- From: Willy Tarreau <w@1wt.eu>
- Date: Sat, 13 Jul 2013 21:12:02 +0200
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Sam Pullara <spullara@gmail.com>, Mark Nottingham <mnot@mnot.net>, James M Snell <jasnell@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
On Sat, Jul 13, 2013 at 06:43:20PM +0000, Poul-Henning Kamp wrote:
> In message <20130713173222.GM32054@1wt.eu>, Willy Tarreau writes:
> >On Sat, Jul 13, 2013 at 09:49:42AM -0700, Sam Pullara wrote:
>
> >I'm sorry, but cookies are *not* evil.
>
> Cookies are not evil, but they cause problems which HTTP/2.0 does not
> need to cause.
>
> "Automatic EU Cookie directive compliance" would be a really great
> selling point.
>
> >We could possibly support very short cookies (eg: 16 bit). That should be
> >enough for most large deployments, and clearly not enough to track users.
>
> I think it is smarter to both solve the cookie and session problems with
> a single field.

No problem but we really need the server side to be able to adjust part
of this field. If we have a 128-bit session ID whose 16 first bits are
preset to zero by the client and may be changed by the server, we can
most likely replace the existing cookie system (it will also permit
servers to handle some of the duplicates that clients would inevitably
cause).

Willy

Received on Saturday, 13 July 2013 19:14:00 UTC
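
The field layout proposed in this message, as an added sketch that is not code from the thread or from any HTTP/2.0 draft: the client picks 112 random bits and leaves the leading 16 at zero, the server fills those 16 bits to separate clients that sent the same value, and the client confirms that nothing beyond those 16 bits was changed. The function names, the use of tag 0 to mean "not yet assigned", the sequential tag choice and the client-side check are assumptions made for illustration.

```python
import secrets

ID_BITS = 128
SERVER_BITS = 16                       # leading bits the server may rewrite
CLIENT_BITS = ID_BITS - SERVER_BITS    # 112 bits chosen by the client
CLIENT_MASK = (1 << CLIENT_BITS) - 1


def client_new_id():
    """Client side: random 112-bit value, leading 16 bits preset to zero."""
    return secrets.randbits(CLIENT_BITS).to_bytes(ID_BITS // 8, "big")


def split(session_id):
    """Return (server_tag, client_part) as integers."""
    if len(session_id) != ID_BITS // 8:
        raise ValueError("session ID must be exactly 128 bits")
    n = int.from_bytes(session_id, "big")
    return n >> CLIENT_BITS, n & CLIENT_MASK


def server_assign(session_id, in_use):
    """Server side: fill in the 16-bit field of a fresh client ID.

    Picks the lowest tag that keeps the full 128-bit value unique, so two
    clients that generated the same 112 bits still get distinct sessions.
    Tag 0 is reserved (assumption) to mean "not yet assigned".
    """
    tag, client_part = split(session_id)
    if tag != 0:
        raise ValueError("client must preset the server field to zero")
    for tag in range(1, 1 << SERVER_BITS):
        candidate = ((tag << CLIENT_BITS) | client_part).to_bytes(16, "big")
        if candidate not in in_use:
            in_use.add(candidate)
            return candidate
    raise RuntimeError("all 16-bit tags are taken for this client value")


def client_accepts(sent, returned):
    """Client side: the server may only have touched the leading 16 bits."""
    return split(sent)[1] == split(returned)[1]
```

The check in `client_accepts` is what keeps the server-controlled part of the identifier at 16 bits, the size the quoted text describes as clearly not enough to track users.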