Bugtraq mailing list archives

Re: cache cookies?


From: Wham Bang <wham_bang () YAHOO COM>
Date: Tue, 19 Dec 2000 10:33:01 -0800

Hi,

--- Lincoln Yeoh <lyeoh () pop jaring my> wrote:
At 01:40 PM 12/18/00 -0800, Wham Bang wrote:

[...]

So you can write an entire arbitrary html document into a user's
cache (Doh :) ).
[Generate a uniquely named frame/image per user.]

Why yes, I think there are probably easier ways to "tag" users,
if that's all you wish to do.  (Another option is to have the
same image at the bottom of every page and have whatever
generates that image use a different Etag header per user,
as discussed in http://www.linuxcare.com.au/mbp/meantime/.)

One of the advantages of the "cache cookie" method is that
any page can find out your ID by running a simple bit of javascript.
This javascript is always the same, so one doesn't need to generate
every page on the fly to include some sort of session identifier
somewhere.  It is also cross-domain.

BTW, since you control access to the images that will be retrieved
for the "off" bits (not in cache), I believe you can make this a lot
more reliable than the samples that try to find out whether or not
you've visited some *other* site. Simply introduce some deliberate
delay when you serve out the images.  That way you'll avoid any
false positives that might result from a super-fast response from
your server.

But I was just trying to explain what the authors were getting
at and what they meant when they said "cache cookie".  A lot
of people didn't seem to see how this could be used to store
information surreptitiously.  I agree it's pretty academic.

Later,

=====
Wham! <wham_bang () yahoo com>
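
The per-user ETag tagging mentioned in the message above can be spotted from the defender's side. This is an added example, not part of the original post: it flags URLs whose bytes are identical for every client while the ETag differs per client. The record layout (client, URL, ETag, body hash), the function name and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (client_id, url, etag, body-hash prefix) as a logging
# proxy might record responses. Every value here is made up.
SAMPLE = [
    ("client-a", "http://site.example/footer.gif", '"u-1001"', "9f2c"),
    ("client-b", "http://site.example/footer.gif", '"u-1002"', "9f2c"),
    ("client-c", "http://site.example/footer.gif", '"u-1003"', "9f2c"),
    ("client-a", "http://site.example/logo.gif", '"v7"', "41ab"),
    ("client-b", "http://site.example/logo.gif", '"v7"', "41ab"),
    ("client-c", "http://site.example/logo.gif", '"v7"', "41ab"),
    # Different ETags here are legitimate: the bodies really differ.
    ("client-a", "http://site.example/news.html", '"n1"', "c001"),
    ("client-b", "http://site.example/news.html", '"n2"', "c002"),
]


def find_tagging_etags(records, min_clients=2):
    """Return {url: {client: [etags]}} for URLs where the same bytes were
    served to several clients but no ETag was ever shared between clients."""
    # (url, body hash) -> client -> set of ETags that client received
    by_body = defaultdict(lambda: defaultdict(set))
    for client, url, etag, body in records:
        by_body[(url, body)][client].add(etag)

    suspicious = {}
    for (url, _body), clients in by_body.items():
        if len(clients) < min_clients:
            continue  # one observer cannot show per-user variation
        # An honest validator describes the content, so everyone who got
        # the same bytes should see the same ETag.
        owners = defaultdict(set)
        for client, etags in clients.items():
            for etag in etags:
                owners[etag].add(client)
        if all(len(who) == 1 for who in owners.values()):
            suspicious[url] = {c: sorted(e) for c, e in clients.items()}
    return suspicious


if __name__ == "__main__":
    for url, tags in find_tagging_etags(SAMPLE).items():
        print(url, tags)
```

For a flagged URL, a proxy that drops the `ETag` response header and the `If-None-Match` request header stops the browser from replaying the per-user value.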





