- From: Jim Manico <jim@manico.net>
- Date: Thu, 2 Apr 2015 10:09:19 -0700
- To: Zhong Yu <zhong.j.yu@gmail.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Embedding session data in a fat cookie is actually •very• common in stateless REST architectures. Encrypt and sign those cookies as well.

--
Jim Manico
@Manicode
(808) 652-3805

> On Apr 2, 2015, at 9:51 AM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
>
> On Thu, Apr 2, 2015 at 11:47 AM, Martin Thomson <martin.thomson@gmail.com> wrote:
>> On 2 April 2015 at 09:39, Zhong Yu <zhong.j.yu@gmail.com> wrote:
>>> The new connection will likely reuse the same TLS session[1]. The
>>> browser is not required to do that, but from my tests,
>>> firefox/IE/chrome on Windows apparently do.
>>
>> Only if you hit the same server in the cluster, or the cluster has
>> shared resumption AND session state.
>
> But a session-id cookie will have the same problems.
>
> We could embed all session data in a fat cookie, but I don't think
> that's a common practice.
>
>> HTTP is a message-based protocol, binding state to a connection has
>> to be regarded as an optimization only.
Received on Thursday, 2 April 2015 17:09:59 UTC
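What "encrypt and sign those cookies" looks like for a stateless fat cookie, as an added example that is not part of this thread or of any project discussed in it. It assumes a 32-byte key shared by every node in the cluster (that shared key, not any per-connection state, is what lets any node accept the cookie, which is the property TLS session state cannot give you across a cluster), a cookie named `sess`, and a constructed session payload. AES-GCM is used because one AEAD call gives both the confidentiality and the integrity check Jim asks for; the cookie name is bound in as associated data so a token cannot be replayed as a different encrypted cookie under the same key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Session is the state that would otherwise sit in a server-side session
// store. Constructed for this example; real payloads vary.
type Session struct {
	UserID  string    `json:"uid"`
	Roles   []string  `json:"roles"`
	Expires time.Time `json:"exp"` // enforced server-side, never via cookie Max-Age
}

// ErrBadCookie covers every failure (decode, tag, expiry) so a caller cannot
// be nudged into treating one class of bad cookie differently from another.
var ErrBadCookie = errors.New("session cookie rejected")

// cookieName is an assumption for this example. It is bound in as AEAD
// associated data, so a value sealed for this cookie is not valid as any
// other cookie sealed under the same key.
const cookieName = "sess"

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal serializes the session and encrypts it with AES-GCM, which encrypts
// and authenticates in one pass. The cookie value is
// base64url(nonce || ciphertext || tag), safe for a Set-Cookie header.
func Seal(key []byte, s Session) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	plain, err := json.Marshal(s)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random 96-bit nonce per cookie
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, plain, []byte(cookieName))
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal. A modified value, a different key, or a different
// cookie name fails the GCM tag check before the plaintext is parsed;
// expiry is then checked against the server's clock, not the client's.
func Open(key []byte, value string, now time.Time) (Session, error) {
	var s Session
	aead, err := newAEAD(key)
	if err != nil {
		return s, err
	}
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil || len(raw) < aead.NonceSize() {
		return s, ErrBadCookie
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	plain, err := aead.Open(nil, nonce, ct, []byte(cookieName))
	if err != nil {
		return s, ErrBadCookie
	}
	if err := json.Unmarshal(plain, &s); err != nil {
		return s, ErrBadCookie
	}
	if !now.Before(s.Expires) {
		return s, ErrBadCookie
	}
	return s, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // demo key; load from a secret store in practice
	now := time.Now()
	v, err := Seal(key, Session{UserID: "u-42", Roles: []string{"editor"}, Expires: now.Add(time.Hour)})
	if err != nil {
		panic(err)
	}
	fmt.Printf("Set-Cookie: %s=%s; Secure; HttpOnly; SameSite=Lax\n", cookieName, v)
	if s, err := Open(key, v, now); err == nil {
		fmt.Println("accepted:", s.UserID, s.Roles)
	}
	b := []byte(v) // flip one character: the tag check catches it
	if b[len(b)/2] == 'A' {
		b[len(b)/2] = 'B'
	} else {
		b[len(b)/2] = 'A'
	}
	_, err = Open(key, string(b), now)
	fmt.Println("tampered cookie rejected:", errors.Is(err, ErrBadCookie))
}
```

Two caveats a practitioner would add to Jim's one-liner. A random 96-bit GCM nonce per seal is fine for ordinary session volumes, but the key must be rotated well before the number of seals under it approaches 2^32, so key rotation (and a key id in the value, omitted here) belongs in any real deployment. And sealing fixes tampering, not revocation: a fat cookie stays valid until its embedded expiry, so forced logout or privilege revocation still needs a small piece of shared server-side state, which is the trade-off Zhong Yu is pointing at.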