Introducing a Session header...

In several of the ongoing discussions there has been mention of the need
for a Session header to replace the use of Cookies for basic session
management. For HTTP/2.0, this seems like a straight forward and smart
thing to do. To start it off, let's define a new header whose value is a
variable length token.

Within HTTP/1.1, it would be something like "Session:
some-random-string-of-letters"

If we go with the current SPDY header structure, the header name should be
something like ":session".

If we ended up using the binary encoded headers I've suggested, the session
could be encoded as:
  [0, 10, 1, 0, 29, 's', 'o', 'm', 'e', ... ]

The semantics would be simple: the Session header can be set by the Client
or Server and communicates the Session identifier for the Stream. Each
Stream can have exactly one Session identifier. The current Session
identifier in a stream can be changed by sending a new Session header. To
resume a session, the Session header would be added to the SYN_STREAM.

Obviously this does nothing to address the security issues but it, at the
very least, should help us to reduce the reliance on cookies.

- James

Received on Tuesday, 17 July 2012 22:48:53 UTC