- From: Nico Williams <nico@cryptonector.com>
- Date: Fri, 19 Jul 2013 13:06:32 -0500
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Mark Nottingham <mnot@mnot.net>, Sam Pullara <spullara@gmail.com>, James M Snell <jasnell@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
On Fri, Jul 19, 2013 at 12:22 PM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> In message <CAK3OfOiRTw9CMVw88eW1G95t0hx0ZfGitHw2Co4bV-fN2dnv7g@mail.gmail.com>
> , Nico Williams writes:
>>On Fri, Jul 12, 2013 at 6:44 AM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
>>> I have given a concrete example multiple times, it's very simple:
>>
>>So you think all session state should always be stored on the server, period?
>>
>>It's hard to disagree, but I was under the impression that many
>>services need to be stateless (storing session state in encrypted
>>cookies) for various reasons.
>
> In the post-EU-regulation, post-PRISM-world, "various reasons" need
> to be "Very Good Reasons" for this practice to continue.

I'm not sure how any session identifier would survive silly anti-cookie
regulations from the EU. A session ID is still a cookie.

I don't see how PRISM affects this either. If anything, keeping session
state on the server... only helps PRISM: more data to chomp on.
Received on Friday, 19 July 2013 18:06:56 UTC
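The two designs the thread argues about, side by side, as an added example that is not part of the message above and not code from any of its participants: a server-side session store where the cookie is only an opaque random ID, and a stateless design where the session state itself travels in a cookie sealed with an AEAD (AES-GCM) so the server holds nothing but the key. The `Session` fields, the fixed key, the `"session-v1"` associated-data label and the hex/base64 encodings are assumptions made for the example; a real deployment would load the key from a secret store and add expiry checks.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Session is the state either design must carry between requests (constructed fields).
type Session struct {
	User    string `json:"u"`
	Expires int64  `json:"e"`
}

// ---- Design 1: state stays on the server; the cookie is only a random ID ----

type ServerStore struct{ sessions map[string]Session }

func NewServerStore() *ServerStore { return &ServerStore{sessions: map[string]Session{}} }

// Create stores the session and returns the 128-bit random ID that becomes the cookie value.
func (s *ServerStore) Create(sess Session) (string, error) {
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	cookie := hex.EncodeToString(id)
	s.sessions[cookie] = sess
	return cookie, nil
}

// Lookup resolves a cookie value; IDs the server never issued are rejected.
func (s *ServerStore) Lookup(cookie string) (Session, error) {
	sess, ok := s.sessions[cookie]
	if !ok {
		return Session{}, errors.New("unknown session id")
	}
	return sess, nil
}

// ---- Design 2: stateless; the state itself is sealed into the cookie ----

type CookieSealer struct{ aead cipher.AEAD }

// NewCookieSealer takes a 16/24/32-byte AES key; the server keeps only this key.
func NewCookieSealer(key []byte) (*CookieSealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CookieSealer{aead: aead}, nil
}

// Seal encrypts and authenticates the session; the random nonce is prepended to the ciphertext.
func (c *CookieSealer) Seal(sess Session) (string, error) {
	plaintext, err := json.Marshal(sess)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Associated data binds the cookie to this format version without encrypting it.
	sealed := c.aead.Seal(nonce, nonce, plaintext, []byte("session-v1"))
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Open decrypts the cookie; any modification of nonce, ciphertext or tag fails the GCM check.
func (c *CookieSealer) Open(cookie string) (Session, error) {
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil {
		return Session{}, err
	}
	n := c.aead.NonceSize()
	if len(raw) < n {
		return Session{}, errors.New("cookie too short")
	}
	plaintext, err := c.aead.Open(nil, raw[:n], raw[n:], []byte("session-v1"))
	if err != nil {
		return Session{}, errors.New("cookie tampered or sealed with another key")
	}
	var sess Session
	if err := json.Unmarshal(plaintext, &sess); err != nil {
		return Session{}, err
	}
	return sess, nil
}

func main() {
	sess := Session{User: "alice", Expires: 1374256000} // constructed sample
	store := NewServerStore()
	id, _ := store.Create(sess)
	fmt.Println("server-side: cookie carries only", id)
	sealer, _ := NewCookieSealer([]byte("0123456789abcdef0123456789abcdef")) // example key
	cookie, _ := sealer.Seal(sess)
	back, err := sealer.Open(cookie)
	fmt.Println("stateless: cookie carries sealed state; round-trip:", back, err)
}
```

In the server-side design the data is resident on the server for the life of the session, which is the point Nico raises; in the sealed-cookie design the server retains only the key, but every cookie is a full, authenticated copy of the state, so key rotation and revocation need their own handling.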