Re: Introducing a Session header...

On Thu, 19 Jul 2012, David Morris wrote:

> On Thu, 19 Jul 2012, Willy Tarreau wrote:
> > 
> > I would go further, because after some thinking I don't agree with
> > the requirement of *a* session header. The web is so stateful nowadays
> > that multiple layers generally need their own session information.
> > 
> > Requests coming from clients to servers sometimes flow across multiple
> > places and a single session identifier is not always enough, sometimes
> > a few ones need to be provided.
> > 
> > I think it would be terribly useful to have a session container in which
> > we can store one or more session identifiers and that load balancers and
> > servers can easily access and manipulate.
> It is also critical that any session header concept address the scope of 
> applicability of a session identifier so that the user agent can
> accurately and efficiently determine whether a particular session
> applies to each request. There is a lot of experience embodied in
> our group history re. cookies and authentication, expiration, etc.
> I see no reason for a browser generated session id independent of a
> server's desire to receive one. And getting the related issues
> like scope and expiration solved in a secure way would still seem

Also, proxies should also be able to assign 'session' identifiers
with sufficient scope identity that such identifiers could be
reliably removed before forwarding the next request to an
origin server.

Received on Thursday, 19 July 2012 22:54:22 UTC