- From: David Morris <dwm@xpasc.com>
- Date: Thu, 19 Jul 2012 15:33:20 -0700 (PDT)
- To: HTTP Working Group <ietf-http-wg@w3.org>
On Thu, 19 Jul 2012, Willy Tarreau wrote:

> I would go further, because after some thinking I don't agree with
> the requirement of *a* session header. The web is so stateful nowadays
> that multiple layers generally need their own session information.
>
> Requests coming from clients to servers sometimes flow across multiple
> places and a single session identifier is not always enough, sometimes
> a few ones need to be provided.
>
> I think it would be terribly useful to have a session container in which
> we can store one or more session identifiers and that load balancers and
> servers can easily access and manipulate.

It is also critical that any session header concept address the scope of applicability of a session identifier so that the user agent can accurately and efficiently determine whether a particular session applies to each request. There is a lot of experience embodied in our group history re. cookies and authentication, expiration, etc.

I see no reason for a browser generated session id independent of a server's desire to receive one. And getting the related issues like scope and expiration solved in a secure way would still seem to require properties controlled by the server and not the client.

Dave Morris
Received on Thursday, 19 July 2012 22:33:49 UTC