Re: HTTP router point-of-view concerns

On Fri, Jul 19, 2013 at 1:19 PM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> In message <CAK3OfOjSjPXZhA5TvTn8nuJgu9V_wGE81LRz5axfFuifjymj7w@mail.gmail.com>
> , Nico Williams writes:
>
>>I'm not sure how any session identifier would survive silly
>>anti-cookie regulations from the EU.  A session ID is still a cookie.
>
> Read the actual regulation ?

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:NOT

?

My point stands.  How is *any* session identifier different from a
cookie?  The only differences might relate to how they might leak to
third parties.

>>I don't see how PRISM affects this either.  If anything, keeping
>>session state on the server... only helps PRISM: more data to chomp on.
>
> It means that any random computer I use to access a given service is
> not polluted with bit-droppings saying I did so.

How do you know when you're done using it that it's not still holding
on to your at-one-time open sessions?  Here there is a somewhat useful
answer: you could ask the service [from another device that you do
trust] to close those sessions.

Session logout is an important feature to have (though in all cases we
have to trust the server).

Received on Friday, 19 July 2013 18:33:24 UTC