Re: Session-Id

Previous messages by
	John Franks,
and	Vania Joloboff, <>
prompt me to dredge up my old proposal from April 18, 1995, which echoes
what John has said:

    I think the basic technique should work as follows:
    1) The server is free to return (or not) to the client a SessionID
    response header.
    2) The client should (but need not, particularly to provide
    compatibility with existing clients) send a SessionID request header to
    a given host.  The header should be whatever SessionID header the
    client last got from that host, independent of the URLs requested.
    3) The content and meaning of the SessionID header are opaque to the

    One problem with this proposal is what should proxies do with
    SessionID?  Here's one proposal.  Don't use SessionID as part of the
    cache key.  If a document is in the cache, return it, and reflect back
    to the client any SessionID sent by the client.  If the document is not
    in the cache, pass through any SessionID.

The user can set the client not to return SessionIDs if privacy is a

As was pointed out in April, my proposal is much the same as Netscape's
cookies, except I think it's lighter weight.  The client doesn't have
to interpret the Session IDs any further than to know to return what it
last got from a host it's about to revisit.  The server can incorporate
in the opaque value any time dependencies and interpret them accordingly.
Nearly all of the smarts concerning the Session ID would reside in the
server, which is where I think they belong.  The client merely has to
choose to be cooperative.

Dave Kristol

Received on Friday, 21 July 1995 12:25:01 UTC