
Re: HTTP router point-of-view concerns

From: Nico Williams <nico@cryptonector.com>
Date: Fri, 19 Jul 2013 13:32:59 -0500
Message-ID: <CAK3OfOgRWzvj+-XfDLw8zX_=Kd_qQWXXEuhp-_1fcLZfYqyo8Q@mail.gmail.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Mark Nottingham <mnot@mnot.net>, Sam Pullara <spullara@gmail.com>, James M Snell <jasnell@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
On Fri, Jul 19, 2013 at 1:19 PM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> In message <CAK3OfOjSjPXZhA5TvTn8nuJgu9V_wGE81LRz5axfFuifjymj7w@mail.gmail.com>
> , Nico Williams writes:
>
>>I'm not sure how any session identifier would survive silly
>>anti-cookie regulations from the EU.  A session ID is still a cookie.
>
> Read the actual regulation ?

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:NOT

?

My point stands.  How is *any* session identifier different from a
cookie?  The only differences might relate to how they might leak to
third parties.

>>I don't see how PRISM affects this either.  If anything, keeping
>>session state on the server... only helps PRISM: more data to chomp on.
>
> It means that any random computer I use to access a given service is
> not polluted with bit-droppings saying I did so.

How do you know when you're done using it that it's not still holding
on to your at-one-time open sessions?  Here there is a somewhat useful
answer: you could ask the service [from another device that you do
trust] to close those sessions.

Session logout is an important feature to have (though in all cases we
have to trust the server).
Received on Friday, 19 July 2013 18:33:24 UTC
