W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

Re: Introducing a Session header...

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Thu, 19 Jul 2012 23:01:20 +0000
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <19915.1342738880@critter.freebsd.dk>
In message <alpine.LRH.2.01.1207191524030.19187@egate.xpasc.com>, David Morris 

>I see no reason for a browser generated session id independant of a
>server's desire to receive one. And getting the related issues
>like scope and expiration solved in a secure way would still seem
>to require properties controlled by the server and not the client.

We are not talking about properties, only about identity of the session.

It should be the user, and only the user who decides when a session
starts and ends, so it has to be the user-agent which controls the

The server is of course free to ignore the session-id from the client,
and implement its own concept of a session.

But HTTP/1.x lacks a way for the user to communicate his intent
with respect to sessions, and we should remedy that in HTTP/2.0

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Thursday, 19 July 2012 23:01:43 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:03 UTC