Re: Some half-baked thoughts about cookies. from Poul-Henning Kamp on 2018-08-28 (ietf-http-wg@w3.org from July to September 2018)

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Tue, 28 Aug 2018 07:20:10 +0000
To: Mike West <mkwst@google.com>
cc: Rigo Wenning <rigo@w3.org>, HTTP Working Group <ietf-http-wg@w3.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, squid3@treenet.co.nz
Message-ID: <23248.1535440810@critter.freebsd.dk>

--------
In message <CAKXHy=d9vHXCtCV1EGs80Was-_VQB42fipEKqyhMiBKa0FQgXw@mail.gmail.com>, Mike West writes:

>> * The session-ID lives and dies with a single "UX session"
>>   (Ie: when the user moves to another site by means exterior
>>   to the shown content, bookmarks, type URL, close tab etc.
>>   the session-ID is thrown away.)
>
>If the user agent supports a transient session mechanism of some sort, then
>yes, I'd expect the identifier to be cycled whenever the user agent
>believes that a "session" has ended. I'm not sure it makes sense to specify
>that in great detail, given the diversity of user agents and their
>propensity to have different ideas about what's best for their users.

I don't know about "great detail", but it is important to make it clear
that browsers SHALL NOT make it persistent across what users think of as sessions.

>If so, I am not opposed to the server sending back a routing-ID to
>> be used for subsequent requests in the same "UX-session" and to
>> be thrown away with the session-ID
>
>Are you intentionally distinguishing "routing-ID" and "session-ID"? If so,
>what is the former?

It's sort of in between what Willy called for in <20180827114546.GA19615@1wt.eu>
and what you have in your point 3 (token provenance).  I might go something like:

	server sends:

		Sec-HTTP-State-Options: ..., route=*UGxlYXNlIHVzZSBlbnRyYW5jZSAjMwo=*

	and the client echoes this in future requests:

		Sec-HTTP-State: token=*...*, route=*UGxlYXNlIHVzZSBlbnRyYW5jZSAjMwo=*

	The client throws the route= token away with the session-id.

This way a CDN can assign you a random(-ish) backend server on first request, and
use the route-ID to make sure all your subsequent requests end there too,
without the CDN having to hold state on all the client session-IDs.

The crucial point is that the client throws this route-id token away with the
equally transient session-id, so the server cannot use it to track you.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Received on Tuesday, 28 August 2018 07:20:39 UTC