Re: Some half-baked thoughts about cookies.

On Tue, Aug 28, 2018 at 8:16 AM Poul-Henning Kamp <phk@phk.freebsd.dk>
wrote:

> --------
> In message <1759921.cfu6vzEqSt@hegel>, Rigo Wenning writes:
>
> >I think we should stick to the ID and purpose discussion. Because
> >IMHO and AIAL, this will serve data protection/self determination
> >the most. (Yes I deliberately did not use "privacy").
>
> Having slept on it, I have come to the conclusion that nothing
> is really gained by the client informing the server that a
> given session ID is to be permanent or transient.  Please forget
> that idea.
>
> So just to make sure we are on the same page here:
>
> * The session-ID lives and dies with a single "UX session"
>   (Ie: when the user moves to another site by means exterior
>   to the shown content, bookmarks, type URL, close tab etc.
>   the session-ID is thrown away.)
>

If the user agent supports a transient session mechanism of some sort, then
yes, I'd expect the identifier to be cycled whenever the user agent
believes that a "session" has ended. I'm not sure it makes sense to specify
that in great detail, given the diversity of user agents and their
propensity to have different ideas about what's best for their users.


> * A separate session-ID is used for each server contacted in a "UX
>   session" (ie: www.example.com, img.example.com, example_com.cdn.com
>   gets three different session-ID's)
>

The current proposal is indeed origin-scoped. Each of these hosts would
receive a distinct value.

> If so, I am not opposed to the server sending back a routing-ID to
> be used for subsequent requests in the same "UX-session" and to
> be thrown away with the session-ID
>

Are you intentionally distinguishing "routing-ID" and "session-ID"? If so,
what is the former?

-mike

Received on Tuesday, 28 August 2018 06:21:26 UTC
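The two properties being agreed on above (one session-ID per origin, all of them discarded when the "UX session" ends, with any server-supplied routing-ID going with them) can be modelled in a few lines. The following is an added illustration, not code from the thread or from any user agent; it assumes that "origin" means (scheme, host, port) as in the web's same-origin rule, and the header names `Session-ID` and `Routing-ID` are placeholders chosen here, not part of the proposal.

```python
"""Toy model of an origin-scoped, per-"UX session" identifier store.

Added illustration, not code from the mailing-list thread.  Assumptions:
  * an "origin" is (scheme, host, port), per the same-origin rule;
  * a session-ID is random and minted lazily the first time an origin is contacted;
  * ending the UX session discards every session-ID and every routing-ID
    the server handed back with it.
"""
import secrets
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple[str, str, int]:
    """Reduce a URL to its (scheme, host, port) origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, host, port)


class SessionIdStore:
    """Per-origin identifiers that live and die with one UX session."""

    def __init__(self) -> None:
        self._ids: dict[tuple[str, str, int], str] = {}      # origin -> session-ID
        self._routing: dict[tuple[str, str, int], str] = {}  # origin -> routing-ID

    def session_id(self, url: str) -> str:
        origin = origin_of(url)
        if origin not in self._ids:
            # 128 bits of randomness; unguessable and unlinkable across origins.
            self._ids[origin] = secrets.token_urlsafe(16)
        return self._ids[origin]

    def set_routing_id(self, url: str, routing_id: str) -> None:
        """Record a routing-ID the server sent back for this origin."""
        self._routing[origin_of(url)] = routing_id

    def request_headers(self, url: str) -> dict[str, str]:
        """Headers the client would attach to a request to `url` (names are placeholders)."""
        headers = {"Session-ID": self.session_id(url)}
        routing = self._routing.get(origin_of(url))
        if routing is not None:
            headers["Routing-ID"] = routing
        return headers

    def end_ux_session(self) -> None:
        """User navigated away by external means: throw everything away."""
        self._ids.clear()
        self._routing.clear()


def demo() -> dict[str, object]:
    """Exercise the three-host case from the thread and a session reset."""
    store = SessionIdStore()
    hosts = ["https://www.example.com/", "https://img.example.com/",
             "https://example_com.cdn.com/"]
    ids = [store.session_id(h) for h in hosts]
    store.set_routing_id(hosts[0], "node-7")  # constructed routing-ID value
    before_reset = dict(store.request_headers(hosts[0]))
    store.end_ux_session()
    after_reset = dict(store.request_headers(hosts[0]))
    return {
        "distinct_per_host": len(set(ids)) == len(hosts),
        "stable_within_session": store.session_id(hosts[1]) == store.session_id(hosts[1]),
        "scheme_is_part_of_origin": origin_of("http://www.example.com/") != origin_of(hosts[0]),
        "routing_id_sent": before_reset.get("Routing-ID"),
        "id_cycled_on_reset": before_reset["Session-ID"] != after_reset["Session-ID"],
        "routing_id_dropped": "Routing-ID" not in after_reset,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that scoping by origin rather than by host is what makes `http://www.example.com` and `https://www.example.com` receive different identifiers; a host-keyed store would let a plaintext request leak the identifier that the TLS-protected site is using.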