Re: Stateful compression of cookies (Re: Delta Compression and UTF-8 Header Values) from Phillip Hallam-Baker on 2013-02-11 (ietf-http-wg@w3.org from January to March 2013)

From: Phillip Hallam-Baker <hallam@gmail.com>
Date: Mon, 11 Feb 2013 11:44:21 -0500
To: Nico Williams <nico@cryptonector.com>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Zhong Yu <zhong.j.yu@gmail.com>, Julian Reschke <julian.reschke@gmx.de>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, James M Snell <jasnell@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CAMm+LwhuONV6CYmR+byQeP1emLx15Nf1SK4yh4U2pXiF-=8sYQ@mail.gmail.com>

On Mon, Feb 11, 2013 at 11:39 AM, Nico Williams <nico@cryptonector.com>wrote:

> On Mon, Feb 11, 2013 at 10:07 AM, Poul-Henning Kamp <phk@phk.freebsd.dk>
> wrote:
> >>It's not just the disk space, but also the need to fetch it and the
> >>need to distribute it across related servers.  Using the client to do
> >>this has some benefits.
> >
> > ... for the server, yes.
> >
> > And a lot of disadvantages for the client, such as not having your
> > context coming along to a different computer, privacy, bandwidth etc.
>
> Bandwidth costs can be addressed by having the server cache its state,
> using the client only to rebuild that state when it gets pushed out of
> the cache (e.g., due to client idle time).
>
> As for privacy, encrypted state cookies do not compromise privacy any
> more than random session IDs.
>
> Nico
> --
>


I should have made this clear earlier, there should be only two types of
cookie-type data:

Authentication tokens - which only go over the wire exactly once.

Encrypted state tokens - which only the server should be able to decrypt.



-- 
Website: http://hallambaker.com/

Received on Monday, 11 February 2013 16:44:49 UTC