W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

Re: Introducing a Session header...

From: Ross Nicoll <jrn@jrn.me.uk>
Date: Fri, 20 Jul 2012 13:45:50 +0100
Message-ID: <500952FE.1020402@jrn.me.uk>
To: ietf-http-wg@w3.org
On 20/07/2012 13:35, Poul-Henning Kamp wrote:
> In message <8d6b6668433e8aa7c67601ab9b0f485d.squirrel@arekh.dyndns.org>, "Nicol
> as Mailhot" writes:
>
>> The problem if you do it this way is that:
>> 3. the user agent has no information if it should share the id with
>> another site or not
> Ohh, that's the disconnect:  It should _never_ share the session-id
> with any other site, that's sort of the entire point.
We rather do want sites to share session IDs, actually, so we can do 
easy single-sign-on. At the moment we fairly much only do this within a 
domain, but in the future we might see something like Project Moonshot ( 
http://www.project-moonshot.org/ ) providing single-sign-on for all UK 
academic institutions (this is really useful for cases such as external 
examiners being able to access resources in institutions not their own, 
for example). Of course, we do also want to control how session IDs are 
shared (I don't think it's something I'd want my bank doing!)
Received on Friday, 20 July 2012 12:46:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 20 July 2012 12:46:25 GMT