- From: Nico Williams <nico@cryptonector.com>
- Date: Fri, 19 Jul 2013 13:32:59 -0500
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Mark Nottingham <mnot@mnot.net>, Sam Pullara <spullara@gmail.com>, James M Snell <jasnell@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
On Fri, Jul 19, 2013 at 1:19 PM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> In message <CAK3OfOjSjPXZhA5TvTn8nuJgu9V_wGE81LRz5axfFuifjymj7w@mail.gmail.com>, Nico Williams writes:
>
>> I'm not sure how any session identifier would survive silly
>> anti-cookie regulations from the EU. A session ID is still a cookie.
>
> Read the actual regulation?
> http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:NOT

My point stands. How is *any* session identifier different from a cookie? The only differences might relate to how they might leak to third parties.

>> I don't see how PRISM affects this either. If anything, keeping
>> session state on the server... only helps PRISM: more data to chomp on.
>
> It means that any random computer I use to access a given service is
> not polluted with bit-droppings saying I did so.

How do you know, when you're done using it, that it's not still holding on to your at-one-time open sessions?

Here there is a somewhat useful answer: you could ask the service [from another device that you do trust] to close those sessions. Session logout is an important feature to have (though in all cases we have to trust the server).
Received on Friday, 19 July 2013 18:33:24 UTC