- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Thu, 19 Jul 2012 23:01:20 +0000
- To: HTTP Working Group <ietf-http-wg@w3.org>

In message <alpine.LRH.2.01.1207191524030.19187@egate.xpasc.com>, David Morris writes:

>I see no reason for a browser generated session id independent of a
>server's desire to receive one. And getting the related issues
>like scope and expiration solved in a secure way would still seem
>to require properties controlled by the server and not the client.

We are not talking about properties, only about identity of the session.

It should be the user, and only the user who decides when a session starts and ends, so it has to be the user-agent which controls the session-id.

The server is of course free to ignore the session-id from the client, and implement its own concept of a session.

But HTTP/1.x lacks a way for the user to communicate his intent with respect to sessions, and we should remedy that in HTTP/2.0.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

Received on Thursday, 19 July 2012 23:01:43 UTC