Re: Introducing a Session header...

On Thu, 19 Jul 2012, Willy Tarreau wrote:

> 
> I would go further, because after some thinking I don't agree with
> the requirement of *a* session header. The web is so stateful nowadays
> that multiple layers generally need their own session information.
> 
> Requests coming from clients to servers sometimes flow across multiple
> places and a single session identifier is not always enough, sometimes
> a few ones need to be provided.
> 
> I think it would be terribly useful to have a session container in which
> we can store one or more session identifiers and that load balancers and
> servers can easily access and manipulate.

It is also critical that any session header concept address the scope of 
applicability of a session identifier so that the user agent can
accurately and efficiently determine whether a particular session
applies to each request. There is a lot of experience embodied in
our group history re. cookies and authentication, expiration, etc.

I see no reason for a browser generated session id independent of a
server's desire to receive one. And getting the related issues
like scope and expiration solved in a secure way would still seem
to require properties controlled by the server and not the client.

Dave Morris

Received on Thursday, 19 July 2012 22:33:49 UTC