Introducing a Session header...

From: James M Snell <jasnell@gmail.com>
Date: Tue, 17 Jul 2012 15:48:05 -0700
Message-ID: <CABP7Rbf6n1=qSME75KY4TkLWK-pWeMTscsXzk2tx8u3omB1HJA@mail.gmail.com>
To: ietf-http-wg@w3.org

In several of the ongoing discussions there has been mention of the need
for a Session header to replace the use of Cookies for basic session
management. For HTTP/2.0, this seems like a straightforward and smart
thing to do. To start it off, let's define a new header whose value is a
variable length token.

Within HTTP/1.1, it would be something like "Session:
some-random-string-of-letters"

If we go with the current SPDY header structure, the header name should be
something like ":session".

If we ended up using the binary encoded headers I've suggested, the session
could be encoded as:
  [0, 10, 1, 0, 29, 's', 'o', 'm', 'e', ... ]

The semantics would be simple: the Session header can be set by the Client
or Server and communicates the Session identifier for the Stream. Each
Stream can have exactly one Session identifier. The current Session
identifier in a stream can be changed by sending a new Session header. To
resume a session, the Session header would be added to the SYN_STREAM.

Obviously this does nothing to address the security issues but it, at the
very least, should help us to reduce the reliance on cookies.

- James
Received on Tuesday, 17 July 2012 22:48:53 GMT
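
The semantics described in the message above, modelled as an added example that is not part of the original post or of any HTTP/2.0 draft: one Session identifier per stream, replaced when a new Session header arrives, and resumed by sending the header on SYN_STREAM. The class and method names are hypothetical, and the token character set is an assumption, since the post only says "variable length token".

```python
import re

# Assumption: the "variable length token" uses HTTP token characters.
TOKEN = re.compile(r"[A-Za-z0-9!#$%&'*+.^_`|~-]+")
NAMES = ("session", ":session")  # HTTP/1.1 and SPDY-style spellings from the post


class StreamSessions:
    """Hypothetical tracker: one Session identifier per stream."""

    def __init__(self):
        self._by_stream = {}  # stream id -> current identifier, or None

    def open_stream(self, stream_id, headers):
        """SYN_STREAM: a Session header here resumes that session."""
        if stream_id in self._by_stream:
            raise ValueError("stream already open")
        self._by_stream[stream_id] = None
        return self.on_headers(stream_id, headers)

    def on_headers(self, stream_id, headers):
        """Header block from client or server; a new Session header replaces the old."""
        if stream_id not in self._by_stream:
            raise KeyError(stream_id)
        values = [v.strip() for k, v in headers if k.lower() in NAMES]
        if len(values) > 1:
            raise ValueError("more than one Session header in a block")
        if values:
            # Rejects CR/LF, spaces and separators, so a value cannot smuggle a header.
            if not TOKEN.fullmatch(values[0]):
                raise ValueError("Session value is not a token")
            self._by_stream[stream_id] = values[0]
        return self._by_stream[stream_id]

    def streams_for(self, session_id):
        """Streams currently bound to the given identifier."""
        return sorted(s for s, v in self._by_stream.items() if v == session_id)


if __name__ == "__main__":
    conn = StreamSessions()
    conn.open_stream(1, [("Host", "example.test")])        # no session yet
    conn.on_headers(1, [("Session", "constructed-token")])  # server sets it
    conn.open_stream(3, [(":session", "constructed-token")])  # client resumes
    print(conn.streams_for("constructed-token"))
```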