
Re: Session-Id

From: John Franks <john@math.nwu.edu>
Date: Fri, 21 Jul 1995 11:09:51 -0500 (CDT)
Message-Id: <199507211609.LAA03008@hopf.math.nwu.edu>
To: koen@win.tue.nl (Koen Holtman)
Cc: john@math.nwu.edu, www-talk@w3.org

According to Koen Holtman:
> John Franks:
> >3. Server initiated session-ids have strictly greater generality.
> >In particular, if you *really want* a server side data base you
> >can have it using the server supplied cookie as a key.
> 
> They have no greater generality at all as far as I know.  Could you
> give an example?
> 

Everything which can be done with client-initiated session-ids can
be done with server initiated session-ids.  The server can issue a
random number as session-id and treat it as if it were issued by the client.

The reverse is not true.  There is no way to do any client-side data
bases (like the Netscape implementation of shopping baskets) with
server initiated session-ids.  Similar functionality might be achieved
with a server-side data base, but not as cleanly (the server has no
way of knowing when the session ends).  In any case, the possible 
*implementations* with server initiated are strictly more general.

You can argue that client initiated session-id is easier to implement in
the client, but the only existing implementation in a client (of which
I am aware) is server-side initiated.

John Franks
Received on Friday, 21 July 1995 12:12:07 GMT
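
Added example (not part of the message above, nor of any implementation it mentions): a server-issued random session-id used as the key into a server-side data base, with an idle timeout standing in for the session end that the server cannot observe. The class name, the 30-minute timeout and the basket data are assumptions made for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 1800  # seconds; assumed value, the message names none


class SessionStore:
    """Server-side data base keyed by a server-issued session-id."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self._rows = {}                    # session-id -> (last_seen, data)
        self._idle_timeout = idle_timeout
        self._clock = clock                # injectable so expiry can be tested

    def issue(self):
        """Create a session; the returned id goes to the client as a cookie."""
        sid = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        self._rows[sid] = (self._clock(), {})
        return sid

    def lookup(self, sid):
        """Return the session's data dict, or None if unknown or expired."""
        row = self._rows.get(sid)
        if row is None:
            return None                    # id was never issued by this server
        last_seen, data = row
        now = self._clock()
        if now - last_seen > self._idle_timeout:
            del self._rows[sid]            # idle too long: treat as ended
            return None
        self._rows[sid] = (now, data)      # activity refreshes the timer
        return data

    def sweep(self):
        """Drop every expired row; return how many were removed."""
        now = self._clock()
        dead = [s for s, (seen, _) in self._rows.items()
                if now - seen > self._idle_timeout]
        for s in dead:
            del self._rows[s]
        return len(dead)


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.issue()
    store.lookup(cookie).setdefault("basket", []).append("constructed-item")
    print(store.lookup(cookie))
```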
