- From: James M Snell <jasnell@gmail.com>
- Date: Tue, 17 Jul 2012 15:48:05 -0700
- To: ietf-http-wg@w3.org
- Message-ID: <CABP7Rbf6n1=qSME75KY4TkLWK-pWeMTscsXzk2tx8u3omB1HJA@mail.gmail.com>
In several of the ongoing discussions there has been mention of the need for a Session header to replace the use of Cookies for basic session management. For HTTP/2.0, this seems like a straightforward and smart thing to do.

To start it off, let's define a new header whose value is a variable length token. Within HTTP/1.1, it would be something like "Session: some-random-string-of-letters". If we go with the current SPDY header structure, the header name should be something like ":session". If we ended up using the binary encoded headers I've suggested, the session could be encoded as:

[0, 10, 1, 0, 29, 's', 'o', 'm', 'e', ... ]

The semantics would be simple: the Session header can be set by the Client or Server and communicates the Session identifier for the Stream. Each Stream can have exactly one Session identifier. The current Session identifier in a stream can be changed by sending a new Session header. To resume a session, the Session header would be added to the SYN_STREAM.

Obviously this does nothing to address the security issues but it, at the very least, should help us to reduce the reliance on cookies.

- James

Received on Tuesday, 17 July 2012 22:48:53 UTC