- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Tue, 14 Aug 2018 12:07:21 +0000
- To: Mike West <mkwst@google.com>
- cc: HTTP Working Group <ietf-http-wg@w3.org>
In message <CAKXHy=d6EaSO-SKRTEVDWfBcgf_FoFBj2gN4xmrR5q79yxSpXw@mail.gmail.com>, Mike West writes:

>https://github.com/mikewest/http-state-tokens suggests that we should
>introduce a client-controlled, origin-bound, HTTPS-only session identifier
>for network-level state management. And eventually deprecate cookies.

Well, pretty much exactly what I proposed early in the HTTP/2 cycle, so I'm all for it.

I would dedicate the top bit of the session-id, still under client control, to tell the server if this should be considered an ephemeral or persistent session, to make it easier for the server to garbage collect state.

If the top bit is zero, this session is ephemeral and when the browser leaves, the session ceases to exist. UX wise this would typically be browsing in "private mode" or if "do not track" is set.

If the top bit is one, the user allows this session to be persistent across visits to the site, aka enabling "Leave me logged in" etc.

Poul-Henning

PS: 64 bits is not enough for everybody, in particular not when they are randomly generated by less than perfect implementations. Make them 128 bit from the start.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Received on Tuesday, 14 August 2018 12:08:06 UTC
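The scheme sketched in the message above, as an added example that is not part of the original post or of the http-state-tokens proposal: the client draws a 128-bit session id from a CSPRNG and sets the top bit only for a persistent session, and a server-side store reads that bit to decide which sessions to garbage collect when the browsing session ends. The `SessionStore` class and the hex encoding for transport are assumptions made for this example.

```python
import secrets

TOKEN_BITS = 128                      # 128 bits, not 64, as the PS argues
TOP_BIT = 1 << (TOKEN_BITS - 1)       # reserved: 1 = persistent, 0 = ephemeral
RANDOM_MASK = TOP_BIT - 1             # the remaining 127 bits are random


def new_session_id(persistent: bool) -> bytes:
    """Client side: fresh CSPRNG value; top bit reflects the user's choice.

    Only 127 bits are unpredictable because one bit carries policy, which is
    still far beyond what a 64-bit id would offer."""
    value = secrets.randbits(TOKEN_BITS) & RANDOM_MASK
    if persistent:
        value |= TOP_BIT
    return value.to_bytes(TOKEN_BITS // 8, "big")


def encode_for_header(session_id: bytes) -> str:
    """Assumed wire form for this example: lowercase hex in a header value."""
    return session_id.hex()


def decode_from_header(value: str) -> bytes:
    """Server side: reject anything that is not exactly 128 bits of hex."""
    session_id = bytes.fromhex(value)
    if len(session_id) != TOKEN_BITS // 8:
        raise ValueError("session id must be exactly 128 bits")
    return session_id


def is_persistent(session_id: bytes) -> bool:
    """Top bit of the first (big-endian) byte is the persistence flag."""
    return bool(session_id[0] & 0x80)


class SessionStore:
    """Server-side state keyed by client-chosen session id (assumed helper)."""

    def __init__(self) -> None:
        self._state: dict[bytes, object] = {}

    def put(self, session_id: bytes, data: object) -> None:
        self._state[session_id] = data

    def get(self, session_id: bytes):
        return self._state.get(session_id)

    def gc_ephemeral(self) -> int:
        """Drop every session whose top bit is zero; return how many went."""
        doomed = [sid for sid in self._state if not is_persistent(sid)]
        for sid in doomed:
            del self._state[sid]
        return len(doomed)
```

With the flag in the id itself, the server needs no per-session metadata to know what it may discard; it just inspects one bit of the key.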