to be unique.
First of all, this comment chain is about being able to keep tabs on someone without storing information locally on the user’s computer. If we create a new form of session ID equivalent that doesn’t store information locally, I have achieved the goal to the problem that was raised. The issue wasn’t whether or not we needed concept of something equivalent to a session ID.
[…] will need to include that session ID passed back to the server.
Yes, that’s exactly what we used to do in the '00s. Look at softwares like osCommerce v1 and 2. We literally put money behind this method of tracking.
And this talk about IP addresses is complete nonsense because of Proxies and NAT and a ton of other reasons. You can attempt to use it in combination with a session ID, but you certainly cannot use that alone.
Yes, you can use that alone. Without session ID. The other commenter already addressed why this isn’t true. Also context matters. Pretty close is a good enough of a session ID replacement for purpose of tracking whether or not they consented to the cookie policy. If I did a concat of IP, and various fingerprints (and put a hash on it to make it shorter), I can easily reach one in trillion probabilities. I wouldn’t build a secure military website on it because it’s easily forgeable, but it’s more than enough for cookie policy popup.
Session ID is stored by the client. So…? I literally just explained how to hold uniqueness on server side without using session ID.
Tbf you still have a session ID.
Either you store it in a cookie which the browser passes to the server for you, or you store it in a url parameter and you (or your html / temp laying Generation framework, or some JavaScript manipulation) needs to ensure all links or other server calls like POST, will need to include that session ID passed back to the server.
And this talk about IP addresses is complete nonsense because of Proxies and NAT and a ton of other reasons. You can attempt to use it in combination with a session ID, but you certainly cannot use that alone.
Actually for most people, the browser sends enough information in the headers, ignoring cookies, to identify them as unique. You can check out an experiment about this at https://www.amiunique.org/fingerprint. Combining that with an ip gets you pretty close.
Well that’s still a form of session ID. But you are saying things like “most people” and “pretty close”, so it’s not a very good session ID, since it’s not guaranteed to be unique.
First of all, this comment chain is about being able to keep tabs on someone without storing information locally on the user’s computer. If we create a new form of session ID equivalent that doesn’t store information locally, I have achieved the goal to the problem that was raised. The issue wasn’t whether or not we needed concept of something equivalent to a session ID.
Yes, that’s exactly what we used to do in the '00s. Look at softwares like osCommerce v1 and 2. We literally put money behind this method of tracking.
Yes, you can use that alone. Without session ID. The other commenter already addressed why this isn’t true. Also context matters. Pretty close is a good enough of a session ID replacement for purpose of tracking whether or not they consented to the cookie policy. If I did a concat of IP, and various fingerprints (and put a hash on it to make it shorter), I can easily reach one in trillion probabilities. I wouldn’t build a secure military website on it because it’s easily forgeable, but it’s more than enough for cookie policy popup.
The point is that it’s a cookie.