11.2.2. Tracking Using Request Object URI
Even if the protected resource does not include personally identifiable information, it is sometimes possible to identify the user through the Request Object URI if persistent, static, per-user Request Object URIs are used. A third party may observe such a URI (through browser history, for example) and use it to correlate the user's activity. In effect, this is a data disclosure as well and should be avoided.
Therefore, per-user persistent Request Object URIs should be avoided. Single-use Request Object URIs are one alternative.
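The following added example (not part of this specification) contrasts the two schemes described above. A static per-user URI repeats across requests and so lets an observer link them by the URI alone; the `RequestObjectStore` instead issues a random, short-lived, single-use `request_uri` that is consumed on first lookup. The `urn:ietf:params:oauth:request_uri:` prefix is the form defined for pushed authorization requests (RFC 9126); the store, its lifetime, the `client.example.com` path and all helper names are assumptions made for this illustration.

```python
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

# Prefix used for request_uri values minted by a pushed authorization
# request endpoint (RFC 9126). Everything else here is constructed for the
# example and is not defined by RFC 9101.
URI_PREFIX = "urn:ietf:params:oauth:request_uri:"
DEFAULT_LIFETIME = 60  # seconds; a short lifetime also limits replay


def static_per_user_uri(user_id: str) -> str:
    """The scheme to avoid: a persistent URI derived from the user (assumed host)."""
    return f"https://client.example.com/requests/{user_id}"


class RequestObjectStore:
    """Authorization-server side store issuing single-use Request Object URIs."""

    def __init__(self, lifetime: int = DEFAULT_LIFETIME,
                 now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._lifetime = lifetime
        # request_uri -> (Request Object JWT, absolute expiry time)
        self._entries: Dict[str, Tuple[str, float]] = {}

    def register(self, request_jwt: str) -> str:
        # 32 random bytes (~256 bits) make the URI unguessable and carry no
        # user-derived component, so two URIs for the same user are unrelated.
        uri = URI_PREFIX + secrets.token_urlsafe(32)
        self._entries[uri] = (request_jwt, self._now() + self._lifetime)
        return uri

    def consume(self, uri: str) -> Optional[str]:
        """Return the Request Object exactly once; any later lookup fails."""
        entry = self._entries.pop(uri, None)  # pop => single use
        if entry is None:
            return None
        request_jwt, expires_at = entry
        if self._now() > expires_at:  # expired entries are discarded, not served
            return None
        return request_jwt


def linkable_by_uri(observed_uris: List[str]) -> bool:
    """Can an observer tie two requests to one principal using only the URIs?

    With no other information, that is possible only if a URI repeats.
    """
    return len(set(observed_uris)) < len(observed_uris)


if __name__ == "__main__":
    # Constructed scenario: the same user starts two authorization requests.
    static = [static_per_user_uri("alice"), static_per_user_uri("alice")]
    print("static per-user URIs linkable:", linkable_by_uri(static))  # True

    store = RequestObjectStore()
    single_use = [store.register("<request-jwt-1>"), store.register("<request-jwt-2>")]
    print("single-use URIs linkable:", linkable_by_uri(single_use))  # False
    print("first use:", store.consume(single_use[0]) is not None)     # True
    print("second use:", store.consume(single_use[0]) is not None)    # False
```

Note that single use alone is not enough if the random part is short or predictable; the URI must be unguessable as well, otherwise it again becomes a handle an observer can relate to a particular request.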