Re: Session-Id

Vania Joloboff (vania@gr.osf.org)
Fri, 21 Jul 95 17:21:24 +0200

John Franks writes:

> I am honestly puzzled why there seems to be a focus on client initiated
> session-id when server initiated seems to have so many advantages.
> Consider:

> 1. Server initiated session-ids won't exist if the server doesn't need
> or want it. Most servers never will want it. Why penalize them?

> 2. Modest amounts of information (e.g. shopping baskets) can be kept
> in the session cookie, i.e. in a *client-side* data base. This scales;
> server-side data bases of session information don't.

> 3. Server initiated session-ids have strictly greater generality.
> In particular, if you *really want* a server side data base you
> can have it using the server supplied cookie as a key.

> 4. New session-ids are automatic when the client switches to a
> different server. Also if the client returns to a previously visited
> server in the same session the session id is restored. This could
> be done with client initiated session-ids also, but I haven't seen
> that in any of the proposals.

I support you for server generated ids.

Moreover, client generated ids may not be unique.
Two independent clients could generate the same id and
confuse the server.

Vania
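
The collision described in this message, shown as an added example that is not part of the original thread: a store that trusts client-chosen ids next to one that issues its own ids and uses them as the key to a server-side table. The class names, the basket items and the client-picked id "1" are constructed for illustration.

```python
import secrets


class ClientChosenIdStore:
    """Trusts whatever session id the client sends."""

    def __init__(self):
        self.sessions = {}

    def handle(self, client_id, item):
        # Any client presenting the same id lands in the same basket.
        basket = self.sessions.setdefault(client_id, [])
        basket.append(item)
        return list(basket)


class ServerIssuedIdStore:
    """Issues ids itself and only honours ids it issued earlier."""

    def __init__(self):
        self.sessions = {}

    def handle(self, presented_id, item):
        # Unknown or missing ids are never adopted; a fresh one is minted.
        if presented_id not in self.sessions:
            presented_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            self.sessions[presented_id] = []
        self.sessions[presented_id].append(item)
        return presented_id, list(self.sessions[presented_id])


def demo():
    # Two independent clients both happen to pick the id "1" (constructed).
    weak = ClientChosenIdStore()
    weak.handle("1", "alice: book")
    mixed = weak.handle("1", "bob: lamp")  # bob now sees alice's basket

    strong = ServerIssuedIdStore()
    alice_id, _ = strong.handle(None, "alice: book")
    bob_id, bob_basket = strong.handle("1", "bob: lamp")  # "1" is ignored
    _, alice_basket = strong.handle(alice_id, "alice: pen")
    return mixed, alice_id, bob_id, alice_basket, bob_basket


if __name__ == "__main__":
    print(demo())
```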