- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Fri, 20 Jul 2012 20:34:13 +0000
- To: Phillip Hallam-Baker <hallam@gmail.com>
- cc: James M Snell <jasnell@gmail.com>, Roberto Peon <grmocg@gmail.com>, Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>, Philippe Mougin <pmougin@acm.org>
In message <CAMm+LwgSjS3aEe-e0hyjFAKUbg5ibje1+DKi_75AoYnMZmtJMg@mail.gmail.com>, Phillip Hallam-Baker writes:

>Not so long ago it was fairly unusual for someone to have more than
>one machine in daily use. Today it is absolutely routine. So that
>makes client selected state identifiers rather less useful than server
>side [...]

What I'd like to see, as the end result, is that by default my browsers will invent a new anonymous session-id for every site I go to.

On sites I want to come back to, or want to customize my view or whatever, I check a checkbox on my browsers saying "keep session", which will make the browser always reuse the same session-id for that site.

Obviously, my different browsers will use different session-ids for the same site, they are random by nature, but if I want it, they will get stable session-ids from all my browsers, and can tie those session-ids to whatever "account" they have on me.

If they are smart enough to move the customization settings back to the server, instead of dumping them in cookies in my browser, they will then be able to offer me a consistent view across all my browsers.

Should I one day log into the site from an anonymous PC at the library, I will have to authenticate before the site recognizes me. The library's PC will always send anonymous session-IDs (the checkbox should be removed on shared browsers by the sysadmin), and the server will know not to associate them with my account.

The server can still use the server-side settings to offer me my usual view of the site, but now without polluting the library's browser with cookies that will make the next user who goes to the same site look like me.

For a lot of the "Hello Samuel B. Kennedy" sort of customized web-pages, this would be all they ever need, and will work better for them than cookies ever did.

And these session-ids are _not_ authenticators, they are merely identifiers. The site should use whatever authentication it deems necessary for the traffic it offers.
-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Received on Friday, 20 July 2012 20:34:36 UTC
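The following is an added illustration, not code from the message above nor from any browser or server implementation, that models the scheme Kamp sketches: a browser mints a random session-id per site, a "keep session" checkbox makes that id stable, a shared browser has the checkbox removed, and the server treats the id purely as an identifier. All class and method names (Browser, Site, keep_session, new_visit, the `remember` login flag) are invented here. Two assumptions go beyond the mail: an anonymous id stays the same within one browsing visit and is replaced at the next, and the login form carries a `remember` flag so the server knows which ids to tie to the account.

```python
import hmac
import secrets


class Browser:
    """Client side: one session-id per site, anonymous unless 'keep session' is ticked."""
    def __init__(self, shared: bool = False):
        self.shared = shared                   # shared PC: the checkbox was removed by the sysadmin
        self._kept: dict[str, str] = {}        # site -> stable id, survives restarts
        self._ephemeral: dict[str, str] = {}   # site -> anonymous id, this visit only (assumption)

    def session_id(self, site: str) -> str:
        """Identifier sent with every request to `site`."""
        if site in self._kept:
            return self._kept[site]
        return self._ephemeral.setdefault(site, secrets.token_hex(16))

    def keep_session(self, site: str) -> None:
        """User ticks 'keep session': the current id becomes the stable one for this site."""
        if self.shared:
            raise PermissionError("'keep session' is not available on a shared browser")
        self._kept[site] = self._ephemeral.pop(site, None) or secrets.token_hex(16)

    def new_visit(self) -> None:
        """Browser restart or next patron: anonymous ids are forgotten, kept ids are not."""
        self._ephemeral.clear()


class Site:
    """Server side: settings live here; session-ids identify, they never authenticate."""
    def __init__(self):
        self._users: dict[str, tuple[str, dict]] = {}  # account -> (password, settings); toy storage
        self._bound: dict[str, str] = {}               # session-id -> account, stable ids only
        self._logged_in: dict[str, str] = {}           # session-id -> account, this visit

    def register(self, account: str, password: str, settings: dict) -> None:
        self._users[account] = (password, settings)

    def login(self, sid: str, account: str, password: str, remember: bool = False) -> bool:
        """Real authentication. `remember` (an assumed login-form flag) binds the id to the account."""
        if account not in self._users or not hmac.compare_digest(self._users[account][0], password):
            return False
        self._logged_in[sid] = account
        if remember:
            self._bound[sid] = account
        return True

    def logout(self, sid: str) -> None:
        self._logged_in.pop(sid, None)

    def page(self, sid: str) -> str:
        """Customized view: a bound id suffices, as a 'Hello X' cookie would have."""
        account = self._logged_in.get(sid) or self._bound.get(sid)
        if account is None:
            return "Hello, anonymous visitor"
        return "Hello " + self._users[account][1]["name"]

    def change_email(self, sid: str, new_email: str) -> bool:
        """Sensitive action: needs authentication in this visit; a known id is not enough."""
        account = self._logged_in.get(sid)
        if account is None:
            return False
        self._users[account][1]["email"] = new_email
        return True


def demo() -> dict:
    """Runs the scenarios from the mail and returns what each browser gets shown."""
    site = Site()
    site.register("phk", "correct horse", {"name": "Poul-Henning", "email": "phk@example.invalid"})
    out = {}
    # Home browser: anonymous at first, then 'keep session' plus a remembered login.
    home = Browser()
    sid = home.session_id("example.invalid")
    out["home_first_visit"] = site.page(sid)
    site.login(sid, "phk", "correct horse", remember=True)
    home.keep_session("example.invalid")
    site.logout(sid)
    home.new_visit()
    out["home_id_stable"] = home.session_id("example.invalid") == sid
    out["home_after_restart"] = site.page(sid)                  # recognised without a new login
    out["edit_without_login"] = site.change_email(sid, "new@example.invalid")  # refused
    # Second personal browser: a different stable id, tied to the same account.
    phone = Browser()
    psid = phone.session_id("example.invalid")
    phone.keep_session("example.invalid")
    site.login(psid, "phk", "correct horse", remember=True)
    out["phone_id_differs"] = psid != sid
    out["phone_view"] = site.page(psid)
    # Library PC: 'keep session' unavailable, login works, nothing sticks for the next patron.
    library = Browser(shared=True)
    lsid = library.session_id("example.invalid")
    site.login(lsid, "phk", "correct horse")                   # no 'remember' offered here
    out["library_logged_in"] = site.page(lsid)
    site.logout(lsid)
    library.new_visit()
    out["next_patron"] = site.page(library.session_id("example.invalid"))
    return out
```

Calling `demo()` shows the properties the mail relies on: the kept id survives a restart and yields the customized page without re-authentication, the same kept id is still not enough to change the account's e-mail, two personal browsers hold different ids bound to one account, and the library browser's id is gone before the next patron arrives.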