Re: Linking a cookie to an IP address is a very bad in 2015... from Martin Thomson on 2015-04-02 (ietf-http-wg@w3.org from April to June 2015)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 2 Apr 2015 09:47:33 -0700
To: Zhong Yu <zhong.j.yu@gmail.com>
Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CABkgnnUtb-SAE5yqZhHn-ZqsQW1uC4pCLRs4k4+JQjwTN1H09w@mail.gmail.com>

On 2 April 2015 at 09:39, Zhong Yu <zhong.j.yu@gmail.com> wrote:
> The new connection will like reuse the same TLS session[1]. The
> browser is not required to do that, but from my tests,
> firefox/IE/chrome on Windows apparently do.

Only if you hit the same server in the cluster, or the cluster has
shared resumption AND session state.  HTTP is a message-based
protocol, binding state to a connection has to be regarded as an
optimization only.

Received on Thursday, 2 April 2015 16:47:59 UTC