Re: Linking a cookie to an IP address is a very bad in 2015... from Martin Thomson on 2015-04-02 (ietf-http-wg@w3.org from April to June 2015)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 2 Apr 2015 09:19:35 -0700
To: Zhong Yu <zhong.j.yu@gmail.com>
Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CABkgnnXF72bcAF7STJTwi8c-WmBNWx4GppvW=1HKX7cNX6jWcg@mail.gmail.com>

On 2 April 2015 at 09:11, Zhong Yu <zhong.j.yu@gmail.com> wrote:
> The server can bind state to the TLS
> session; there's no need for an HTTP cookie, if the site is HTTPS
> only.

I always recommend against that.  Connections break.

Received on Thursday, 2 April 2015 16:20:02 UTC