Slashdot Mirror


Wildcard DNS, Session Management And Prior Art

Alowishus asks: "A company called sevenval has an interesting, but obvious, use of Wildcard A-Records in the DNS to encode Web session management IDs in the hostname of the site. Interesting, because if you are using relative URLs on your site, you do not need to do anything (i.e. setting a cookie or appending GET parameters) after the initial redirect to maintain a user session. See www.fahrschulportal.de for an example. Sevenval is applying for a patent on this technique, and Kristian Kohntopp, the author of a PHP session management library, is looking for prior art. He would like to find uses of hostnames that encode state or session information. Has anyone seen this before? It's an exceptionally useful technique, and I'd hate to see its use restricted by another improper software patent."

177 comments

  1. Re:No use for secure systems. by Anonymous Coward · · Score: 0

    You don't actually need to encrypt the names/queries, you can just authenticate them by appending a cryptographic checksum (for which only the web server knows the key). This allows the web server to make sure that a user hasn't edited anything. The server could also include the user's IP address in the name to make it more difficult for me to copy your bookmarks and thereby impersonate you. All of this unfortunately makes names longer.
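The scheme described in comment 1, as an added example that is not part of the original thread: a session hostname whose label carries a random session ID plus a keyed checksum (HMAC) over the ID and the client's IP address. The key handling, the domain `shop.example`, the field sizes and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed values for this sketch; none of them come from the thread.
SERVER_KEY = os.urandom(32)   # secret known only to the web server
BASE_DOMAIN = "shop.example"  # zone carrying the wildcard A record
SID_BYTES = 10                # 80-bit random session ID
TAG_BYTES = 16                # HMAC-SHA256 truncated to 128 bits
MAX_LABEL = 63                # longest single label DNS allows


def _b32(raw):
    # Hostnames are case-insensitive, so lowercase base32 is used
    # instead of base64 (which would not survive case folding).
    return base64.b32encode(raw).decode("ascii").rstrip("=").lower()


def _unb32(text):
    # Restore the padding that _b32 stripped before decoding.
    return base64.b32decode(text.upper() + "=" * (-len(text) % 8))


SID_CHARS = len(_b32(bytes(SID_BYTES)))  # 16 characters
TAG_CHARS = len(_b32(bytes(TAG_BYTES)))  # 26 characters


def _label(sid, client_ip, key):
    # The checksum covers the session ID and the client address, so a
    # hostname copied to a machine with another address fails to verify.
    msg = sid + b"|" + client_ip.encode("ascii")
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_BYTES]
    return _b32(sid) + _b32(tag)


def make_session_host(client_ip, key=SERVER_KEY, sid=None):
    """Build the hostname a new visitor is redirected to."""
    if sid is None:
        sid = os.urandom(SID_BYTES)
    label = _label(sid, client_ip, key)
    if len(label) > MAX_LABEL:
        # The "names get longer" cost: the label must still fit in DNS.
        raise ValueError("session label exceeds the 63-character DNS limit")
    return label + "." + BASE_DOMAIN


def verify_session_host(host_header, client_ip, key=SERVER_KEY):
    """Return the session ID bytes if the Host value is authentic, else None."""
    host = host_header.split(":", 1)[0].rstrip(".").lower()
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        return None
    label = host[: -len(suffix)]
    if len(label) != SID_CHARS + TAG_CHARS:
        return None
    try:
        sid = _unb32(label[:SID_CHARS])
        expected = _label(sid, client_ip, key)
        # Compare the whole canonical label in constant time; this also
        # rejects alternative encodings of the same checksum bytes.
        ok = hmac.compare_digest(label.encode("ascii"), expected.encode("ascii"))
    except ValueError:
        # Not base32, or not ASCII: treat as a forged or mistyped name.
        return None
    return sid if ok else None


if __name__ == "__main__":
    host = make_session_host("192.0.2.10")  # constructed sample address
    print(host)
    print(verify_session_host(host, "192.0.2.10") is not None)  # same client
    print(verify_session_host(host, "192.0.2.99") is None)      # copied link
```

The checksum only stops editing and guessing of names; the hostname itself still travels in clear text in DNS queries, as comment 22 points out.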

  2. What about . . . by Anonymous Coward · · Score: 0

    U.S. Patent No 5,961,601 filed June 7, 1996 and issued to IBM on Oct 5, 1999. It has a lengthy discussion of server side processing to dynamically rewrite URLs to incorporate state information.

  3. Check the patents of InterVU, Inc. by Anonymous Coward · · Score: 0


    I know for a fact that InterVU (now merging with Akamai) has patents on doing a *very* similar function with Web links ("Smart Link Technology"), and *may* have extended this concept to host naming.

    (How do I know? I did some contracting for them while they were still in their pre-IPO garage startup phase, before they became a billion dollar property. Sure wish I had more stock...)

    - BobC
    rcunning@acm.org

  4. Someone E-mail the owner of the site by Anonymous Coward · · Score: 0

    Yes, it won't work in NS 4.7 or Mozilla, but it works fine in NS 3.0 here ... Someone should e-mail the owner of the site about the patent.

  5. Re:Calculator in the URL by Anonymous Coward · · Score: 0
    > I'm using NS4.7... This isn't working for me. Any tips?

    I'm using Netscape 4.61, and it works fine for me. Maybe you should downgrade.

  6. Re:On a related abuse of DNS... by Anonymous Coward · · Score: 0
    Dammit! You made me break the law! Now my nameserver has cached it... geez...

    You will hear from my lawyers

    :)

  7. Re:IM SO SICK OF PEOPLE COMPLAINING by Anonymous Coward · · Score: 0

    yay! someone who has actually thought/does know about the area they are talking about. That most slashdot contributors on patents have little to no knowledge of the area simply indicates their arrogance. Just because you are a tech does not mean you know the law.

    btw- would this person have developed this if they couldn't patent it? Or would they wait a couple of weeks for you to work your ass off and then take it? What if all the world waited for somebody else to do it, cause it would be cheaper to borrow than to make?

  8. I've got a better idea... use wildcard PTRs! by Anonymous Coward · · Score: 0

    $ORIGIN in-addr.arpa.
    * IN PTR www.slashdot.com.

    See you after the next root server reload! :)

  9. It's a good and novel idea by Anonymous Coward · · Score: 0

    So what if other people were doing stuff with DNS.

    Good ideas are usually "obvious" after you see them.

    By using wildcard DNS there really isn't much, if any, performance impact.

    Technically it's a good way to maintain sessions even when hitting static pages. It's not much uglier than using session IDs in URLs.

    HOWEVER, it may confuse people a bit when they're trying to figure out what to type to go to the website.

    Trouble is, it sure makes adding new (and different) sites to a nice domain a tad harder ;).

    Verdict:
    I think it's a novel idea. Putting together old stuff in new ways can be patentable.

    The real trouble with software patents and copyrights is that the durations are too long. 10+ years for software patents is too long. 50 years for software copyright is WAY too long.

    Copyrights and patents are supposed to achieve a balance between rewarding the inventor and passing the benefits to the public. I'm sure you'll agree that nowadays if you don't make money from the software in 5-10 years, you don't deserve to :).

    Cheerio,
    Link.

  10. How about all the easy.to and come.to sites? by Anonymous Coward · · Score: 0

    Although not using it for session tracking, we are using it for user tracking. For example, http://ian.i.am is my baby's personal page, and although it is not tracking the session it is tracking the user through the use of HTTP headers and a wildcard IN A record.

    --
    Linux - The most effective Service Pack for NT

  11. DNS entries for instant messager state by Anonymous Coward · · Score: 0

    Around November 1998(?), there was a rather lengthy (albeit caffeinated) discussion on Slashnet #slashdot (later on #gnucq) about using DNS entries to store user data for a quick, crude instant messaging system. Does anyone have logs of this?

    -XeF4 unable to retrieve password until the DNS entry for epilogue.org refreshes

  12. Re:Not quite the same (This is) by Anonymous Coward · · Score: 0
    This is EXACTLY the same and has been around since early 1998.

    http://download.allaire.com

  13. Re:Clown lectures Slashdot over Prior Art... by Anonymous Coward · · Score: 0

    > All of you tech clowns say the same thing...
    > Has anyone actually done this before? Not.

    I'm sick of all you non-tech clowns who don't even bother to read the discussion before making fun of tech clowns. Yeah. There is prior art. So there.

  14. Re:Possible candidate by Anonymous Coward · · Score: 0

    Well seems to me that they have a gross bug in their script. Try:

    http://anything.that.really.fucking.sucks.really.fuckingsucks.net/

    Probably their perlre uses .*? instead of .* ...

  15. Zork in DNS... by Anonymous Coward · · Score: 0

    Anyone know where to find that old, incomplete implementation of Zork through DNS?

    I'm not joking. It existed. I can't find it now... sigh...

  16. unpoison by Anonymous Coward · · Score: 0

    ok, I am the guy who wrote the unpoison.pl and the webpage.

    as a cheap plug I want to reply to lots of the requests about the implementation by referring to my site (http://www.lemuria.org/Software/unpoison) since it shows how this can be done in around 9 lines of code.

    I do agree that I'm a bit paranoid. I was trying to list all the points AGAINST Location Poisoning, since 7val themselves do a good job at listing the pros. :)

    one of the main reasons I reject the patent application is that this is a TRIVIAL patent. much like the 1-click-shopping. I figured out the 9 lines required to implement it ON THE TRAIN with nothing but a sheet of paper, and it took me about 10 minutes. and I have not had any access to their software.
    this is not an innovation, it is a standard IT procedure - given a goal, find a way to do it.

    thanks to the guy who mentioned junkbuster. I'll talk to them immediately.

  17. Prior Art (identifier in domain name) by Anonymous Coward · · Score: 0
    Do a search for @temp****.myriad.ml.org. There was a guy encoding an identifier in the domain name of e-mail addresses as a way to catch spammers. All the domains pointed back to the same host, but each spammer got their own cookie, so he could see who was collecting addresses.

    This was about three years ago; ml.org is gone now of course.

  18. hey cliff by Anonymous Coward · · Score: 0

    try using AOL before you post. i know it's not a nerd way, but TRY ONCE BEFORE YOU POST!

  19. Re:New Patent law by Anonymous Coward · · Score: 0

    Oh yeah, isn't that a fucking great idea. I can just imagine them sitting around at major companies going "Ooh, we'd better post our new patent idea on Slashdot, because it is such an informed site filled with people who have a clue and who would happily assist us in obtaining this patent." Although you probably haven't left your bedroom in several years (and are probably not able) there is a world apart from /. you know, where people work and go out with friends.

    P.S. You should probably stop masturbating.

  20. privacy violation and laws by Anonymous Coward · · Score: 0

    two things that haven't been mentioned so far:

    the whole Location Poisoning scheme is a mighty tracking system. since your ID stays the same among various sites, they can cooperate and pool the data you entered. your address here, your buying habits there, a questionnaire over there and the words you entered in that search engine - doubleclick was nothing, they only got the sites you visited.

    7val claims that they'll require customers to sign a contract that they won't do that. which to me has the base purpose of removing *7val* from responsibility. this SCREAMS abuse. I bet it will be used for profiling as described above.

    now since (2nd thing not mentioned) 7val is in germany and applying for european patent, the EUROPEAN patent law applies, NOT the US which has been quoted here.
    in european patent law, patents can be refused if they are overtly abusive. for example, you couldn't patent something if its only use is illegal.
    since Location Poisoning begs to be abused, and the "advantage" of following visitors even when they leave your site is one of its strong marketing points, I do believe a point can be made for the patent to be abusive in nature.

  21. Re:This will screw up filter software. by Anonymous Coward · · Score: 0

    Is all this looking at porn sites directly correlated to your sore hands? I think it is.

  22. No use for secure systems. by Anonymous Coward · · Score: 0

    This technique has a fatal flaw. It cannot be used for any secure transaction to identify the customer. That's because DNS queries are not encrypted! Other than that it is kind of neat but I am sure that ways can be found to do slight modifications of it that aren't patentable.

  23. clever, or not? by Anonymous Coward · · Score: 0
    Even though I must admit that this appears to be a clever scheme, after a few minutes of casual thought, several glaring problems emerge:

    • Breaks bookmarks, or better yet I can't easily remember URLs buried in a site. Users won't put up with a site that uses this.
    • No persistence. So what if you can track me anonymously through a browser session. If I restart my browser, visit the site again, I am given a new hostname, since the server simply sees me as a new visitor.

    I won't reiterate the issues with caching, spiders, images, performance, etc. etc. since those have already been hashed over plenty well here.

    Most websites today want to personalize and customize the user experience, and make it sticky. Keeping that in mind, this technology does nothing to solve that issue. Unfortunately, the only way to do this effectively is through persistent cookies.

    Given these points, I would think that there may not be too many customers in search of this product. The only people I can think of who may want this are sites that experience, and wish to promote heavy anonymous visitor traffic, and who feel that the use of non-comprehensible URLs won't scare away customers.

  24. Re:This will screw up filter software. by Anonymous Coward · · Score: 0

    You seemed obsessed with sorehands and porn sites. Why is that?

  25. Re:Looking at the arguments by Anonymous Coward · · Score: 0

    Actually, proxy servers are not very effective with any form of dynamic content. The DNS argument holds some weight.

    As for bookmarks, it's a huge problem. If I can't get back to something I was looking for, I'll probably just give up and shop elsewhere. (www.sun.com had this problem for a while. Ugh.)

  26. Re:Improper? by Anonymous Coward · · Score: 0

    I have to admit, if no one can find some relevant prior art on this, I think it definitely is not an improper patent. Think about how much work has been done on session tracking so far, a TON. Books cover it extensively, and if this turns out to be a seriously new way of doing it, I don't think we should fight this. And you know why? If there is no prior art and we fight this, it's just a case of "aww, that's cool, i wanna use it too!", and it cheapens and weakens the fight against Amazon and other genuinely improper patents. That's the simple fact. If we want companies to respect our views on patents, there's no use going crazy against every single web patent. That just shows that we don't respect the patent system at ALL (and i'm sure some people don't), and will just make them go "know what? fuck it. who cares about them then, we have nothing to gain from them, they won't even leave us alone on GOOD patents.".

  27. Prior Art by Anonymous Coward · · Score: 0

    I'll just throw this out here. How is this any different from CDE session management? Or for that matter any X session?

  28. Re:Improper? by Anonymous Coward · · Score: 0

    Just because it's obvious doesn't mean someone will use it. As previous posters have pointed out, location poisoning isn't a very smart idea after all. The drawbacks outweigh the benefits.

  29. Re:Prior Art... by mkaminer · · Score: 0

    IM SO SICK OF PEOPLE COMPLAINING

    All of you tech clowns say the same thing. Oh it's not obvious, oh it's so easy. You are all using HINDSIGHT to do this. Of course it is obvious, once you see how to do it. But YOU didn't come up with it yourself. THAT'S why the OTHER person gets the patent.

    And another thing, how does everyone know about this patent if it has not been issued? Stop your bitching and start inventing. Think about it:

    1. The invention must be NOVEL. (35 USC Sec. 102) Has anyone actually done this before? Not. Oh, I saw that once in X-windows (that's not the same thing). It doesn't seem so.
    2. The invention must be USEFUL. (35 USC Sec. 101) Anything is useful. It doesn't have to be useful to you, but useful to SOMEONE.
    3. The invention must be NONOBVIOUS. (35 USC Sec. 103) This means THAT: it would not HAVE BEEN obvious to one of ordinary skill in the art. Notice the HAVE BEEN. That means, at the time the patent was filed, not using YOUR HINDSIGHT.

    SO, if there is a reference that discloses this, then produce it. Otherwise, you are using your own hindsight to make flighty comments. GEEZ!

    --
    I Luv Cow-culators!
  30. Re:unpoison --- What about the search engines? by Anonymous Coward · · Score: 1

    I'm wondering how the search engines treat this. Will they traverse the pages even though they have a different hostname? And if so, each page could be spidered across an infinite number of times, making a really bad recursive puzzle for a spider. (Either a lot of pages will be double cached, or a lot of pages will be missed because it gives up, or both.)

    Is this a search engine advantage or disadvantage?

    BTW... I do like the idea of wildcard DNS hostnames, oddly enough. If there is no prior art, hats off to this guy.

  31. Good thing by Anonymous Coward · · Score: 1

    It might be a good thing if they really got their patent. Then other sites could not just use this technique and our caches will be kept clean.

    1. Re:Good thing by innocent_white_lamb · · Score: 1

      > It might be a good thing if they really got their patent. Then other sites could not just use this technique and our caches will be kept clean.

      This is actually a good point. The Internet, as we all know, operates on open standards. So when some "helpful" person manages to get a patent on something the most sensible (imho) way to deal with it is to just pat him on the head and say, "That's nice, run along now" and then proceed to (continue to) do things using open standards. If the existing standards aren't doing the job or aren't sufficiently open, then invent new ones that meet the needs of the moment.

      The URL structure wasn't handed down by Moses on stone tablets, and it's not a tradition that's been handed down from anyone's great-great-grandfather who immigrated from Hungary in 1857. When it comes to computers it seems there are a million-and-one ways to skin any particular cat.

      The perceived "problem" with patenting computer algorithms and so on will be self-correcting over the longer term simply because those doing the patenting will discover that nobody will care. "You patented X? Ok, we'll just use Y, so go sit in your corner and play with X all by yourself. Bye now." See?

      --
      If you're a zombie and you know it, bite your friend!
  32. Now aren't session vars in URLs prior art? by Anonymous Coward · · Score: 1

    The usual session tracking does exactly the same: include a session identifier anywhere in the URL. Is it really a new idea just because 7val includes the session identifier at the beginning of the URL?

    I think not! The fact that you have to use a wildcard DNS entry and some scripts to rediscover the session identifier in this part of the URL doesn't make it patentable, IMHO.

    Just compare:
    http://12345.myhost.com/blah.htm
    http://www.myhost.com/12345/blah.htm
    http://www.myhost.com/blah.htm?s=12345
    http://www.myhost.com/blah.cgi/12345

    I don't see the big difference...

    1. Re:Now aren't session vars in URLs prior art? by Tom · · Score: 1

      there actually is a difference.

      the last two require that you change your links. the second might be accomplished with some nifty rewriting and might work very much like the first (7val) without the DNS trouble. it'll still break caching.

      --
      Assorted stuff I do sometimes: Lemuria.org
    2. Re:Now aren't session vars in URLs prior art? by kvoigt · · Score: 1

      Of course you forgot one other method:

      http://www.myshop.com:625/some/file.html

      I wouldn't be too surprised if someone would get a patent on this _unguessable_ way to store a session identifier into the URL.

      It is indeed very much the same to fetch the session id from the URL, regardless where it's located. And making a redirect to such a URL in case no session id is present, is also no rocket science. All this will be less than 10 lines of code.

      The DNS method combines two advantages: You don't need to produce relative links, and you don't have to rely on cookies.

      But I don't think that it's worth a patent, it's really obvious. And if anything that is not too complicated would be patented, we would need even more lawyers than we already have.

      I hereby claim the patent on putting beer into the fridge.

      Kai

  33. Re:unpoison (not depoison) by Anonymous Coward · · Score: 1

    this is Tom, so let's try to clarify some of my points:

    in general, yes I am picky about standards and abusing things. I'm not a friend of inventing your own stuff on top of standards, and while netscape's HTML add-ons aren't that bad, don't forget about stuff like layers (anyone using them?) or M$'s marquee tag.

    states on HTTP: there is a fundamental difference between cookies and Location Poisoning. cookies reside on my machine and get served through my webbrowser - they are under MY control (it doesn't count that the user might be too stupid to use that control). cookies also get actively read on the server - some cgi, PHP3 or whatever must evaluate them, so the programmer IS ALSO in control. Location Poisoning removes control from both programmer and customer. which means that neither has the option to DISABLE it.

  34. Amazon.com has been doing cookie tasks w/o cookies by Anonymous Coward · · Score: 1

    As soon as you go to amazon.com, you're redirected to a URL with a unique cookie embedded in that URL (why muck with DNS?). This lets amazon keep track of stuff in your cart ***WITHOUT*** requiring cookies to be enabled. Other sites cannot fetch these "quasi-cookies" back since they no longer exist once you leave amazon (save maybe the 1st site from the referer URL, but not the 2nd, 3rd, nth sites down the line). IMO, this is the RIGHT way to do things that has traditionally required cookies (the minimalist solutions are beautiful). WHY CAN'T OTHER WEB STORES DO THIS including fatbrain (revered on slashdot), dvdexpress, etc. I HATE COOKIES. And I have not shopped at web sites that require them unless they're waaay cheaper than amazon (Hint, hint, retailers). There is really very little that absolutely requires cookies to accomplish, and with the potential for tracking abuses and use for evil, they are best left disabled. And the amazon style cookies can even be bookmarked thus saving data between visits on *their* side of the connection. Name me one useful thing that can't be done without cookies.

  35. what i want... by Wakko+Warner · · Score: 1
    is DEADBEEF.ipt.aol.com.

    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  36. Other ways to accomplish the same thing... by i,+Mac · · Score: 1

    Personally, I think the unpoison guy is a little paranoid. He does make some valid points about DNS issues and non-cacheability, however; I tested this exact same idea about a year ago (3453453454.suchandsuch.com) and probably a bunch of other people did too, but abandoned it for various reasons, including those above.

    There are ways to do this using mod_rewrite, and they're probably better for ya in the long run.

    I don't think it's unique enough an idea to support a patent, especially considering the way in which it is implemented: a wildcard DNS. _That_ has a lot of prior art.

    1. Re:Other ways to accomplish the same thing... by Logic · · Score: 1
      > He does make some valid points about DNS issues and non-cacheability

      Actually, intelligent site design gets around the cacheability aspect; simply refer all your images (or other multimedia content, such as audio or video) to the master host by explicit URL references. Or, better yet, send all "large data" requests to a separate hostname entirely, which you could then optionally build out as a distributed file-serving cluster to handle increasing demand over time.

      --
      -Ed Felix qui potuit rerum cognoscere causas.
  37. Prior Art (was: Calculator in the URL) by bodin · · Score: 1
    Hi there!

    This is really OLD stuff.
    I put the calculator in the URL up along with rfc-in-a-url, clock-in-a-URL, and my calculator-in-a-URL up in 1998!

    DYNAMIC URL:S ARE AS OLD AS SLICED BREAD.
    A patent of this would be as silly as trying to patent dynamic content in the webpages or decimal URL:s (http://195.3565592/). My site is more than 1 year of prior art.

    /Magnus Bodin - owner of x42.com, calculator-in-a-URL, etc.
    http://x42.com/
  38. Re:Calculator in the URL by bodin · · Score: 1

    It works in any netscape browser 2.04+

    BUT: Some proxies, firewalls etc block WEIRD chars in urls, like $, and parentheses.

    /magnus

  39. Re:This is real nit-picking, but... by osu-neko · · Score: 1
    > Patent laws need to be fixed, but that doesn't mean all patents are bad.

    But all patents are bad! Copyrights protect specific expressions of an idea, and that's a good thing. Patents protect an idea itself, and this takes the idea of intellectual property way too far. Nobody should own an idea, at best you should own your expression of it. I do not believe there is such thing as a proper use of patent law -- the idea is flawed to begin with. Software patents are not a special case, requiring patent law to be fixed. They simply make more glaringly obvious the flaws that have always existed in patent law. It's a bad idea from the start. It shouldn't be fixed, it should be dropped...

    --
    "Convictions are more dangerous enemies of truth than lies."
  40. My creations... by Penguin · · Score: 1

    This may not entirely be in the same category, but just to show some usage of *.domain.tld:

    Inspired by a "useless trick of the year"-page, which gave the possibility of making mathematical calculations only using the hostname, I got inspired about a year ago to make my own utilities.

    My domain is trc.dk (a Danish roleplaying club; nevermind that :-) - and I've made the following possibilities, using a *.trc.dk-record, and some PHP to react on the HTTP_HOST-env-variable:

    http://something.a.trc.dk/
    Perform a search for "something" in AltaVista

    http://something.b.trc.dk/
    Perform a search for "something" in AltaVista (text-only)

    http://something.g.trc.dk/
    Perform a search for "something" in Google

    http://something.l.trc.dk/
    Perform a search for "something" in Google, using the "I Feel Lucky-feature"

    http://something.i.trc.dk/
    Perform a search for a movie named "something" in IMDb (Internet Movie Database)

    http://something.j.trc.dk/
    Perform a search for "something" in Jubii (Danish search-engine)

    http://someone.k.trc.dk/
    Perform a lookup for the name "someone" in an edition of the Danish "White Pages"

    http://slashdot.org.s.trc.dk/
    Perform a check of what webserver, "slashdot.org" is running.

    http://slashdot.org.q.trc.dk/
    Perform a HTTP-query for "slashdot.org"

    These "tools" have been a great aid, and saved a lot of time. There really isn't any reason first going to the Altavista/Google/IMDb-frontpage, just to submit some data. Then rather go to the result-page.

    Oh yeah, I like bookmarklets too :-)

    --
    - Peter Brodersen; professional nerd
  41. STEEM did something like this awhile ago... by gid · · Score: 1
    We did something like this for Developbusiness.com. So you can type in http://slashdot.developbusiness.com and get redirected to an intranet of the company "slashdot". I wrote some code that would tear apart the url that the client said it was coming from, and set a cookie of the company name "slashdot" on the browser, and do a header redirect, point the client to the real url "http://developbusiness.com". I thought it was pretty ingenious myself at the time, since you only stay at the fake url for a bit, you don't encounter many "Location poisoning". Since then, we have heard of intranets.com doing a similar thing, although I never really researched much what they were doing, since I was only a programmer, not someone bent on stealing technology of the competition... :) Unfortunately due to situations way beyond my control, developbusiness.com was shut down by the owners. (they just contracted us out to design and program the site) Oh well things like that happen, and I worked my ass off on that site too, along with only one other programmer and one designer.

    I think you can still take a look at a demo copy of it in our portfolio. Located on http://STEEM.COM. Check out... it's a beautiful page that unfortunately I had nothing to do with designing. :)

  42. When it comes to patents.... by unitron · · Score: 1

    When it comes to patents, someone's always getting knifed in the back or forked over.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  43. Re:IM SO SICK OF PEOPLE COMPLAINING by pen · · Score: 1
    This seems to bring up another interesting point. Although we should be upset that a patent is being filed for this obvious yet stupid idea, we shouldn't make such a big deal out of this particular thing because the idea itself is stupid! C'mon now, how many serious sites out there would actually use such a thing? And how many non-serious sites out there actually have their own DNS server?

  44. Re:Amazon.com has been doing cookie tasks w/o cook by pen · · Score: 1
    Sorry to turn this into an ASP vs. Java thing, but it is sort of on topic, right?

    Sites that run on NT and ASP can't do this simply because ASP's built-in session management requires that cookies be enabled. If they aren't, it will just stick you inside of a redirecting loop. The redirecting loop is easily fixed with a "please enable cookies" message. Anything beyond that... well...

    Naturally, there are ways around this, but they require elaborate hacks, generating every link on your page yourself, and so on. In other words, rewriting the session management on your own. You cannot manually retrieve or switch sessions.

    Java, on the other hand, allows you to create a session object by just knowing the session ID. It also has automatic URL rewriting, that can be always, never, or no-cookies-only enabled. And you also have full control over this, so you can tweak it as needed.

    I definitely agree with you about the cookie-only sites. I understand that there are many good uses for cookies, but I like to choose whether I want the site to store cookies on my computer, not the other way around. I just run a proxy that blocks all cookies on all sites except for the ones I specify. If a site requires cookies to browse, I usually leave and don't come back.

  45. Re:DNS record.. by ruud · · Score: 1

    The DNS records you posted map _any_ host onto the address 195.122.187.3, using the * wildcard DNS record, whether or not the hostname was generated by their server. It's actually quite trivial to set up a CGI/PHP/ASP/whatever script to redirect you to a randomly generated hostname
    --
    bgphints - internet routing news, hints and ti
  46. Re:Useless for SSL by mindlace23 · · Score: 1

    Umm... for $500 you can get a certificate from Thawte that is *.yourname.dom, which would work fine. Or, you can be your own CA and do the same.

    --
    ~mindlace
  47. Re:It's been called "URL Poisoning" by lar3ry · · Score: 1

    [sigh] I KNEW I should have previewed first!

    There's a web site http://www.lemuria.org/Software/unpoison that calls this technique "URL Poisoning" and mentions that this could be considered a Bad Thing, because using this technique, people cannot easily "opt out" from being profiled, as you can by, say, disabling cookies in your browser.

    Refer to the above link for an explanation of URL Poisoning, and for a pointer to a Squid redirector plugin that can be used to disable URL poisoning.

    I personally don't have any opinion on this; I can see how it can be used, as well as how it could be abused. [shrug]
    --
    "May I have ten thousand marbles, please?"
  48. Check with Dave Winer at userland.com by funkman · · Score: 1
    They have a product called Manila which is a Web authoring tool. I don't know much about it, but you can set up your ????.registereddomain.com using the software to create a new web site. While it is not the same as what this situation is, there may be enough prior art involved to not allow this patent.

    An example of this product in practice is at: http://www.editthispage.com/

  49. I have an email describing .... by Citrix · · Score: 1

    I have an email describing GoTo.com's ability to encode the search terms in the wildcard part of the domainname. eg: http://linux.docs.goto.com/ or http://gnu.goto.com/ My email is dated 2/17/99 and they must have had that feature sometime before then.

    IANAL but I think this could be considered very similar and Goto.com has a bunch of money (I think) and maybe if they were made aware they would want to fight it.

    I'd be happy to provide my email but I doubt a dated email from someone's sent folder is proof of prior art in the law's eye.

    Citrix

    --
    Leknor
    http://Leknor.com
    "So many idiots, so few comets"
  50. Prior Art by atrox · · Score: 1

    http://www2.merton.ox.ac.uk/~security/bugtraq-199804/0085.html

    There is a Bugtraq posting in 1998 where Oskar Pearson describes a way of tunneling through a Firewall ** by encoding data into DNS-Names ** (and Replies).

    I think this could be considered as a "superset" of the sevenval.de idea.

    bye..adrian

  51. I did this in 1996 by Skapare · · Score: 1

    I did this in 1996 when I was building a shopping cart for collecting tax forms. It didn't work very well because it messed up DNS, foobarred my test proxy server, and confused the firewall. I wish I had some evidence of the prior art, but it was actually a stupid idea and would have prevented my site from achieving the performance levels it did, so I did the thing that seemed right at the time and abandoned it.

    --
    now we need to go OSS in diesel cars
  52. *.sevenval.com Fun with location poisoning by kyhwana · · Score: 1

    Hmm, this isn't very useful, but amusing for the first few minutes.
    You can change the characters in that seemingly random bunch of chars that they use, such as
    http://X199DAASOFTWARE84PATENTS71CBLOW3E.sevenval.com/
    *grins*
    As long as it remains the same length, you can replace most of the garbage with words..
    Enjoy.

    --
    My email addy? should be easy enough.
  53. Re:unpoison (not depoison) by MS · · Score: 1
    I agree with RMGiroux:

    • dynamic content doesn't get cached by proxies, but images present in dynamic pages get very well cached. With location poisoning, this caching is not possible. So caching matters!
    • HTTP and DNS are protocols, while HTML is a language. There are standards and standards.
    • Abusing of the DNS protocol is like using the <B>-tag to do italics (it can be done with style-sheets), while adding a new <BLINK>-tag is in no way an abuse of standards (BLINK was not defined previously for other purposes).
    Oh, you're using your mouse with your toes... now I understand the whole 'feel free to flame'. I didn't see this post marked as 'funny'. Hey, moderators, moderate this as funny!
  54. Re:Possible candidate by nyet · · Score: 1

    ok better now.

  55. Re:Calculator in the URL by HugoRune · · Score: 1
  56. Re:Useless for SSL by anirvan · · Score: 1

    The SSL site cert problem is real, but to play devil's advocate, it's easy enough to forward the user back to the main domain when it comes time for the secure transaction, as this is the way most third-party small business ecommerce providers work (e.g. have the user browse your-id-here.domain.com, but have the billing done on sales.domain.com).

    (But if you do this, then you still end up needing to use some traditional state mechanisms to pass around on the billing server. Oh well.)

  57. Re:unpoison (not depoison) by spodpit · · Score: 1

    > So what if I use this for dynamic content? In that case, caching doesn't matter anyway.

    Speaking as a cache admin for a large(ish) ISP, most dynamic content isn't *that* dynamic. Even if the page has user specific entries on it, the images are probably cachable - think slashdot, I (probably) have my preferences on what slashboxes I get set as different from yours, however the icons for story sections can (and should) be cached as those won't be dynamic.

    As for the 404 error for footfetish.com, well if you haven't paid then you're not going to get access - so permission denied is kind of appropriate ...

  58. Re:Useless for SSL by Anthony+Kilna · · Score: 1

    Thawte's search function is down right now, but I distinctly remember reading in one of their docs about several web client/server combinations that had problems handling wildcard certificates. And no e-commerce vendor wants to limit their audience.

    --
    s/[BW]ill(y|iam)?( H\.?)?( G(ate|8)(s|z))?(,? ?v?(III|3)(\.\D)?)?/Girly-man/gi
  59. lbnamed users: You done this? by SEWilco · · Score: 1

    It is possible that users of lbnamed, the Perl DNS server, have done things like this for assorted reasons. Particularly as it's a little easier to modify lbnamed to do odd pattern things than it is to modify bind. I know that I considered this same DNS poisoning technology a year ago (as an SSL obfuscated verification trick...a hidden tripwire) but didn't need it yet.

  60. lbnamed: parameters via DNS by SEWilco · · Score: 1
    In the LISA '95 lbnamed presentation there is an example of using DNS to pass parameters to a program.

    See where "random.stanford.edu" is shown, where "100.random.stanford.edu" will return a TXT entry with a random number in a 100-number range, and "10.random.stanford.edu" will use only a 10-number range. There's also a "passwd.ns.stanford.edu" example which mentions a database.

    This example is not attached to HTML, but it does show that the concept of using DNS to give information to a server was published in 1995.

  61. Re:Is this really groundbreakingly useful? by jonathanclark · · Score: 1

    This would lead to extremely user-unfriendly domain names

    agreed, but no more than session tracking done through URLS like this :
    "http://slashdot.org/comments.pl?sid=00/03/05/2345247&op=Reply&threshold=3&commentsort=3&mode=thread&pid=50"

    and surely it would really bugger up users trying to bookmark the site (stale sessions could stay in bookmarks for a LONG time).

    No. If the session id expires then just assign them a new one on reconnect and if they try to access any previous session information let them know it has expired. Same as it works now. But it works if people have cookies turned off.

    Personally I think it's a great idea. If it was obvious, how come no one used it before? This falls into the area I would think is patentable.

  62. Opting out by akey · · Score: 1

    The bad thing about how this company does it is you have no way to shut it off. With cookies, you do. That makes me sad.

    I suspect that it shouldn't be too hard to add the ability to "unpoison" URLs to the Internet JunkBuster. The author of Unpoison himself suggests that it should be rewritten in C or some other non-interpreted language for performance reasons.

    ---
    "Go Metallica. Die RIAA." -- Linus Torvalds
  63. Re:Improper? by Znork · · Score: 1

    It is exceedingly obvious. The reason we aren't using this sort of technology in our web browsers is it _stinks_, for various reasons mentioned.

  64. Re:aka "Location Poisoning", not good by PapaZit · · Score: 1
    This is such a bad technology that only the really clueless will buy it.

    And yet, Microsoft thrives.

    Flamebait aside, companies have nothing to lose by implementing this. The customers and people who connect to them are screwed, but for many companies, the extra information gleaned about customers may be a worthwhile exchange for the extra technical hassle.

    --
    Forward, retransmit, or republish anything I say here. Just don't misquote me.
  65. Ah, so that's how they get the netcraft figures! by IIH · · Score: 1

    Patent application:
    Title: Use of wildcard DNS records to generate high server usage charts

    Description:
    for i = 1 to 100,000,000,000
    launch_netcraft_test(www$i.myserver.com)
    next

    Desired result:
    next month's news...
    "Server X showed a 98% increase in usage in web sites globally, driven mostly by a large number of new sites in the myserver.com domain."

    --
    Exigo spamos et dona ferentes
  66. OT: speaking of prior art by slickwillie · · Score: 1

    Does anyone here know of prior art in the use of Ethernet frame pacing? Someone is trying to patent that technique, but it seems pretty obvious also. I seem to recall that Cisco routers have a setting for Ethernet pacing.

  67. caching of all that by egor+duda · · Score: 1

    I don't think this technique is so much useful, at least for site visitors. Dynamic generation of hostnames (if used blindly) will drag your TCP_HIT rate hell down. I believe that even load-balancing via www?.domain.com is a bad idea, and a much better way to handle it is multiple IPs assigned to a single FQDN.

  68. Re:Calculator in the URL by mystik · · Score: 1

    I'd love to, but I can't get to their help pages - they're using that urlcalc stuff.

    --
    Why aren't you encrypting your e-mail?
  69. Example of Prior art by mystik · · Score: 1

    DNS is several many years old (at least by internet age) This has been available to anyone who's wanted to use it. Obviously the creator of the DNS spec thought of a similar situation. What these people are doing, in my opinion is discovering that you can "fix" a computer with a hammer, and patenting that.

    --
    Why aren't you encrypting your e-mail?
  70. Re:Calculator in the URL by mystik · · Score: 1

    I'm using NS4.7... This isn't working for me. Any tips?

    --
    Why aren't you encrypting your e-mail?
  71. Re:Looking at the arguments by MadAhab · · Score: 1

    While you can reduce the overall poisoning of the net that this technique causes by serving images from a non-poisoned host, the fact is that if I run a large proxy server, and a lot of people visit sites using this technique, that site is going to cost me a huge amount of money in forced hardware upgrades, because every session is taking up a host space in my proxy cache. Plus, there's the extra DNS traffic, which isn't much, but overall, location poisoning SUCKS

    Personally, I would set up all proxies to deny a site using this technique.

    Maybe, it's obvious, maybe it isn't, but Sevenval SUCKS!!!. If there's one thing that the recent Doubleclick nonsense shows, it's that the general public will only stand for getting the shaft on privacy issues for so long. And the location poisoning technique is too obvious, so people will raise a stink.

    It's one thing to patent a sucky technique, but since the technique sucks too much to have real commercial value, you can just let this thing die on its own, sucking for air.

    --
    Expanding a vast wasteland since 1996.
  72. Bottle caps by slashdot-me · · Score: 1

    It's sort of like patenting the use of teeth to open beers. Everyone's thought of it but nobody actually does it for obvious reasons.

  73. Re:Possible candidate by Hobbex · · Score: 1

    And that site also contains the true reason why they shouldn't get this patent...

    -
    We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.

  74. Re:Other DNS abuse by sevenval by Tuck · · Score: 1

    RFC1034 suggests labels of the form:

    <label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]

    ie a name starting with a letter. This is to prevent problems with older software (eg MTA's). It's not a hard requirement.

    There's also some "prior art" e.g. 3com.com.

    --
    $ find /pub -beer "James Squire Amber Ale" -drink
  75. Re:On a related abuse of DNS... by Tuck · · Score: 1

    Chuckle.

    You'll probably find your browser ate a couple of angle brackets in the perl statement. It should read:

    perl -e 'while(<>){print pack("H32",$_)}'

    --
    $ find /pub -beer "James Squire Amber Ale" -drink
  76. Prior Art... by thogard · · Score: 1

    Check out the CERN server notes/newsgroups/docs back in last quarter of 1993.

    Before some of us started hacking the server there was no context but the ip numbers. If I remember right it took a separate server per ip number and at that time that did mean a separate interface.

    Talk to the people who did the early virtual IP addresses as this was discussed.

    Too bad deja* isn't that old. (why does it have all my '95 postings but not all the '96 or current postings? and apparently broken html on the new(TM) power search)

  77. Re:Neat, but different by EasyTarget · · Score: 1

    I doubt if this is prior art, since it does not track you during your session.

    So it's neat, but only for geeks. Whereas the patent app. is neat, but only for 'expletive-deleted' marketeers.



    EZ
    -'Press Ctrl-Alt-Del to log in..'

    --
    "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
  78. totally been done before by zzzeek · · Score: 1

    Here's two domain names that point to the same IP #, and based on the domain name it shows a different company logo and text:

    http://www.adtechuniversity.com/
    http://www.presentationstore.com/

    and I'm going to be doing something for my current job in the same manner soon.

  79. Re:This is real nit-picking, but... by drivers · · Score: 1

    By your logic, slashdot should change the Microsoft icon too. If you want unbiased, go to... oh wait, no one is unbiased. Oh well. :)

  80. Re:Improper? by CentrX · · Score: 1

    Wildcard DNS matching is a very obvious thing. It's the method of doing so that's not obvious. Because we're not all using this sort of technology in our web browsers does not make wildcard DNS matching obvious, it makes a method of wildcard DNS matching obvious. Clarification.

    Chris Hagar

    --

    "The price of freedom is eternal vigilance." - Thomas Jefferson
  81. Wrong idea! by TheTomcat · · Score: 1

    People, people.

    I think most of us are misunderstanding exactly WHAT they're trying to patent. This is NOT about using wildcard DNS. This has been around for years. I remember having a *.spatula.ml.org go through an index.cgi that parsed the headers to figure out what * was, then redirect the browser to the proper URL, this was before I knew that most webservers already have this built in as session management.

    The idea is tracking a user session through the HOSTNAME part of the URL, not through the CGI parameter part (everything after the ?).

    The url calculator, *.really.fuckingsucks.com, and even my cgi redirector are NOT forms of session management. They just use the host as a variable.

  82. Re:DNS record.. by TheTomcat · · Score: 1

    It's actually a pretty simple concept. Why didn't _I_ think of it? (-:

    Instead of implementing sessions in the DNS, what they're really doing is accepting a wildcard.

    For instance, if I were to run a site at example.com, I could start my splash page at www.example.com, then when a user gets there, redirect them to a1231376213.example.com, because *.example.com points at the same IP.

    Now, instead of remembering to append "&urltoken=a1231376213" to every form and link on my site, I can check the http headers to see what domain the user is requesting, and determine that their session number is a1231376213 based on that.

    Browsers automagically keep the same host name across http requests unless told not to (by using an absolute URL).

    I hope someone finds prior art. I want to use this. (-:
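The scheme described in the comment above, as an added example (not code from the post or from sevenval): the session id travels as the leftmost label under the wildcard zone and is read back from the Host header. The HMAC tag follows the checksum suggestion made elsewhere in this thread; `SERVER_KEY`, the label layout and every function name are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import re
import secrets

BASE_DOMAIN = "example.com"              # wildcard zone: *.example.com -> one IP
SERVER_KEY = b"constructed-demo-key"     # assumption: secret held only by the web server
SID_LEN, TAG_LEN = 16, 10                # 128-bit session id, HMAC truncated to 80 bits
LABEL_RE = re.compile(r"s[a-z2-7]{42}")  # 's' + 26 chars of id + 16 chars of tag


def _b32(data: bytes) -> str:
    # Base32 has a single-case alphabet, so it survives case-insensitive DNS handling.
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def make_label(sid: bytes) -> str:
    """Build the host label: starts with a letter, letters/digits only, 43 chars (< 63)."""
    if len(sid) != SID_LEN:
        raise ValueError("session id must be %d bytes" % SID_LEN)
    tag = hmac.new(SERVER_KEY, sid, hashlib.sha256).digest()[:TAG_LEN]
    return "s" + _b32(sid) + _b32(tag)


def normalise_host(host_header: str) -> str:
    """Lower-case the Host header value, drop an optional :port and trailing dots."""
    host = host_header.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        host = name
    return host.rstrip(".")


def session_from_host(host_header: str):
    """Return the session id (hex) carried in the hostname, or None if absent or edited."""
    host = normalise_host(host_header)
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        return None
    label = host[: -len(suffix)]
    if not LABEL_RE.fullmatch(label):   # also rejects multi-label prefixes (contain dots)
        return None
    sid = base64.b32decode(label[1:27].upper() + "======")
    # Rebuild the full label from the decoded id and compare in constant time.
    # A same-length edit of the label, or a non-canonical encoding, fails here.
    if not hmac.compare_digest(make_label(sid), label):
        return None
    return sid.hex()


def route(host_header: str):
    """Return (status, location): 200 on a valid session host, else 302 to a fresh one."""
    if session_from_host(host_header) is not None:
        return 200, None
    label = make_label(secrets.token_bytes(SID_LEN))
    return 302, "http://%s.%s/" % (label, BASE_DOMAIN)


if __name__ == "__main__":
    status, location = route("www.example.com")
    print(status, location)
    print(route(location[len("http://"):-1]))
```
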

  83. DNS-tunneling papers I wrote by duckskip · · Score: 1

    Last semester I wrote a couple of concept papers about DNS tunneling for an independent research course. At the time I didn't know about the 1998 CERT advisory, and when I went to go dl the code to see what it did, the link was gone 8-( Here are the papers: http://www.cs.utexas.edu/users/duckskip/DNS.htm http://www.cs.utexas.edu/users/duckskip/dns-final-report.htm They were meant more as thought provoking and are thus a little light on details, but should make some of the people out there start thinking in that direction. Anyways, for those who want to read and give me comments on the papers, my email is skip@ikansas.com

  84. Re:Let's all make stuff like this by MarkKomus · · Score: 1

    "but faking prior may be illegal though"

    Not may, is illegal. You're talking about fraud here, and whether the patent is valid or not, what you are suggesting would still be fraud and could land you with lawsuits, fines, and even jailtime. There's better ways to fight a patent if you feel it's unjust.

  85. Re:Unguessable hostnames & nslookup ? by shakah · · Score: 1

    > That hostname is long (a 128 bit value) and
    > randomly generated, making it unguessable.

    Wouldn't I be able to query your DNS for wildcard A-records via nslookup?

  86. Re:This will screw up filter software. by dalamar · · Score: 1

    Um no... that's the point. They all get mapped to the same ip. me.somewhere.com is the same as you.somewhere.com, the system just uses the me and you to determine who we are.

  87. Re:AOL doing this for years -- serious prior art by wmono · · Score: 1
    >AOL has been encoding session info into the DNS names given to its users' ip addresses for years.

    There's information in AOL's dialup line IPs' hostnames, but it's just the IP address, not any kind of session information. Take ABD778BD.ipt.aol.com for example; 0xABD778BD is 2883025085 in decimal. That's 171.215.120.189, exactly the same as what reverse-resolving the hostname gives.

  88. Re:Similar effect, different approach by nahdude812 · · Score: 1

    You can't generate ASP on the fly? That doesn't sound as though your ASP parser is working correctly. It's a huge pain in the butt writing static files from an ASP page. If only there were a "write buffer to this file" function, or if you could even treat the buffer as a string, such as returning a partial buffer from a function. Alas, there isn't, to my knowledge.

    I wrote a DLL that acts as the intermediate to the ASP parser. What it does is provide duplicates of all the DLL functions, and for the most part, simply re-call the ASP.DLL dll, except when a path is used containing a sessionID. Then it stripped that out, and fed in an appropriate session cookie to the ASP parser. More detailed I can't really get, it's one of those things my company paid me to do, and they might not like this much. Hope it's of help.

  89. Similar effect, different approach by nahdude812 · · Score: 1

    I've done this sort of thing for my company, but in a different manner. Instead of the url being http://sessionid.wherever.xxx, it's http://www.wherever.xxx/sessionid This is useful because it doesn't do anything funky with DNS, almost all links are relative, so the sessionID is preserved, and if I want a link to the root, but preserving the session, I just link to /sessionid. It's really not that difficult to write a little DLL that decodes the document by pulling out the sessionID, and sending the document to the ASP parser on my NT (stop booing, I know it's evil) box.

    1. Re:Similar effect, different approach by JackiePatti · · Score: 1
      How do you send the document to the ASP parser directly?

      A while back, I was trying to generate ASP dynamically, but never could figure out how to get the resulting string handed back to the ASP parser. I ended up writing the things to files instead, and "publishing" these files periodically, rather than being able to generate the ASP on the fly as I wanted.

      It almost sounds like you are doing what I wanted to do - how do you do it?

  90. I've seen this on Usenet by Florian+Weimer · · Score: 1

    Well, almost.

    Some people use wildcard MX records to track the use of their addresses.

    Quite frankly, I don't see what's so hot about this idea. It's not very important whether the session ID is in the domain name or not. You can always hack your web server and tell it to discard the session ID when translating URLs to file system references or similar things. Browsers would keep sending the session ID to the server as long as you use relative links.

    In addition, you don't know what's really contained in these session IDs, and DNS requests aren't encrypted even if you use SSL...

    Finally, it's said that a noticeable portion of Internet traffic is already DNS traffic, and this technology, if widely adopted, is likely to increase DNS traffic for no good reason.

  91. Ever Heard of Round Robin? by WebSerf · · Score: 1

    A fairly obscure load balancing technique called round robin has been in use for some time. Basically, the DNS server sends each new user to a different web server in turn and then starts over when it runs out of servers. I know this only maps a class of users to a given web server while a session id maps a single user (we hope ;-) but I thought this might help dent the patent case.

    --
    Nothing to see here. Mooooove along...

  92. Re:depoison by SamBeckett · · Score: 1

    It's called Unpoison..

    I believe that site was foreign in nature if that means anything at all.... (maybe that site uses PHP3's feature??)

    Basically, the site Unpoison is made for assigns a unique umpteen-bit hexadecimal number to you (and stores it somewhere) that is appended to their site's URL-- then they set up a program that decodes this information automagically (and retrieves all of your data).

    The bad thing about how this company does it is you have no way to shut it off. With cookies, you do. That makes me sad.

    Anyways, the freshmeat URL here

    The author's homepage and description of why he thinks it's a "bad thing." here.

    And the company that he dislikes for using it. 7Val.

  93. Re:depoison by SamBeckett · · Score: 1

    Actually, it is for the same company. Whoever posted that tricked all of us by saying "sevenval" instead of "7Val".

    WE WERE FOOLED!

  94. Isn't everything obvious on Slashdot? by Steeltoe · · Score: 1

    To me this is pretty obvious. Of course you gotta come up with the idea first, but that may come naturally after you have examined the problems with current CGI scripts. For simplicity though, I would still prefer to keep webserving (service to many sites for instance) and session-related stuff apart. Certainly such a solution should be standardized and made available to all, so that you avoid dirty and different hacks into every webserver around.

    Not everyone has special privileges to their webhost, just one more reason to use CGI or standardize this thing. Why not just use cookies?

    I think the most probable reason people haven't done this much before, is that they don't like to hack up their webserver, or maybe we're all just clueless. Whatever.

    - Steeltoe

  95. Couple of thoughts... by martin-k · · Score: 1
    First of all, this "invention" is not worth patenting. Couple of thoughts though ...

    1. Persistent cookies are much more a privacy issue than this. If you return to a site, all pages you visit can read the cookie again, whereas under this DNS manipulation scheme you get a new unique ID the next time you visit.

    2. This is for e-commerce, right? Surely you jest. This collides with SSL. SSL certificates are for specific servers, for example www.softmaker.de but not *.softmaker.de. YES, you can get a certificate for *.softmaker.de, but Thawte and Verisign tell you it's NOT a good idea. Some browsers give security warnings and IIRC IE4 doesn't even let you access the page.

    3. 302/Temporarily moved. Yeah, right, that's a REAL BAD thing to do. However, after burning down 7val's house for it, the next candidate will be the author of the CGI.pm library for Perl because he's doing the same! If you are using the -uri parameter in a redirect, CGI.pm outputs a 302 page.

    I know this because it's the only way to combine a cookie and a redirect on some web servers ...

    -Martin

  96. A Different Perspective by brokenin2 · · Score: 1
    It seems to me that one could argue that this was one of the primary reasons for creating the DNS system in the first place. Making internet connections more manageable seems to me to be the point behind DNS. It's normally used to track session after session. Just because someone's using it to track single sessions instead of many doesn't seem like it's really anything new. I think that's why it seems like such an obvious solution to all of us.

    Certainly using something for the purpose for which it was created isn't a patentable process, even if it is being done slightly differently than other places.

  97. Re:Calculator in the URL by gfoyle · · Score: 1

    My proxy server (SQUID, of course) spits this back as a bad URL. When I connect directly, it works fine. This might be the trouble the person with Comm. 4.7 is having; either it validates the URL or he is behind a proxy. But the site is cool for its uselessness.

  98. Not quite the same by kangasloth · · Score: 1

    Yeah, it's in the url and you don't need to mess with static pages if you use relative links, but it doesn't use wildcard dns records. Which seems the largest part of their "innovation".

  99. Images are not cached by Ru610 · · Score: 1

    It seems to me that there is a caching problem with this method. Since the base URL might change a lot this will result in the client browser not caching images etc.. This will result in much unnecessary traffic.

    1. Re:Images are not cached by Kyler+Laird · · Score: 1

      So...don't use it for images! (Sheesh! Talk about things being obvious...)

  100. When it comes down to it by Andrew+Cady · · Score: 1
    ...the laws of physics which govern *all* inventions have existed since the beginning of time, so the difference is always going to be a matter of scale, with no distinct line. The cotton gin was based on a bunch of basic laws of physics that nobody had used in that way before. Likewise with Wildcard DNS: it existed before, but it was never used for session management. And it's not as if /nothing/ was created: there still had to be an implementation behind the scenes (though I'm sure it was trivial).
    But using technologies in combination to do what they were invented to do is not patentable, even if it's clever.
    But DNS was never intended for session management.

    I suppose it's moot. No amount of novelty is going to get me to support a patent anyway ;)

  101. But obvious!? by Andrew+Cady · · Score: 1

    This is really a very clever hack. It's only obvious once you hear it. I'm against "intellectual property" in general, but I still recognize that this is a novel idea. I honestly can't see the patent being attacked on the basis that it is "obvious". (Though I can see it being attacked on other grounds: the very idea of patents is absurd, no research went into "inventing" this, someone must have done it already, and it obviously would not do all that much good for society if this were restricted). But it's still not "obvious".

    1. Re:But obvious!? by luckykaa · · Score: 1

      "using a hard disk to store digitized telephone messages". I hear that and think, "give a patent to the hard disk guy, to the A/D guy, and to the telephone guy

      I see your point. This is just an answering machine with a funny sort of tape recorder, but what if nobody had invented an answering machine before? Surely then it would have been a suitably new idea to patent, yet its still just 3 things stuck together.

    2. Re:But obvious!? by slashdot-me · · Score: 2

      How do you know it's not obvious, Andrew Cady?

      RYan

    3. Re:But obvious!? by MattMann · · Score: 2
      what if nobody had invented an answering machine before? ...it's still just 3 things stuck together

      The distinction I would draw is whether the 3 things stuck together are doing something new or not: the ball in the mouse is just a ball, but it's doing a very un-ball-like thing (ok, sometimes I drag'em across the desk, but... ha ha) So, is an answering machine patentable? maybe a little piece having to do with answering the phone with a switch, maybe some of the "algorithms" (mechanical or otherwise) for juggling the tape... but I would pretty much think that once tape recording is invented, it's obvious that it can tape phone calls.

      I realize I'm talking about a fuzzy standard, but I'm just moving the fuzzy line that will always exist. Here's how I think of obviousness: I don't think the idea "phone answering machine" is patentable on its own (and I think the patent office agrees). So, if you as an engineer are given the task "build phone answering machine" and you think "tape recorder" and anyone would think "tape recorder", well that's obvious. If I tell you "the UI has too many clicks to buy a book" and you show me how you'd do one click using cookies, it's hard to imagine that how you did it would be anything but obvious. The idea is not patentable.

      This wildcard DNS seems more clever than one-click ordering, but really only because it's weirder. The feature was sitting there, and the multihosting webservers are just sitting there. Here's one for you: let's patent one-click ordering using wildcard DNS! You see, all the technologies exist but we'd be combining them in a novel way, using no cookies! We could even use it for an affiliate bookstore program!

      There's some similarity between engineers piecing together parts to build things and lawyers building their cases. They don't allow patents on novel legal defenses. Unfortunately, they seem to hold sway over the rest of us and they are as a rule stupider than engineers and they don't give us the same protection for our toolboxes that they give themselves. Oh, IANAL.

    4. Re:But obvious!? by MattMann · · Score: 2
      I share many of the sensibilities about intellectual property that you lay out, but I'm not sure if I draw the same conclusion. In the Amazon discussion someone pointed out the cotton gin as an example of "patentable, but obvious in retrospect". I see that, but it was an invention of something that didn't exist before. Think of the mouse pointing device: seems patentable: it has that "why didn't I think of this" feel of obviousness, but it is something that didn't exist before. And I don't mean that because it is a physical object. Compression or encryption algorithms: they are new things.

      But this DNS trick, like Amazon and cookies and confirms, doesn't invent anything. The feature of the DNS they are using was invented by someone else. Cookies were invented by someone else. Am I rambling here? I'm just trying to explore the space. A few years ago, I heard about a patent that was something like "using a hard disk to store digitized telephone messages". I hear that and think, "give a patent to the hard disk guy, to the A/D guy, and to the telephone guy. But using technologies in combination to do what they were invented to do is not patentable, even if it's clever."

  102. advantage? by fforw · · Score: 1

    Maybe I'm just stupid but I can't see any real advantage of this method to using ordinary search parameter (e.g. http://foo.com/?ICHBINEINESESSIONID). You run into the same length restrictions and into even more character restrictions: no use of Umlauts (e.g. %F4%EC) and such.

    --
    while (!asleep()) sheep++
    1. Re:advantage? by Kyler+Laird · · Score: 1

      Maintaining a query_string (as in your example) is non-trivial. I did it for an early "shopping basket" program. It worked nicely, but it took some effort. Some of the CGI modules available now make this easy.

      Another route is to use URLs of the form http://somehost.com/ID1234/real/path/. This simplifies things a bit; you can at least use relative paths in your document. You're still hosed if you use an absolute path, though. That's what sticking the info in the host name solves.

      By now, someone has probably already come up with the next step, right? What piece of the URL haven't we touched? No, not the protocol; that would be too limiting. The port number! Now you're going to have to have pretty complete control over the host, but you *could* use a port number for session/ID tracking. IP chains might even make this fairly simple. (I'm just starting to play with it.)

      Now for some horrible kludges that you can play with on just about any server. These will typically break when a proxy server is used, but they're still fun.

      Let's say that the host name is "goofygeeks.com". You'd normally use the URL "http://goofygeeks.com/" but note that you can add trailing dots to the hostname. So..."http://goofygeeks.com.../" will work just fine and you can pick it off of the HTTP headers. Sure, it's of limited use, but it might come in handy.

      For more flexibility, treat the letters of the host name as binary digits with a lower case character being '0' and an upper case character being '1'. So...to encode decimal 5, you'd use "http://goofygeeks.CoM/". This is one time when being tacky and using a "www" prefix helps a bit. With "www.goofygeeks.com" you have 2^16=65536 combinations to use. (Add dots to the end to multiply that.)

      Enjoy!
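The letter-case encoding described in the comment above, as an added example that is not part of the original post. The function names are hypothetical; `canonical_host` shows why the trick does not survive anything that lowercases the name and trims trailing dots before logging or cache lookup.

```python
def capacity(host):
    """Number of distinct values the letters of `host` can carry (2 ** letter count)."""
    return 2 ** sum(ch.isalpha() for ch in host)


def encode_case(host, value):
    """Write `value` into the letter case: lower = 0, upper = 1, last letter = lowest bit."""
    if not 0 <= value < capacity(host):
        raise ValueError("value does not fit in %r" % host)
    out = []
    for ch in reversed(host.lower()):
        if ch.isalpha():
            out.append(ch.upper() if value & 1 else ch)
            value >>= 1
        else:
            out.append(ch)          # dots, digits and dashes carry no bit
    return "".join(reversed(out))


def decode_case(host):
    """Read the value back: leftmost letter is the highest bit."""
    value = 0
    for ch in host:
        if ch.isalpha():
            value = (value << 1) | int(ch.isupper())
    return value


def canonical_host(host):
    """What a proxy or a careful server does to a Host header: lowercase it and
    drop trailing dots. Both side channels from the comment are gone afterwards."""
    return host.lower().rstrip(".")


if __name__ == "__main__":
    marked = encode_case("goofygeeks.com", 5)
    print(marked, decode_case(marked), capacity("www.goofygeeks.com"))
    print(canonical_host(marked + "..."), decode_case(canonical_host(marked + "...")))
```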

  103. Re:if its obvious its not patentable by thue · · Score: 1

    Unobvious - like the patent for windowing! (determining the century a year belongs in by looking how close the year is to the current one)

    Given a thousand years I wouldn't have thought of that myself

    They obviously have low standards at the patent office ordinary skill; quite saying :)

  104. if its obvious its not patentable by idot · · Score: 1
    In order to be patentable, an invention must pass four tests:

    1. The invention must fall into one of the five "statutory classes" of things that are patentable: [snip]
    2. The invention must be "useful". One aspect of the "utility" test is that the invention cannot be a mere theoretical phenomenon.
    3. The invention must be "novel", that is, it must be something that no one did before.
    4. The invention must be "unobvious" to "a person having ordinary skill in the art to which said subject matter pertains".

    This requirement is the one on which many patentability disputes hinge. This is the question to discuss

    This is a quote from a patent FAQ

  105. prior art? by aozilla · · Score: 1

    Well, I don't know how well this correlates, and I have no way to prove it, but I used to have a redirection script which did a search on Yahoo, using keyword.searchyahoo.mydomain, and another one which did a yahoo stock lookup using TICKER.quote.mydomain. I guess that's not session info, but I haven't seen the actual patent filing so maybe they tried to go overbroad. I guess the biggest problem is I have absolutely no way to prove it as I only used it myself and then took it down.

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  106. one solution...err...workaround by aozilla · · Score: 1

    Open groups need to start getting patents on every possible thing they can, to avoid this. Just think, if an open group had patented wildcard A records, and given an unlimited license for use as long as you don't create a derivative patent, this could have been stopped.

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  107. Re:IM SO SICK OF PEOPLE COMPLAINING by luckykaa · · Score: 1

    I don't think you should be so angry about it.

    Still, I agree. According to the original article, it's "interesting" (but apparently also obvious) and also "A very useful technique", which would suggest that somebody would have done it before if it was obvious.

    On the other hand, I think a lot of things do get patented despite being obvious. This can happen when the costs of doing something outweigh the benefits, giving someone an unfair monopoly if the costs go down.

  108. New Patent law by www.sorehands.com · · Score: 1
    What about requiring a post to slashdot to check for prior art on software patents?

  109. This will screw up filter software. by www.sorehands.com · · Score: 1
    Encoding the session information into the host name will do a number on internet filter software that does look ups by IP.

    Just think, the next porn site you are on, if it uses this method will have a different address for each session/user. I guess they will have to block by domain. And you thought blocking software couldn't cause more problems.

  110. World outside of /.??? by www.sorehands.com · · Score: 1
    Nah, I don't believe you.

    P.S. You project too much.

  111. Problems with session ID in URLs by FangVT · · Score: 1

    There have been several messages/threads discussing session IDs stored in URLs (including sevenval's mechanism of storing it in the domain portion). I implemented a system doing this at the start of 1997 for what has grown to be a fairly large e-commerce site, because we didn't want to force users to accept cookies. We have since had to give up the fight and switch to cookies.

    When we first started I had guessable session IDs but used the client's IP to verify that the session number in the URL belonged to the requesting client. We later had to discontinue this because customers coming through AOL started having IPs that shifted from page request to page request so they were no longer able to buy through our site. I didn't see any other information coming in from the browser that I could reliably use to verify the client was the same, so I switched to a (reasonably) unguessable session ID.

    This mostly worked but we ran into a problem where people would find a good deal on our site and post the URL somewhere on the net with the session ID included. If other people followed the link, before the session expired, they would end up in the original poster's account and while they couldn't place an order without supplying their own credit card they still found it disturbing that the system showed them as being in someone else's account (and rightly so). After another couple of rounds of trying to keep cookies out of the equation but still keep each person's session secure I finally gave up and switched to cookies.

    So I ask, do any of you that hate cookies have a suggestion for a technique that I may have missed that would allow us to stop using them? If not, then I suggest that this potential patent is ultimately doomed as well, at least where ecommerce is concerned.

  112. Using Wildcards by madmag · · Score: 1
    I think that wildcards in web applications are not something new.

    Take a look at http://cv.developer.ch
    I use this possibility for the above project to make users' CVs available.

    User aghaffar gets aghaffar.cv.developer.ch, user madmag gets madmag.cv.developer.ch

    I don't know why some people try to make fools out of themselves by patenting obvious things.

    You can read my article on LinuxFocus (January Issue) that talks about these techniques.

    --
    If Microsoft is the solution, I want my problems back
  113. Re:I've been doing this. by Kyler+Laird · · Score: 1

    (Good grief! Did I really write "There not only useful"?! I'm getting the Slashdot spelling disease!)

    For kicks, I decided to do some digging through old files. I found that I started testing wildcard A records for this and other uses back in December of 1999. (I had talked about it quite a bit before then, but hadn't implemented it.)

    I'm also trying to track down old messages about it just in case that helps.

  114. Re:Useless for SSL by Kyler+Laird · · Score: 1

    Good point, but apparently not completely correct.

    Equifax sells wildcard SSL certificates. Instead of $45 for a regular certificate, these are more like $1000. (I was thinking of buying one for purdue.org, but I ended up with one of the cheapo ones for engineering.purdue.org.)

  115. Re:unpoison (not depoison) by mpieters · · Score: 1
    dynamic content doesn't get cached by proxies, but images present in dynamic pages get very well cached. With location poisoning, this caching is not possible. So caching matters!

    And who says you get the images from the [sessionid].website.url server? You can still serve your images from www.website.url. And any other static content, so caching works on that just fine. Actually, this is what slashdot does. Just look at the source of this page, and pay attention to the URL of every image.

    Fact is, e-commerce needs state. State can be maintained by using cookies or using session IDs in the URL. Up until now this was done using the path portion of the URL, or the query string. These people figured out you could use the hostname as well.

    With all three of these techniques you lose cacheability of the object the URL points to, but this will not prevent a good site designer from using static, constant URLs for static, constant content.

    As much as I am opposed to software patents, the idea is a clever use of the available resources and techniques. And I don't think there is any prior art.

    If you want to fight this, you will have to come up with better arguments. Have a look at "Against Software Patents" for some ammunition. Note that this document is 9 years old, so the ammunition might be a bit weak. However, some good public momentum behind it might just get something done.

    Martijn Pieters, Software Engineer
    Digital Creations, Creators of Zope

    --
    "The truth shall make ye fret" -- The Truth, Terry Pratchett
  116. Re:aka "Location Poisoning", not good by mpieters · · Score: 1
    Abused tracking is, of course, but this is such a clumsy method that it is not likely to spread.

    Indeed, I'm not too concerned about this being patented since the URL http://bgfv3wz0.software-patents-are-bad.com/ has no obvious advantage over http://www.software-patents-are-bad.com/bgfv3wz0/.
    Actually, there is:

    Your software becomes much simpler, you don't have to rewrite every URL.

    You can use absolute URLs within your site (/About/ instead of ../../../About/), so you can reuse navigational elements throughout your site at every level and it reduces the chance on errors.

    Not exactly prior art since it wasn't that long ago and in any case toth doesn't log, but still that makes it obvious in my book. Same problem as ever though: what's "obvious" to a bunch of web developers who read RFCs is not generally "obvious" to a bunch of patent clerks who read the National Enquirer.
    And this is where the problem lies. Maybe because this is still a pending patent you have a fighting chance, but not with statements like "I just had a good laugh over the idea with a client before I heard of this patent". We will have to have proof. Guilty until proven innocent.

    Martijn Pieters, Software Engineer
    Digital Creations, Creators of Zope
    --
    "The truth shall make ye fret" -- The Truth, Terry Pratchett
  117. Possible candidate: WildCat BBS by mpieters · · Score: 1
    My colleague told me:
    "WildCat BBS software has used the technique of wildcard DNS entries to track incoming tcp/ip user 'sessions' for years. Simple case of prior art."
    No mention of WildCat on Mustang's Website anymore, but you could try and contact them and ask.

    Martijn Pieters, Software Engineer
    Digital Creations, Creators of Zope
    --
    "The truth shall make ye fret" -- The Truth, Terry Pratchett
  118. Re:Useless for SSL by kjo · · Score: 1

    Nope. Just use also a wildcard as common name and it works. Have a look at the certificate at ccc.de

  119. IM SO SICK OF PEOPLE COMPLAINING by mkaminer · · Score: 1

    All of you tech clowns say the same thing. Oh it's not obvious, oh it's so easy. You are all using HINDSIGHT to do this. Of course it is obvious, once you see how to do it. But YOU didn't come up with it yourself. THAT'S why the OTHER person gets the patent. And another thing, how does everyone know about this patent if it has not been issued? Stop your bitching and start inventing. Think about it:

    1. The invention must be NOVEL. (35 USC Sec. 102) Has anyone actually done this before? Not. Oh, I saw that once in X-windows (that's not the same thing). It doesn't seem so.
    2. The invention must be USEFUL. (35 USC Sec. 101) Anything is useful. It doesn't have to be useful to you, but useful to SOMEONE.
    3. The invention must be NONOBVIOUS. (35 USC Sec. 103) This means THAT: it would not HAVE BEEN obvious to one of ordinary skill in the art. Notice the HAVE BEEN. That means, at the time the patent was filed, not using YOUR HINDSIGHT.

    SO, if there is a reference that discloses this, then produce it. Otherwise, you are using your own hindsight to make flighty comments. GEEZ!

    --
    I Luv Cow-culators!
    1. Re:IM SO SICK OF PEOPLE COMPLAINING by xee · · Score: 2

      1st of all, who are you to be assuming who we are, getting upset about these issues.

      2nd of all, I developed a system for user management (not session, but very similar) based on wildcard DNS aliases (A Records). In my system, a user comes to the site via username.mysite.com and then logs in to his/her personal section. This is prior art! As soon as I get my client's permission, I'll post more info on the SIMPLE, OBVIOUS process I used. Furthermore, this is not hindsight, I devised the system on my own, with no external help.

      --
      Oh shit! I forgot to click "Post Anonymously"...
    2. Re:IM SO SICK OF PEOPLE COMPLAINING by slashdot-me · · Score: 4

      It IS obvious. One of my projects is a web search engine and I have given dns-based session control quite a bit of thought. As a spider designer, it gives me the heebie-jeebies.

      No one uses dns encoding because it poisons dns caches. Remember, dns lookups that aren't cached on a nearby server require sending a request/response from at least two other machines. Here's what a session might look like.

      ////////////////////

      First query the local server. Very fast since the connection is probably ethernet.
      me -> dns.ryans.dhs.org

      Now my local dns goes off and searches for the ip address.

      Local dns queries the root servers.
      dns.ryans.dhs.org -> b.root-servers.net
      dns.ryans.dhs.org <- b.root-servers.net
      dns.ryans.dhs.org -> ns1-auth.sprintlink.net
      dns.ryans.dhs.org <- ns1-auth.sprintlink.net

      Local dns sends me the answer
      me <- dns.ryans.dhs.org

      Start tcp session

      ////////////

      As you can see, the name lookup needed one short-haul and two long-haul roundtrips. If it was cached only one short-haul conversation would have been needed.

      Ryan

  120. Does the patent really exist? Other patents. by 3247 · · Score: 1

    I just wanted to have a look at the patent to find out what they actually claim.

    I searched for this patent on both IBM's IPN and on various parts of Depanet using the patent numbers they give on their website (which don't look like patent numbers), parts from the title, and the name "sevenval" as the applicant ... and could not find it.

    Can anyone confirm that these patents actually exist? URL?

    What I did find, however, were:

    --
    Claus
  121. privacy violation and laws by Tom · · Score: 2

    two things that haven't been mentioned so far:

    the whole Location Poisoning scheme is a mighty tracking system. since your ID stays the same among various sites, they can cooperate and pool the data you entered. your address here, your buying habits there, a questionnaire over there and the words you entered in that search engine - doubleclick was nothing, they only get the sites you visit, not what you enter there.

    7val claims that they'll require customers to sign a contract that they won't do that. which to me has the base purpose of removing *7val* from responsibility. this SCREAMS abuse. I bet it will be used for profiling as described above.

    now since (2nd thing not mentioned) 7val is in germany and applying for european patent, the EUROPEAN patent law applies, NOT the US which has been quoted here. in european patent law, patents can be refused if they are overtly abusive. for example, you couldn't patent something if its only use is illegal. since Location Poisoning begs to be abused, and the "advantage" of following visitors even when they leave your site is one of its strong marketing points, I do believe a point can be made for the patent to be abusive in nature.

    --
    Assorted stuff I do sometimes: Lemuria.org
  122. Re:Neat, but different by adamsc · · Score: 2
    I doubt if this is prior art, since it does not track you during your session.
    7val's patent isn't about pure session tracking either, as that's been around for ages. Their system is different because it uses the hostname to store the session identifier. The only claim on innovation that they have is using the hostname to store data for their program, which the urlcalc site also does.
  123. Might be prior art by vallee · · Score: 2
    The author knew that this was an important breakthrough. From the results page:
    This is a demonstration of having a dynamic subdomain to be the input of a program on the web. What this also demonstrates is that you really can send weird stuff on the url even in a subdomain name. (Note: There's no cgi-param-passing-here or path-info.)

    It's a demonstration of technology this broad: dynamic subdomain being the input of a program. Well, that's exactly what 7val is doing. So what if the program does something specific - it's still a web program that "tracks sessions" instead of a web program that "does math". Web programs that "track sessions" are nothing new. The only new part is the dynamic subdomain, for which there is prior art.

    The author of the domain math software was aware of other potential uses for this ground breaking technology, clear from his description in italics above, and only used the calculator example to demonstrate that it could be the input to any program. Ergo prior art.

    QED!

    --
    The real Paul Vallee is slashdot userid 2192, and, what do you mean it's not cool to point out your low userid?
  124. Re:This is real nit-picking, but... by scrytch · · Score: 2

    I think you need to work on your deductive reasoning skills. An image that lampoons frivolous patents does not by extension lampoon all patents as frivolous.

    --
    I've finally had it: until slashdot gets article moderation, I am not coming back.
  125. Hmmm... by clifyt · · Score: 2

    Damn, I've been meaning to see about hacking the code to give me this kinda functionality for a while :(

    On the sites I host, I usually have a template that I use with an assload of variations in case someone types crap in wrong, I want them to still get into the machine.

    Example:
    www.*.com ww.*.com w.*.com wwww.*.com

    It gets to be a pain. I watch my DNS servers' error records to see what people put in and if it's a new variation that I haven't seen, I usually update my records with the new one. Having a wildcarded DNS would have made this a lot easier.

    Now if I could only apply this feature to my personal server SoniKmatter.com so if they spelled it soniCmatter.com it would send them over to me without having to register another damn domain.

    clif marsiglo

  126. Re:Useless for SSL by arivanov · · Score: 2

    Brilliant point. Forgot about this.

    What these i... are claiming is to "revolutionize web commerce". What are they talking about? What commerce without certificates and encryption? Relying on HTTP-Referrer which is supplied by the browser so any kid can fake it maybe?

    If this gets enough publicity they are not getting any money. Which is good (TM).

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  127. Looking at the arguments by sammy+baby · · Score: 2

    Good points, good article. I'm not sure I agree with all of the points it raises, though.

    The author states that "Location Poisoning disables proxy servers, DNS caching and other mechanisms that reduce the amount of net traffic." This is true, but the situation isn't as dire as you might think at first blush. Without having any numbers to back up my claim, I'm going to assert that in the average web transaction (from DNS lookup to the last request fulfillment on a single page), transmission of images takes up the vast majority of the bandwidth used. If the page author serves images from a central location (<img src="http://images.etcetra.org/blah.gif">) they'll still be cached normally by web proxies. So, it's bad, but it can be mitigated somewhat by clever design.

    On the other hand, I detest what this does to bookmarks. Bleah.

    In the end, I don't see this technology as having much value, even if you strip out all the negatives. Even if you don't have to screw around with passing cookies or GET args as session identifiers, you still need to change state in your database for any reasonably useful application (read: shopping cart). If you can set something like that up, then there's no reason you couldn't have set up some other, less objectionable form of session management.

  128. request for information by Shoeboy · · Score: 2

    If anyone has info on this tech that doesn't require me to brush up on my long forgotten knowledge of German I'd love to see it. Hell, I'd like to see any info that WAS in German. Sevenval's news page appears to only contain the word news repeated several times with some plus signs thrown in for variety.
    --Shoeboy

  129. Let's all make stuff like this by mind21_98 · · Score: 2

    How about we all make sites that use this technology? And set our copyright dates to last year as well. Then we can prove that this is prior art (but faking prior may be illegal though, not too sure about that)

    Actually maybe I can change GPLTrans to use this...something like http://helloworld.english2spanish.translator.cx/

    or maybe http://www.yahoo.com.english2spanish.translator.cx/Computers_and_Internet

    (note those URL's do not work in reality)

  130. Re:Possible candidate by nyet · · Score: 2

    Actually, it's worse than that, it searches for the first instance of really heh. OOPS. maybe i should fix it.

    First one to send me php code to split into a string array wins... well... hrm. nothing.

  131. Example of bad practice by mindstrm · · Score: 2

    Regardless of my stance on patent issues, this goes contrary to what the internet is about.
    IF this kind of attitude was used in previous years, we would be nowhere right now. The Internet would not have happened.

    Nobody patented the use of putting stateful information in the path portion of a URL, why should they be able to do it in the host portion?

    NO PATENTS! PATENTS should be for REAL RESEARCH, that costs REAL DOLLARS.

    One could argue that this is no different than a web server differentiating between virtual websites based on the hostname. The 'state' that is stored in the hostname is the one that determines which site is being visited, (as opposed to a simple IP lookup). This is not something patentable, and should not be patented.

  132. What's the definition of state? by LL · · Score: 2

    I'm not quite sure how broadly or narrowly you need to interpret the word "state". I know that contorting the URI to do weird things is not unusual. In a PhD a long time ago I used a combination of techniques to effectively pass commands encoded within the URI to an interactive state engine embedded within a simple web server (experiments in doing simulation on demand on a multiprocessor). The use of altering the DNS has a couple of tradeoffs though, it involves a layer outside the HTTP server-server level but it is faster as one step in the parsing is removed. Thus some portability is sacrificed for performance which in the overall scheme of things I'm not sure is superior because a lot of the lower level network will get hardwired (eventually) into network boxes which is permanent infrastructure whereas you want to have flexibility in modifying the interactions. Sorta the difference between ripping out a wall and repainting the wallpaper.

    The internet pace does have a disadvantage in that it is impossible to weed out *bad* or useless ideas out of the volume generated every day. How many inventions actually become a commercial success? Building a better mousetrap does not always equate to getting rid of more mice.

    LL

  133. Other DNS abuse by sevenval by Randym · · Score: 2
    If you go to 7val.com it works -- but it shouldn't! IIRC, domain names must start with an alpha character (I don't remember which RFC this is in though.).

    --
    DNA is a Turing machine. You, however, being dynamic and emergent, are not.
    1. Re:Other DNS abuse by sevenval by RobertGraham · · Score: 2
      No, 7val.com is correct. This is a common misconception, and indeed many DNS servers follow this misconception. (i.e. if you choose a name starting with a digit, some DNS servers will not be able to resolve the name).

      Go to Network Solutions and attempt to register any name starting with a digit. Indeed, the name could be completely digits (i.e. 411.com). However, try to begin a name with a dash; you'll see it doesn't work.

  134. This is real nit-picking, but... by Frac · · Score: 2
    Can we replace the icon for Patents? Or at least have another icon for the more legitimate (or patents under scrutiny?)

    I understand it's all in the name of humor (and the icon is indeed very funny), but I also think that the icon unconsciously biases any posters or readers to think of any patent to be trivial, or frivolous.

    Patent laws need to be fixed, but that doesn't mean all patents are bad. If I had a patent on some groundbreaking device, I would hate to get the attention of Slashdot, who would pigeonhole my creation with an icon of patenting knives and forks.

    1. Re:This is real nit-picking, but... by Frac · · Score: 2

      You need to work on your reading skills. I did NOT say the image infers that all patents are frivolous, but that the image subconsciously affects someone's opinion since they see the image.

  135. akamai by SmartyPants · · Score: 2

    akamai does something similar with their image caching ... check out yahoo's front page and the images on it.

  136. Prior art by RobertGraham · · Score: 2
    Two years ago, when developing a beta version of a product, I put a feature whereby the product would encode the IP and user name in a DNS request and did a lookup on it. (The beta did have splash screen clearly stating the product would contact our website).

    I still have the source code for the little DNS server I wrote that received and decoded that traffic back into its constituent components. I'll sign an affidavit if need be.

    BTW, as a hacker, I've already found several ways of breaking this scheme after a few moments of trying. (Heck, one of the flaws I already solved in my implementation mentioned above; stupid of them). Therefore, you can attack the patent. Their implementation is still rough, so simply find flaws in it and patent the solutions ($500). When they fix their implementation, sue 'em.

  137. Damn by PhiRatE · · Score: 2

    I came up with that as a solution to our load balancing issues over a year ago, unfortunately our network architecture didn't really support the concept.

    However on this basis I note that it must be "obvious", certainly it never occurred to me that others might not have thought of it. Unfortunately this isn't enough I guess, and I never implemented anything to test the idea, so..no prior art from me. Sorry :/

    --
    You can't win a fight.
  138. Hope this helps by shadrack · · Score: 2

    If I understand your request, then you might want to check www.href.com.

    They make a server side web development toolkit for Delphi developers, that uses state management, wild card ids, no cookies, and supports server clustering (among their own app servers). They have been doing this since Delphi 2 as far as I can tell. They are not the only ones either, but I can't remember the names of the other companies doing this.

  139. prior art in PHP/Apache by eries · · Score: 2
    I KNOW that I saw a page somewhere describing how to do something almost identical in Apache for PHPLIB (the package that Kristian excellently maintains, btw). Alas, I cannot find the URL now, but if someone could post it, that would be great.

    I think it used mod_rewrite, but I could be mistaken.

    Eric

    Want to work at Transmeta? Hedgefund.net? Priceline?

  140. Re:Calculator in the URL - prior art by Dannyx · · Score: 2
    *Not* a troll, but this looks like prior art, too... http://slashdot.really.fuckingsucks.net/

  141. Re:aka "Location Poisoning", not good by Bob+Ince · · Score: 2
    Abused tracking is, of course, but this is such a clumsy method that it is not likely to spread.

    Indeed, I'm not too concerned about this being patented since the URL http://bgfv3wz0.software-patents-are-bad.com/ has no obvious advantage over http://www.software-patents-are-bad.com/bgfv3wz0/.

    A few weeks ago I was on a talker (toth.org.uk) discussing ways of storing client information, and someone suggested "storing a session ID at the start of the URL", meaning the second URL above. We, of course, joked that he had meant at the start of the domain name and that could be done using DNS wildcards but - ho! ho! ho! - what a damned stupid idea that would be.

    Not exactly prior art since it wasn't that long ago and in any case toth doesn't log, but still that makes it obvious in my book. Same problem as ever though: what's "obvious" to a bunch of web developers who read RFCs is not generally "obvious" to a bunch of patent clerks who read the National Enquirer.


    --
    This comment was brought to you by And Clover.
  142. Not for saving state, for tracking users. by kevin805 · · Score: 2

    I think that the above examples of using the hostname to encode search strings, or parameters to a function, should be good enough for prior art, this really is a good idea. It's not (only) about customer tracking as in shopping carts. From the web page:

    ...bietet eine absolut neue Möglichkeit des Customer-Trackings, die unkompliziert auf einem Webserver zu installieren ist und für den Benutzer kein Sicherheitsrisiko darstellt, wie z.B. ein Cookie. Jedem Besucher einer Website wird bei der Anfrage der Webseite ein eigener (virtueller) Webserver zugeteilt: www.ID-Nummer.Domain.de und gleichzeitig ein Hostname vergeben.

    "...offers an absolutely new possibility in customer tracking, that is simple to install on the webserver, and poses no security risk to the user, like, e.g. a cookie. Every visitor will be assigned their own personal hostname upon visiting the page."

    I don't see this as being for the purpose of knowing who you are dealing with when you are actually serving the pages (although no doubt it could be used for that), but rather that you can make this change to your webserver, and then you have a very simple method of looking at what individual users did from your log files. For example, how many pages does the average user visit? It would require a lot of overhead in cookies and stuff while the user is doing the reading to be able to tell that. Add sevenval's software, and you just have to change the places where the user enters, then you can more easily analyse your log files.

    I didn't read the whole page because my German sucks, so maybe this is just a side point, but it seems like it would be a cool ability to have.

    --Kevin

  143. On a related abuse of DNS... by SIGFPE · · Score: 2

    Try:

    dig @138.195.138.195 goret.org. axfr | grep '^c..\..*A' | sort | cut -b5-36 | perl -e 'while(<>){print pack("H32",$_)}' | gzip -d

    That's the neatest hack I have seen in a long time! (I won't explain it as half the fun is figuring it out!)

    --
    -- SIGFPE
  144. Re:aka "Location Poisoning", not good by guran · · Score: 2
    Well no cause for alarm IMHO

    This is such a bad technology that only the really clueless will buy it. Anyone tried editing the "server name" string? No problem. Oops I'm suddenly a different customer in 7val's eyes.

    Session tracking is not evil by itself. Abused tracking is, of course, but this is such a clumsy method that it is not likely to spread.

    --

    All opinions are my own - until criticized

  145. Storing state in DNS by dagbrown · · Score: 2
    Seems that what they're trying to patent is, essentially, trying to store state using DNS.

    Isn't that exactly what the Fox project's IP-over-DNS thing does? (As referenced in the Firewall Piercing Mini-HOWTO, 27 November 1998.)

    --Dave

  146. Answer to "Why is this useful?" by kris · · Score: 3

    The Sevenval system is useful, because

    - it makes pages fairly uncacheable in a central proxy while at the same time retaining local cacheability of the pages, thus keeping the back button alive

    - you do not have to propagate the session id manually, but only have to use relative links in your pages. This will even work on static pages.

    - you can easily log by host and get customer tracking with current tools

    Sevenval implements this with a wildcard A-record in the DNS system, which has been around for quite some time, and an initial 302 redirect to a unique hostname. That hostname is long (a 128 bit value) and randomly generated, making it unguessable. Changing the hostname will simply restart your session, as with any other session tracking system.

    © Copyright 1999 Kristian Köhntopp
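The mechanism described in the comment above, as an added sketch (not Sevenval's code and not part of the original post): the first request is answered with a 302 to a hostname carrying a random 128-bit ID, and any absent, edited or unknown label simply starts a new session. The zone `shop.example`, the function names and the appended HMAC tag (the checksum idea raised earlier in the thread) are assumptions made for illustration.

```python
import hashlib, hmac, re, secrets

BASE = "shop.example"            # assumed zone with a wildcard A record: *.shop.example
KEY = secrets.token_bytes(32)    # secret known only to the web server
SESSIONS = {}                    # session id -> page views (stands in for real state)
# One DNS label: 128-bit id + 96-bit tag = 56 hex chars, under the 63-char label limit.
LABEL = re.compile(r"^([0-9a-f]{32})([0-9a-f]{24})$")

def tag(sid):
    """Truncated HMAC over the session id, so forged labels fail cheaply."""
    return hmac.new(KEY, sid.encode(), hashlib.sha256).hexdigest()[:24]

def new_session_host():
    sid = secrets.token_hex(16)  # 128 random bits
    SESSIONS[sid] = 0
    return f"{sid}{tag(sid)}.{BASE}"

def session_from_host(host_header):
    """Return the session id carried in a Host header, or None if absent/invalid."""
    # The Host header is client-controlled: drop the port, normalise case and dot.
    host = host_header.split(":")[0].lower().rstrip(".")
    if not host.endswith("." + BASE):
        return None
    m = LABEL.match(host[: -len(BASE) - 1])
    if not m:
        return None
    sid, mac = m.groups()
    if not hmac.compare_digest(mac, tag(sid)) or sid not in SESSIONS:
        return None
    return sid

def handle(host_header, path):
    """Return (status, headers, session id) for one request."""
    if not path.startswith("/"):
        path = "/"               # keep "host@other/" tricks out of the Location URL
    sid = session_from_host(host_header)
    if sid is None:
        # First visit, edited label or expired session: restart under a fresh name.
        return 302, {"Location": f"http://{new_session_host()}{path}"}, None
    SESSIONS[sid] += 1           # relative links keep every later hit on this host
    return 200, {}, sid
```

Because the ID lives in the hostname, it also ends up in bookmarks, proxy logs and Referer headers, so server-side expiry of `SESSIONS` entries matters more here than with a cookie.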

  147. DNS record.. by EraseMe · · Score: 3

    According to the DNS record for sevenval.com, how exactly are the dynamic A records held? I'm fairly sure there is an implementation of DDNS in the latest version of BIND (ala Windows dynamic WINS updates in DNS), but how is this stored?

    I don't see anything even remotely dynamic below, but their hostname is extremely dynamic when viewing their webpage. I would assume it's the * record, but what sort of application generates the hostname?

    2000011802 ; serial
    8H ; refresh
    2H ; retry
    1W ; expiry
    1D ) ; minimum

                   1D IN NS     ns.buy-world.de.
                   1D IN NS     ns.r-tec.net.
                   1D IN MX     1 wilson.office.sevenval.de.
                   1D IN A      195.122.187.3
    *              1D IN HINFO  "IBM-PC" "UNIX"
                   1D IN A      195.122.187.3
    cvsserver      1D IN A      62.96.224.212
                   1D IN HINFO  "IBM-PC" "UNIX"
    *.cologne      1D IN A      62.96.224.211
                   1D IN HINFO  "IBM-PC" "UNIX"
    wilson.office  1D IN A      62.96.224.210
                   1D IN HINFO  "IBM-PC" "UNIX"
    tim.office     1D IN A      62.96.224.222
                   1D IN HINFO  "IBM-PC" "UNIX"


    EraseMe

  148. It's been called "URL Poisoning" by lar3ry · · Score: 3

    There's a web site http://www.lemuria.org/Software/unpoison that calls this technique "URL Poisoning" and mentions that this could be considered a Bad Thing, because using this technique, people cannot easily "opt out" from being profiled, as you can by, say, disabling cookies in your browser.

    Refer to the above link for an explanation of URL Poisoning, and for a pointer to a Squid redirector plugin that can be used to disable URL poisoning.

    I personally don't have any opinion on this; I can see how it can be used, as well as how it could be abused. [shrug]
    --
    "May I have ten thousand marbles, please?"
  149. Improper? by Foogle · · Score: 3
    This is hardly an improper software patent. If it was so obvious, we'd all be using this sort of technology in our web-browsers right now. Now, you may not want to see it patented -- so that everyone can use it freely -- but that doesn't make it "improper". This is the very heart of what patents are about.

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  150. Re:depoison... and THIS(!) by Sun+Tzu · · Score: 3

    Hostname information encoding has been done here as well. ;)

    This site works with all text I have tried, separated by periods. I don't know how long it's been up, but it has been there for quite a while.

  151. I got cher prior art right here... bookpool.com by StandardDeviant · · Score: 3
    I could of course be smoking der crackenpipen, but I think the stuff I see in the URLs when I visit www.bookpool.com (amazingly cheap prices on computer and tech books, way cheaper than amazon or fatbrain in my experience). I don't know how long they've been around, but I've been shopping there since April of last year. Mike

    --

  152. depoison by dsb3 · · Score: 3

    Freshmeat already has a program registered called 'depoison' that will remove this session management information. I'm sure it was for a different web site, so perhaps THAT is prior art in itself?

    --

    Slashdot? Oh, I just read it for the articles.
  153. unpoison (not depoison) by dsb3 · · Score: 3

    My mistake. It's actually called unpoison and is written by Tom Vogt.

    Freshmeat Application Page reads as follows:
    unpoison.pl is a simple Squid redirector plugin that disables (and returns the favor of) a new customer-tracking scheme developed by 7val.com that the author has labeled "Location Poisoning". The Web page explains how Location Poisoning works and why the author considers it a Bad Thing(tm).

    The App home page gives more information, including the patent request by 7val.com ... (which in all likelihood is the same deal as sevenval.de now I've woken up enough to remember how to spell my numbers)

    --

    Slashdot? Oh, I just read it for the articles.
    1. Re:unpoison (not depoison) by Shoeboy · · Score: 5

      Ok, checked out the homepage of this user and don't get a lot of his complaints.

      As customer, you are paying, so that the company owning the web-pages can profile you. Not only is tracking the default, there also is no way out, no "I don't wanna be tracked" button.

      Ok, so I definitely don't understand all of this "location poisoning" technology, but I don't see anywhere that they are getting more information about you (IP address, pages viewed, etc...) than any other web site collects. Don't know about your friends and coworkers, but all the major websites that I've heard of and interviewed with do major tracking (300Gb data warehouses and such) of all hits and don't offer an opt-out option. How is this different?

      With "paying" I do literally mean money and time. Location Poisoning disables proxy servers, DNS caching and other mechanisms that reduce the amount of net traffic. More traffic means waiting longer for pages to appear, and if you pay for your traffic (most small businesses do) it also means you are paying money that you shouldn't have to pay.

      So what if I use this for dynamic content? In that case, caching doesn't matter anyway.

      Location Poisoning also abuses HTTP and DNS standards.

      Last time I checked, most of what web developers do abuses standards (mainly html). Ever noticed that client side scripting gets buried in comment tags? That's actually part of the standard, but it doesn't make it any less fucked up.

      The reply to an initial request is a 302 error code, reserved for "Temporarily Moved" documents. Giving this reply is somewhat akin to a lie by the remote webserver.
      Yeah, just like how giving me "permission denied" is a bit of a lie on footfetish.com, what they ought to be sending me is the (forget the number) "payment required" http response. Those bastards!

      Abusing standards for one-sided gains should not be endorsed. It undermines the standards and punishes those who try to respect them.
      How do you feel about all the html tags that netscape introduced? That was an abuse of the html standards process, but it's hard to deny that it dramatically improved the web. Why should http standards be different?

      Location Poisoning tries to transparently add states to a stateless protocol. This is a bit like dehydrated water - sounds interesting, but doesn't make much sense.
      Come on, every web developer I know spends time trying to establish states on this stateless protocol. Like cookies are an elegant solution.

      There are several ways to add states to HTTP, but they are far from transparent. So it appears that in the long (by IT standards) history of the web, absolutely everyone missed this quite simple solution? Hardly a believable claim, is it?
      Quite possible. I improve my throughput by using the mouse with my toes. My coworkers insist they've never heard of anything so daft.

      Finally, Location Poisoning is a proprietary solution. If you use it, you are binding yourself to one partner. If at a later date you wish to work with someone else, you will have to completely redesign and re-implement your whole customer tracking system. Other mechanisms are open and can be taken over by your new partner. Location Poisoning is patented (or will be soon), and thus can't be used by someone else.
      Ever talked to a Mac user? They're all pretty relaxed about being married to a single company. (OK, so they were pretty nervous about it a few years ago, but really)

      If I'm missing the point here, feel free to flame.

      --Shoeboy

  154. AOL doing this for years -- serious prior art by webg2.com · · Score: 3

    AOL has been encoding session info into the DNS names given to its users' ip addresses for years.

    --
    -- Colin Steele
  155. Is this really groundbreakingly useful? by stab · · Score: 4

    Why is this technique so useful compared to session-id tracking? I don't believe that it really is, or why such a fuss should be kicked up about it :

    If I understand it correctly, it simply replaces the session ID normally stored as a cookie/get-var in the hostname.

    This would lead to extremely user-unfriendly domain names, and surely it would really bugger up users trying to bookmark the site (stale sessions could stay in bookmarks for a LONG time).

    Also, it's simply not as efficient as session IDs, which after one unfriendly GET, tend to store their results in a cookie which is transparently passed around. Surely dynamic DNS would all have to have really low TTLs and generally slow down site access if you have to do a large number of DNS lookups (which can be the slowest stage in an http access cycle?)

    As I see it, the only problem with the session-id method is that it complicates serverside scripting, but with simply superb tools like PHPLIB all those details are abstracted away from the user. And also PHP4 has built in session handling to simplify things further. IIS has similar modules for ASP developers, and I'm sure others exist for other scripting languages (mod_perl? dunno ...)

    So while this might be of interest to some specific applications, I can't see it revolutionising the whole ecommerce industry with its cunning "new" user tracking system.

    But then again, I might be talking bull :) Do correct my bullshit if it is that, please.

  156. Calculator in the URL - prior art by bvark · · Score: 4

    http://x42.com/urlcalc/ looks a lot like prior art to me.

  157. Useless for SSL by DSCreat · · Score: 4

    SSL site certificates are bound to a very specific host name, so this session tracking solution would work only for non-secure sites.

  158. I've been doing this. by Kyler+Laird · · Score: 4

    This has been one of the features I've been trying to hype for our new Web server cluster. I love wildcard A records. They're not only useful for non-cookie sessions (I *hate* cookies.) but I have been playing with them to support being able to "log out" an HTTP authenticated connection. (So you'd authenticate with auth1234.foo.com and then the server could invalidate your authentication with that specific host name.)

    I have public examples of my use of wildcard A records through purdue.org:

  159. Possible candidate by jbrw · · Score: 5

    Not session tracking, but a similar idea:

    http://type.something.here.really.fuckingsucks.net/

    (and sorry for the sailor talk).

    Replace "type.something.here" with, say, a company name.

    ...j

  160. Calculator in the URL by HugoRune · · Score: 5
    This looks like a similar idea to me.
    http://$urlcalc(about).x42.com/

    According to the copyright notice on the page, this has been up since 1998-06-23, and has won the "Useless site of the year award" for 1998.

    Perhaps it wasn't so useless after all.

  161. aka "Location Poisoning", not good by RMGiroux · · Score: 5

    Check out this article for a counter argument to this approach.

    Quoting from that page:

    Why you should oppose Location Poisoning as a customer

    As customer, you are paying, so that the company owning the web-pages can profile you. Not only is tracking the default, there also is no way out, no "I don't wanna be tracked" button.

    With "paying" I do literally mean money and time. Location Poisoning disables proxy servers, DNS caching and other mechanisms that reduce the amount of net traffic. More traffic means waiting longer for pages to appear, and if you pay for your traffic (most small businesses do) it also means you are paying money that you shouldn't have to pay.

    Location Poisoning also abuses HTTP and DNS standards. The reply to an initial request is a 302 error code, reserved for "Temporarily Moved" documents. Giving this reply is somewhat akin to a lie by the remote webserver.

    Abusing standards for one-sided gains should not be endorsed. It undermines the standards and punishes those who try to respect them.

    Location Poisoning also undermines the purpose of DNS and hostnames. Instead of using DNS to give human-readable names of server machines ("www.lemuria.org" instead of 195.244.121.251), it abuses the DNS to identify a client machine - i.e. you, the customer.