> I am honestly puzzled why there seems to be a focus on client initiated
> session-id when server initiated seems to have so many advantages.
> Consider:
> 1. Server initited session-ids won't exist if the server doesn't need
> or want it. Most servers never will want it. Why penalize them.
> 2. Modest amounts of information (e.g. shopping baskets) can be kept
> in the session cookie, i.e. in a *client-side* data base. This scales;
> server-side data bases of session information don't.
> 3. Server initiated session-ids have strictly greater generality.
> In particular, if you *really want* a server side data base you
> can have it using the server supplied cookie as a key.
> 4. New session-ids are automatic when the client switches to a
> different server. Also if the client returns to a previously visited
> server in the same session the session id is restored. This could
> be done with client initiated session-ids also, but I haven't seen
> that in any of the proposals.
I support you for server generated ids.
Moreover, client generated ids may not be unique.
Two independent clients could generate the same id and
confuse the server.
Vania