- From: Patrick McManus <pmcmanus@mozilla.com>
- Date: Fri, 12 Jul 2013 08:59:30 -0400
- To: Christian Parpart <trapni@gmail.com>
- Cc: Michael Sweet <msweet@apple.com>, Poul-Henning Kamp <phk@phk.freebsd.dk>, Mark Nottingham <mnot@mnot.net>, Sam Pullara <spullara@gmail.com>, James M Snell <jasnell@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAOdDvNot=0ir9095ffQW14j5AbaCL5WQwUWGmH9v3a05mFf_nA@mail.gmail.com>
cookies and user agents, while very redundant, are not 100% consistent between transactions. Especially in proxying scenarios, but other places too. And even if we removed those, a request header would still be ~300 bytes - which is just too big to support the many dozens of subresources that commonly make up a page today in one rtt. I understand some of the frustration, but this is something we've seen work and imo is necessary to enable the fundamental muxxing changes http/2 presents. On Fri, Jul 12, 2013 at 8:47 AM, Christian Parpart <trapni@gmail.com> wrote: > On Fri, Jul 12, 2013 at 2:40 PM, Michael Sweet <msweet@apple.com> wrote: > >> Then just add the User-Agent and Server values to the settings frames the >> client and server exchange? >> > > if it would be *that* simple, then dont' forget the cookie and the > user-agent. > > >> Sent from my iPad >> >> On 2013-07-12, at 7:44 AM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote: >> >> > In message <CD9E163F-1225-4DA8-9982-8BDBD16B1051@mnot.net>, Mark >> Nottingham wri >> > tes: >> > >> >> This has been brought up a number of times. I think what we need is a = >> >> concrete proposal *with* a detailed plan for a workable transition to = >> >> the new mechanism -- which seems to be the (or at least one) sticking = >> >> point whenever this comes up. >> > >> > I have given a concrete example multiple times, it's very simple: >> > >> > The client always sends along a session-identifier of N (128?) >> > bits. >> > >> > If the first bit is zero, this is an anonymous, transient >> > session, not (to be) associated with any other session. >> > >> > If the first bit is one, this is a persistent session >> > identifier, which the server can use to look up any relevant >> > state or information from previous instances of this >> > session, in its local database. >> > >> > This replaces the Cookie: and Set-Cookie: headers, which >> > SHALL NOT be sent in the HTTP/2.0 protocol. >> > >> > Advantages: >> > >> > We get a fixed size session-identifier for HTTP routers to >> > use for flow-routing. >> > >> > We get an actual (client controlled) session-concept, rather >> > than all sorts of ad-hoc simulations with cookies. >> > >> > Data with privacy-concerns are stored on the server not on >> > random clients the user happens to borrow or use. >> > >> > The overhead of encrypting and signing the data in cookies >> > is avoided, since they are stored on the server side where >> > nobody can fudge them. >> > >> > Backwards compatibility: >> > >> > It should be obvious that simulating the Cookie concept for >> > framework compatibility on the server side is a trivial >> > matter of programming: Rather than send set-cookies, write >> > them to a database, indexed by the session-id. Rather than >> > receive Cookie: headers, look them up in the database. >> > >> > There, solved. >> > >> > Again. >> > >> > -- >> > Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 >> > phk@FreeBSD.ORG | TCP/IP since RFC 956 >> > FreeBSD committer | BSD since 4.3-tahoe >> > Never attribute to malice what can adequately be explained by >> incompetence. >> > >> >> >
Received on Friday, 12 July 2013 12:59:57 UTC