Re: Introducing a Session header...

From: David Morris <dwm@xpasc.com>
Date: Thu, 19 Jul 2012 15:33:20 -0700 (PDT)
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <alpine.LRH.2.01.1207191524030.19187@egate.xpasc.com>


On Thu, 19 Jul 2012, Willy Tarreau wrote:

> 
> I would go further, because after some thinking I don't agree with
> the requirement of *a* session header. The web is so stateful nowadays
> that multiple layers generally need their own session information.
> 
> Requests coming from clients to servers sometimes flow across multiple
> places and a single session identifier is not always enough, sometimes
> a few ones need to be provided.
> 
> I think it would be terribly useful to have a session container in which
> we can store one or more session identifiers and that load balancers and
> servers can easily access and manipulate.

It is also critical that any session header concept address the scope of 
applicability of a session identifier so that the user agent can
accurately and efficiently determine whether a particular session
applies to each request. There is a lot of experience embodied in
our group history re. cookies and authentication, expiration, etc.

I see no reason for a browser generated session id independent of a
server's desire to receive one. And getting the related issues
like scope and expiration solved in a secure way would still seem
to require properties controlled by the server and not the client.

Dave Morris
Received on Thursday, 19 July 2012 22:33:49 GMT