Re: Session-Id

John Franks writes:

> I am honestly puzzled why there seems to be a focus on client initiated
> session-id when server initiated seems to have so many advantages.
> Consider:

> 1. Server initiated session-ids won't exist if the server doesn't need
> or want it.  Most servers never will want it.  Why penalize them?

> 2. Modest amounts of information (e.g. shopping baskets) can be kept
> in the session cookie, i.e. in a *client-side* data base.  This scales;
> server-side data bases of session information don't.

> 3. Server initiated session-ids have strictly greater generality.
> In particular, if you *really want* a server side data base you
> can have it using the server supplied cookie as a key.

> 4. New session-ids are automatic when the client switches to a
> different server.  Also if the client returns to a previously visited
> server in the same session the session id is restored.  This could
> be done with client initiated session-ids also, but I haven't seen
> that in any of the proposals.

I support you for server generated ids.

Moreover, client generated ids may not be unique.
Two independent clients could generate the same id and
confuse the server.


Received on Friday, 21 July 1995 11:23:31 UTC
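
An added example, not part of the original messages: a sketch of the collision concern raised in the reply, next to a server-issued id used as the key into a server-side table (point 3 of the quoted list). The class names, the 128-bit token size and the choice to ignore ids the server did not issue are assumptions of this sketch.

```python
import secrets


class ClientChosenStore:
    """Contrast case: the server trusts whatever id the client sends."""

    def __init__(self):
        self._baskets = {}

    def handle(self, client_id, item):
        basket = self._baskets.setdefault(client_id, [])
        basket.append(item)
        return list(basket)


class SessionStore:
    """Server-side table keyed by an id that only the server generates."""

    def __init__(self):
        self._baskets = {}

    def issue(self):
        # Draw from the OS CSPRNG; the loop guards the negligible chance of a repeat.
        while True:
            sid = secrets.token_urlsafe(16)  # 128 bits of randomness (assumed size)
            if sid not in self._baskets:
                self._baskets[sid] = []
                return sid

    def handle(self, cookie, item):
        """Process one request; returns (id to send back, basket contents)."""
        # Only ids this server issued are honoured; anything else gets a fresh id.
        if cookie not in self._baskets:
            cookie = self.issue()
        self._baskets[cookie].append(item)
        return cookie, list(self._baskets[cookie])


def demo():
    # Constructed input: two independent clients that happen to pick the same id.
    naive = ClientChosenStore()
    naive.handle("session-1", "book")            # first client
    merged = naive.handle("session-1", "lamp")   # second client sees both items

    store = SessionStore()
    a = store.handle(None, "book")               # first client, no cookie yet
    b = store.handle(None, "lamp")               # second client, no cookie yet
    c = store.handle("session-1", "pen")         # made-up id is not adopted
    return merged, a, b, c
```
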