Re: [w3ctag/design-reviews] Scheme-bound Cookies (#483)

Regarding the deployment phase, one of the issues is sites that share cookies between HTTP and HTTPS for directing a client to the same backend in a LB. I wonder if the recent changes to deprecate TLS 1.0 and 1.1 could give us details on what would break as unattended. It is likely that such sites, if indeed not taken care of, might not work at all with the new minimum TLS settings. Otherwise, the site can indeed be updated to accommodate that change.

Also, introducing a new `Sec-Nonsecure-Cookie` would require updates to old sites to accommodate them; redirecting everything to HTTPS would be a better move for them than handling a new cookie header.

-- 
https://github.com/w3ctag/design-reviews/issues/483#issuecomment-603914986

Received on Wednesday, 25 March 2020 15:44:06 UTC