Re: Stateful compression of cookies (Re: Delta Compression and UTF-8 Header Values)

On Mon, Feb 11, 2013 at 11:39 AM, Nico Williams <nico@cryptonector.com> wrote:

> On Mon, Feb 11, 2013 at 10:07 AM, Poul-Henning Kamp <phk@phk.freebsd.dk>
> wrote:
> >>It's not just the disk space, but also the need to fetch it and the
> >>need to distribute it across related servers.  Using the client to do
> >>this has some benefits.
> >
> > ... for the server, yes.
> >
> > And a lot of disadvantages for the client, such as not having your
> > context coming along to a different computer, privacy, bandwidth etc.
>
> Bandwidth costs can be addressed by having the server cache its state,
> using the client only to rebuild that state when it gets pushed out of
> the cache (e.g., due to client idle time).
>
> As for privacy, encrypted state cookies do not compromise privacy any
> more than random session IDs.
>
> Nico
> --
>


I should have made this clear earlier: there should be only two types of
cookie-type data:

Authentication tokens - which only go over the wire exactly once.

Encrypted state tokens - which only the server should be able to decrypt.



-- 
Website: http://hallambaker.com/
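An added example, not code from this thread or from any project discussed in it, of the second token type in the reply above: serialized session state sealed with AES-GCM under a key only the server holds, so the client stores and returns the cookie but can neither read nor alter it, and a tampered, truncated or wrong-key cookie is rejected rather than decrypted. The key, the sample state and the function names are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// newAEAD builds AES-GCM under the server-held key (16, 24 or 32 bytes).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// SealState encrypts and authenticates serialized session state into a
// cookie-safe string: base64url(nonce || ciphertext || tag).
func SealState(key, state []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per cookie
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, state, nil)), nil
}
// OpenState reverses SealState; it rejects a modified, truncated or wrong-key
// cookie, so the client can carry the state but neither read nor forge it.
func OpenState(key []byte, cookie string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	sealed, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil || len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, fmt.Errorf("malformed state cookie (%d bytes): %v", len(sealed), err)
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}
func main() {
	key := make([]byte, 32) // constructed demo key; a real server loads it from its key store
	rand.Read(key)
	cookie, _ := SealState(key, []byte(`{"user":"alice","cart":[3,9]}`))
	fmt.Println(OpenState(key, cookie)) // prints the state bytes and <nil>
}
```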

Received on Monday, 11 February 2013 16:44:49 UTC