Re: Session-Id

According to Koen Holtman:
> John Franks:
> >3. Server initiated session-ids have strictly greater generality.
> >In particular, if you *really want* a server side data base you
> >can have it using the server supplied cookie as a key.
> They have no greater generality at all as far as I know.  Could you
> give an example?

Everything which can be done with client-initiated session-ids can
be done with server initiated session-ids.  The server can issue a
random number as session-id and treat it as if it were issued by the client.

The reverse is not true.  There is no way to do any client-side data
bases (like the Netscape implementation of shopping baskets) with
server initiated session-ids.  Similar functionality might be achieved
with a server-side data base, but not as cleanly (the server has no
way of knowing when the session ends).  In any case, the possible 
*implementations* with server initiated are strictly more general.

You can argue that client initiated session-id is easier to implement in
the client, but the only existing implementation in a client (of which
I am aware) is server-side initiated.

John Franks

Received on Friday, 21 July 1995 12:12:07 UTC