- From: David W. Morris <dwm@xpasc.com>
- Date: Mon, 24 Nov 1997 10:34:49 -0800 (PST)
- To: Paul Leach <paulle@microsoft.com>
- Cc: 'http-wg' <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>, 'Jim Gettys' <jg@w3.org>, 'http-wg' <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
On Mon, 24 Nov 1997, Paul Leach wrote: > How about cookies? I've heard they are useful for tracking state... :-) > > As I understand it: cookie has a magic number in it. Magic number is index > into a table at the server. Table has timeout information. Cookies are one way to maintain state, munged URLs are another. Both are more complex than needed if the client is simply given a timeout. Servers which want more precision or actually require a stateful interaction will of course maintain their own timeouts. But for basic access to a secured set of WEB resources, having the client provide the timing keeps everything simpler. > > > ---------- > > From: David W. Morris[SMTP:dwm@xpasc.com] > > Sent: Monday, November 24, 1997 10:07 AM > > To: Paul Leach > > Cc: 'http-wg'; 'Jim Gettys'; http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com > > Subject: RE: REAUTHENTICATION REQUIRED > > > > My point is that the server HAS NO WAY to perform a timeout on its own > > without someform of state tracking. By providing a timeout to the > > client, the server doesn't need to introduce some other form of > > state management. > > > > On Mon, 24 Nov 1997, Paul Leach wrote: > > > > > How the server does it's timeout is completely up to it, or more > > precisely, > > > up to the application that uses the server. > > > > > > As far as I can tell, the people who want this have quite well formed > > ideas > > > as to how long the timeout should be, so we don't need to include > > > guidelines. > > > > > > As to the second suggestion, which I'll call "2xx Logout", I'm > > agnostic, > > > and await more WG feedback. > > >
Received on Monday, 24 November 1997 10:38:20 UTC