
websites/privacy-sensitive-analytics#16: Give session IDs a max life-time

Issue Information

Issue Type: issue
Status: closed
Reported By: btasker
Assigned To: btasker

Milestone: v0.4
Created: 05-Apr-22 10:14


Currently, if session IDs are enabled, we rotate them based on random chance:

    // Every so often, we want to rotate the session ID to mitigate its impact
    var n = randomInteger(1, 10);

    var k = window.location.hostname + "_sess-id";
    var i = sessionStorage.getItem(k);

    // If there's no item in storage, or if we've decided to rotate
    if (!i || n == 5){
        i = createUUID();

In theory it should rotate, on average, every 1:10 requests. However, it's equally possible (but unlikely) for it to remain the same for hundreds of requests.

As we're storing stuff in sessionStorage anyway, we should add a counter - if the ID has been used n times then we should force a rotation.

The random rotation should also be kept, as it helps prevent correlation between requests.



assigned to @btasker


mentioned in commit a7cd833843e83414da19317ba4ff4717f238d728

Commit: a7cd833843e83414da19317ba4ff4717f238d728
Author: B Tasker
Date: 2022-04-05T12:03:54.000+01:00


Add a counter and rotate sessionID if it's been used too many times websites/privacy-sensitive-analytics#16

Using the default setting, a sessionID will be used at most 3 times, before being rotated.

The random chance of rotating is retained (although the odds should perhaps be increased)

+18 -3 (21 lines changed)

This is implemented - the default used means that a session ID will be used, at most, 3 times before rotating.

The random rotation is kept, but might want to look at whether the odds should be adjusted - if we're rotating every 3 requests then a 1:10 chance of rotating probably doesn't add much uncertainty.

I'll raise a separate ticket for that though, as it feels an important enough change to warrant documenting separately.
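
A sketch of the rotation logic this issue discusses (a use counter that forces rotation, alongside the existing random chance), added here as an example and not taken from the project's commit. The names `getSessionId`, `memoryStorage`, `maxUses`, `rotateOdds`, `roll`, `newId` and the `_sess-uses` key are assumptions; `roll` and `newId` stand in for the project's `randomInteger` and `createUUID`.

```javascript
// Added example, not the project's code. In a browser, pass window.sessionStorage
// and window.location.hostname; memoryStorage() is a stand-in for other environments.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Assumed ID generator: Web Crypto where available, otherwise a random string.
const defaultId = () =>
  globalThis.crypto && typeof globalThis.crypto.randomUUID === "function"
    ? globalThis.crypto.randomUUID()
    : Math.random().toString(36).slice(2) + Math.random().toString(36).slice(2);

function getSessionId(storage, hostname, opts = {}) {
  const maxUses = opts.maxUses ?? 3;        // the default described in the commit
  const rotateOdds = opts.rotateOdds ?? 10; // 1-in-10 chance, as in the issue
  const roll = opts.roll ?? (() => 1 + Math.floor(Math.random() * rotateOdds));
  const newId = opts.newId ?? defaultId;

  const idKey = hostname + "_sess-id";
  const usesKey = hostname + "_sess-uses";  // assumed key name for the counter

  let id = storage.getItem(idKey);
  let uses = parseInt(storage.getItem(usesKey), 10);
  // A missing or corrupted counter is treated as exhausted, so the ID rotates
  // rather than living on with an unknown number of uses.
  if (!Number.isInteger(uses) || uses < 0) uses = maxUses;

  // Rotate when there is no ID, the cap is reached, or the random roll says so.
  if (!id || uses >= maxUses || roll() === 1) {
    id = newId();
    uses = 0;
    storage.setItem(idKey, id);
  }
  storage.setItem(usesKey, uses + 1);       // count this use
  return id;
}
```

With the cap in place, the random roll only ever shortens an ID's life; the longest possible run of one ID is `maxUses` requests.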

mentioned in issue #17

marked this issue as related to #17

changed title from "Give session ID's a max life-time" to "Give session IDs a max life-time"