- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Fri, 25 Sep 2015 10:14:41 +0000
- To: Yoav Nir <ynir.ietf@gmail.com>
- cc: Amos Jeffries <squid3@treenet.co.nz>, Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
--------
In message <8F0BC939-B0BD-43F6-AB41-7676B5B94054@gmail.com>, Yoav Nir writes:
>
>> On Sep 25, 2015, at 12:18 PM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
>>
>> --------
>> In message <5603745A.7020509@treenet.co.nz>, Amos Jeffries writes:
>>
>>> Ah. Sorry I seem to have misunderstood your meaning of "provides the
>>> proof that a server needs to regard the entire session to be authentic"
>>> to mean the cert was connection-wide.
>>
>> I would like to remind people that, contrary to widespread assumptions,
>> HTTP doesn't have "sessions".
>>
>> Sessions are typically implemented by mistaking (groups of) connections
>> for a session, or by means of opaque unstandardized cookies.
>
>Why do you call cookies unstandardized? Cookies are standardized just fine.

What I tried to say above is that we don't know which cookie identifies
the session.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

Received on Friday, 25 September 2015 10:15:13 UTC