- From: Jones, Matthew <MJones@NetSilicon.com>
- Date: Mon, 27 Aug 2001 08:02:27 -0700
- To: "'xml-dist-app@w3.org'" <xml-dist-app@w3.org>

Francis writes:

>What I'd like to see would be a standard for achieving the same
>productivity in a transport-independent way. I'm not an expert in the
>implementation of cookies, but I'll suggest a possibly adequate solution
>to fuel discussion. Servers should be allowed to return in a header a
>session element with optional key, actor and expire attributes, and
>optional any content - something like:
>
>  <xs:complexType name="SessionType">
>    <xs:sequence>
>      <xs:any minOccurs="0" maxOccurs="unbounded"/>
>    </xs:sequence>
>    <xs:attribute name="sessionId" type="xs:hexBinary" use="required"/>
>    <xs:attribute name="actor" type="xs:anyURI"/>
>    <xs:attribute name="expire" type="xs:dateTime"/>
>  </xs:complexType>
>
>  <xs:element name="Session" type="env:SessionType"/>
>
>...with some standard behaviour: all cookies are uniquely keyed by actor
>(explicit or default) and sessionId. They can be made to live beyond a
>conversation by specifying an expire date (or time). Opening a
>conversation to a SOAP host would pick up any long-life cookies for that
>host and include them in the header. During the conversation only
>cookies fresh from the server get returned to the server. The server can
>update a cookie by sending it back with the same sessionId but different
>contents. It can delete a cookie by sending it back with a back-dated
>expire date. It can ignore cookies by not sending them back.
>
>Then add a fault message for "could not resume conversation", and I
>think you would have a very satisfactory solution that would get used.

This sounds like a good suggestion; however, I'd like to add some considerations.

First, normally cookies have a domain, which is the set of sites to return the cookies to. For example, by default, if you went to the site www.cnn.com and got a cookie, then you would return the cookie to anything ending in cnn.com. You can change this (or just make it explicit, which is often the case) by setting the domain field. I'd wonder how this would apply to the SOAP paradigm.

Also, you can send more than one cookie; I'd assume you can send more than one Session.

Finally, how would the browser reply? Would it just return the sessionId?

Matthew Jones
mjones@netsilicon.com

P.S. I'm new to the list.

Received on Monday, 27 August 2001 11:02:59 UTC
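
The client-side behaviour proposed in the quoted text, as an added Python example that is not part of the original message or of any SOAP specification. The `SessionJar` class, the `(default)` actor placeholder, exact-host matching (the proposal defines no domain scope, which is the open question in the reply), reading "fresh" as "carried by the server's latest response", and the sample hosts and sessionIds in the usage are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_ACTOR = "(default)"  # assumed placeholder for an omitted actor attribute


class SessionJar:
    """Client-side store for Session header blocks (hypothetical helper)."""

    def __init__(self):
        self._sessions = {}  # (host, actor, sessionId) -> (expire, content)
        self._fresh = set()  # keys carried by the server's latest response

    def open_conversation(self, host, now):
        """Return the unexpired long-life sessionIds to send when opening."""
        for key in [k for k in self._sessions if k[0] == host]:
            expire = self._sessions[key][0]
            if expire is None or expire <= now:
                del self._sessions[key]  # conversation-only or expired
        self._fresh = {k for k in self._fresh if k[0] != host}
        # Assumption: exact host match, so a session never reaches another host.
        return sorted(k[2] for k in self._sessions if k[0] == host)

    def receive_response(self, host, blocks, now):
        """Apply the Session blocks of one response; return ids to send back."""
        self._fresh = {k for k in self._fresh if k[0] != host}
        for b in blocks:
            key = (host, b.get("actor") or DEFAULT_ACTOR, b["sessionId"])
            expire = b.get("expire")
            if expire is not None and expire <= now:
                self._sessions.pop(key, None)  # back-dated expire deletes
                continue
            # Same actor and sessionId: new content replaces the old.
            self._sessions[key] = (expire, b.get("content", ""))
            self._fresh.add(key)
        return sorted(k[2] for k in self._fresh if k[0] == host)

    def content(self, host, session_id, actor=None):
        """Return the stored content for one session, or None if absent."""
        entry = self._sessions.get((host, actor or DEFAULT_ACTOR, session_id))
        return entry[1] if entry else None


if __name__ == "__main__":
    now = datetime(2001, 8, 27, 15, 0, tzinfo=timezone.utc)  # constructed
    jar = SessionJar()
    blocks = [{"sessionId": "0A1B", "expire": now + timedelta(days=1)},
              {"sessionId": "0C"}]  # constructed sample blocks
    print(jar.receive_response("soap.example.org", blocks, now))
    print(jar.open_conversation("soap.example.org", now))
    print(jar.open_conversation("other.example.org", now))
```
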