
Re: Introducing a Session header...

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Thu, 19 Jul 2012 22:36:13 +0000
To: Willy Tarreau <w@1wt.eu>
cc: Philippe Mougin <pmougin@acm.org>, HTTP Working Group <ietf-http-wg@w3.org>, James Snell <jasnell@gmail.com>
Message-ID: <19658.1342737373@critter.freebsd.dk>
In message <20120719213630.GA20313@1wt.eu>, Willy Tarreau writes:
>On Thu, Jul 19, 2012 at 08:48:01PM +0000, Poul-Henning Kamp wrote:

>I think it would be terribly useful to have a session container in which
>we can store one or more session identifiers and that load balancers and
>servers can easily access and manipulate.

At this point I would like to defer to card-carrying cryptographers,
because while I think nobody but the client should be allowed to
define/change the session identifier, in order to shut out spoofing
of it, I don't trust my own analysis of this question to be definitive.

I do think it would be terribly useful if the session-id was client
originated and contained an anon/specific-authenticated-user bit,
because that would warn the server about public PCs etc.  So even
if we don't do the session-id, I think I would advocate that bit
on its own.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Thursday, 19 July 2012 22:36:35 GMT
