- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Thu, 19 Jul 2012 22:36:13 +0000
- To: Willy Tarreau <w@1wt.eu>
- cc: Philippe Mougin <pmougin@acm.org>, HTTP Working Group <ietf-http-wg@w3.org>, James Snell <jasnell@gmail.com>
In message <20120719213630.GA20313@1wt.eu>, Willy Tarreau writes:

>On Thu, Jul 19, 2012 at 08:48:01PM +0000, Poul-Henning Kamp wrote:
>I think it would be terribly useful to have a session container in which
>we can store one or more session identifiers and that load balancers and
>servers can easily access and manipulate.

At this point I would like to defer to card-carrying cryptographers, because while I think nobody but the client should be allowed to define/change the session identifier, in order to shut out spoofing of it, I don't trust my own analysis of this question to be definitive.

I do think it would be terribly useful if the session-id was client originated and contained an anon/specific-authenticated-user bit, because that would warn the server about public PCs etc.

So even if we don't do the session-id, I think I would advocate that bit on its own.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Received on Thursday, 19 July 2012 22:36:35 UTC