Re: Linking a cookie to an IP address is a very bad in 2015...

On Thu, Apr 2, 2015 at 11:47 AM, Martin Thomson
<> wrote:
> On 2 April 2015 at 09:39, Zhong Yu <> wrote:
>> The new connection will like reuse the same TLS session[1]. The
>> browser is not required to do that, but from my tests,
>> firefox/IE/chrome on Windows apparently do.
> Only if you hit the same server in the cluster, or the cluster has
> shared resumption AND session state.

But a session-id cookie will have the same problems.

We could embed all session data in a fat cookie, but I don't think
that's a common practice.

> HTTP is a message-based
> protocol, binding state to a connection has to be regarded as an
> optimization only.

Received on Thursday, 2 April 2015 16:51:35 UTC