Re: [whatwg] Proposal: HTTP Headers + sessionStorage stored session-ID from Kyle Simpson on 2013-12-06 (public-whatwg-archive@w3.org from December 2013)

From: Kyle Simpson <getify@gmail.com>
Date: Sat, 7 Dec 2013 09:18:20 +1100
To: whatwg@lists.whatwg.org
Message-Id: <6EB2CC0F-3B88-491E-85F7-46E1E9098465@gmail.com>

> On Thu, 31 Oct 2013, Kyle Simpson wrote:
>> 
>> Session cookies are preserved at the browser-level, which means they are 
>> kept around for the lifetime of the browser instance. sessionStorage, 
>> OTOH, is kept only for the lifetime of the tab. In many respects, this 
>> makes sessionStorage more desirable for session-based tracking.
>> 
>> 2. As a consequence of #1, the most pertinent difference is 
>> sessionStorage based session-IDs being attached to an individual tab 
>> rather than the browser. This means if I open up two tabs to the same 
>> site, and I use session cookies, then both tabs share the same session 
>> (can be useful or can be very annoying).
>> 
>> But with a sessionStorage based approach, the two tabs have two entirely 
>> separate sessions and operate independently. They can share storage 
>> through localStorage, if so desired, and even communicate with 
>> StorageEvents. But they can be separate if they want by relying on 
>> sessionStorage.
>> 
>> In particular, #2 is a big win (IMO) for session-based architecture (as 
>> well as UX) and I often now design my systems with this particular 
>> behavior intentionally relied upon.
> 
> I've filed this bug to track this problem:
> 
>   https://www.w3.org/Bugs/Public/show_bug.cgi?id=24024
> 
> If any implementors want to implement this and thus would like this 
> specced, please do comment on the bug.

Thanks for filing, Ian.

For the sake of brevity of the list, I've tried to explain the motiviations behind my proposal a little more clearly, both in that bug, and in this part of my recent blog post:

http://blog.getify.com/tale-of-two-ends/#proposal-hope

----------

One further point I have not specifically called out in those previous posts: in some jurisdictions, like Europe, apparently cookies (even session cookies!?) are illegal unless you specifically declare that you're using them.

I don't know all the details on what that includes or not, but I've been told by a few people in Europe that (session) cookies are frowned upon, whereas tracking things in sessionStorage (which automatically is sandboxed to the host and automatically goes away after the tab closes) is more preferable and more "legal". :)

--Kyle

Received on Friday, 6 December 2013 22:18:49 UTC