Re: Introducing a Session header...

In message <20120719213630.GA20313@1wt.eu>, Willy Tarreau writes:
>On Thu, Jul 19, 2012 at 08:48:01PM +0000, Poul-Henning Kamp wrote:

>I think it would be terribly useful to have a session container in which
>we can store one or more session identifiers and that load balancers and
>servers can easily access and manipulate.

At this point I would like to defer to card-carrying cryptographers,
because while I think nobody but the client should be allowed to
define/change the session identifier, in order to shut out spoofing
of it, I don't trust my own analysis of this question to be definitive.

I do think it would be terribly useful if the session-id was client
originated and contained an anon/specific-authenticated-user bit,
because that would warn the server about public PCs etc.  So even
if we don't do the session-id, I think I would advocate that bit
on its own.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

Received on Thursday, 19 July 2012 22:36:35 UTC