- From: Willy Tarreau <w@1wt.eu>
- Date: Sat, 13 Jul 2013 19:32:22 +0200
- To: Sam Pullara <spullara@gmail.com>
- Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Mark Nottingham <mnot@mnot.net>, James M Snell <jasnell@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
On Sat, Jul 13, 2013 at 09:49:42AM -0700, Sam Pullara wrote:
> This can be (and in many cases is already) solved at any web company big
> enough to need to solve it. I'm 100% in favor of using a client generated
> session identifier. This would dramatically simplify HTTP/2 in a real way.
> Cookies are from another era when building a server-side scalable session
> data store was difficult and expensive. I would argue that isn't the case
> anymore.

Until you are able to shrink the time it takes to synchronize two servers at opposite sides of the world, you'll end up causing delays that are higher than the average RTTs we're trying to get rid of. Not to mention the amount of inter-DC traffic.

I'm sorry, but cookies are *not* evil. Some uses of cookies are evil. You don't need to break the web just because of some improper usages. Otherwise you can as well advocate against computers because computers are also used to track people and retrieve a lot of information about them that is not possible to collect by hand. That's simply nonsense.

We could possibly support very short cookies (e.g.: 16 bit). That should be enough for most large deployments, and clearly not enough to track users. But I want to insist that scalable state management is an important piece of the net that we must not break just because it makes us feel better.

Willy

Received on Saturday, 13 July 2013 17:34:35 UTC