
Re: Introducing a Session header...

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Fri, 20 Jul 2012 20:34:13 +0000
To: Phillip Hallam-Baker <hallam@gmail.com>
cc: James M Snell <jasnell@gmail.com>, Roberto Peon <grmocg@gmail.com>, Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>, Philippe Mougin <pmougin@acm.org>
Message-ID: <24231.1342816453@critter.freebsd.dk>
In message <CAMm+LwgSjS3aEe-e0hyjFAKUbg5ibje1+DKi_75AoYnMZmtJMg@mail.gmail.com>, Phillip Hallam-Baker writes:

>Not so long ago it was fairly unusual for someone to have more than
>one machine in daily use. Today it is absolutely routine. So  that
>makes client selected state identifiers rather less useful than server
>side [...]

What I'd like to see, as the end result, is that by default my
browsers will invent a new anonymous session-id for every site I
go to.

On sites I want to come back to, or want to customize my view or
whatever, I check a checkbox on my browsers saying "keep session",
which will make the browser always reuse the same session-id for
that site.

Obviously, my different browsers will use different session-ids for
the same site; they are random by nature, but if I want it, they
will get stable session-ids from all my browsers, and can
tie those session-ids to whatever "account" they have on me.

If they are smart enough to move the customization settings back
to the server, instead of dumping them in cookies in my browser,
they will then be able to offer me a consistent view across
all my browsers.

Should I one day log into the site from an anonymous PC at
the library, I will have to authenticate before the site
recognizes me.

The library's PC will always send anonymous session-IDs (the
checkbox should be removed on shared browsers by the sysadmin), and
the server will know not to associate them with my account.

The server can still use the server-side settings to offer me my
usual view of the site, but now without polluting the library's
browser with cookies that will make the next user who goes
to the same site look like me.

For a lot of the "Hello Samuel B. Kennedy" sort of customized
web-pages, this would be all they ever need, and will work
better for them than cookies ever did.

And these session-ids are _not_ authenticators, they are merely
identifiers.  The site should use whatever authentication it
deems necessary for the traffic it offers.


-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Friday, 20 July 2012 20:34:36 GMT
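The behaviour sketched in the mail above, modelled as an added example (not code from the HTTP WG, from Poul-Henning Kamp, or from any browser): a client side that sends a fresh random id per visit unless "keep session" is ticked (and cannot tick it on a shared machine), and a server side that treats the id as an identifier only, linking it to an account solely after explicit authentication and keeping settings server-side. The class and method names, the `secrets.token_urlsafe` id format and the sample account are this example's own assumptions.

```python
import secrets


class Browser:
    """Client side: one fresh anonymous id per visit unless "keep session" is ticked."""

    def __init__(self, shared=False):
        self.shared = shared      # sysadmin removed the checkbox on a shared PC
        self.keep = set()         # sites for which the user ticked "keep session"
        self.stable = {}          # site -> stable session-id reused across visits

    def keep_session(self, site):
        """Tick the checkbox; refused on a shared browser. Returns True if ticked."""
        if self.shared:
            return False
        self.keep.add(site)
        return True

    def begin_visit(self, site):
        """Session-id sent for a new visit to `site`."""
        if site in self.keep:
            return self.stable.setdefault(site, secrets.token_urlsafe(16))
        return secrets.token_urlsafe(16)   # anonymous: random and never reused


class Site:
    """Server side: the session-id is an identifier, never an authenticator."""

    def __init__(self, accounts):
        self.accounts = accounts  # constructed sample data: user -> password
        self.settings = {}        # user -> settings kept on the server, not in cookies
        self.linked = {}          # session-id -> user, set only after explicit auth

    def login(self, sid, user, password):
        """Only a successful authentication ties a session-id to an account."""
        if self.accounts.get(user) != password:
            return False
        self.linked[sid] = user
        return True

    def set_setting(self, sid, key, value):
        user = self.linked[sid]   # KeyError for an unlinked id: nothing to customize
        self.settings.setdefault(user, {})[key] = value

    def page(self, sid):
        """An unknown id is simply anonymous; the server never guesses who it is."""
        user = self.linked.get(sid)
        if user is None:
            return "Hello, anonymous visitor"
        theme = self.settings.get(user, {}).get("theme", "default")
        return f"Hello {user} ({theme} theme)"
```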
