Re: [http-state] Whether to recommend the cookie protocol (was Re: I-D Action:draft-ietf-httpstate-cookie-04.txt)

Peter Saint-Andre <stpeter@stpeter.im> Wed, 24 February 2010 23:50 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3F3DE28C269 for <http-state@core3.amsl.com>; Wed, 24 Feb 2010 15:50:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.595
X-Spam-Level:
X-Spam-Status: No, score=-2.595 tagged_above=-999 required=5 tests=[AWL=0.004, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BP06YwqAejJF for <http-state@core3.amsl.com>; Wed, 24 Feb 2010 15:49:59 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id AD27E28C125 for <http-state@ietf.org>; Wed, 24 Feb 2010 15:49:59 -0800 (PST)
Received: from dhcp-64-101-72-201.cisco.com (dhcp-64-101-72-201.cisco.com [64.101.72.201]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id D920340126; Wed, 24 Feb 2010 16:52:07 -0700 (MST)
Message-ID: <4B85BBA6.7040604@stpeter.im>
Date: Wed, 24 Feb 2010 16:52:06 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <5c4444771002231855s36391fdfgd30a1ebc57722915@mail.gmail.com> <4B84A55E.6000304@stpeter.im> <5c4444771002232011x7ef1a15dj23a5b58357915fa6@mail.gmail.com>
In-Reply-To: <5c4444771002232011x7ef1a15dj23a5b58357915fa6@mail.gmail.com>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms060905030307090100080703"
Cc: http-state@ietf.org
Subject: Re: [http-state] Whether to recommend the cookie protocol (was Re: I-D Action:draft-ietf-httpstate-cookie-04.txt)
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2010 23:50:01 -0000

On 2/23/10 9:11 PM, Adam Barth wrote:
> On Tue, Feb 23, 2010 at 8:04 PM, Peter Saint-Andre <stpeter@stpeter.im> wrote:
>> On 2/23/10 7:55 PM, Adam Barth wrote:
>>> On Tue, Feb 23, 2010 at 9:10 AM, Anne van Kesteren <annevk@opera.com> wrote:
>>>> On Tue, 23 Feb 2010 17:15:04 +0100, <Internet-Drafts@ietf.org> wrote:
>>>>> The cookie protocol has many
>>>>> historical infelicities and should be avoided for new applications of
>>>>> HTTP.
>>>>
>>>> What exactly does this mean?
>>>
>>> It means that we don't think new applications of HTTP (e.g., SIP)
>>> should use the cookie protocol.  Cookies have caused significant
>>> security problems for the web.  For new applications, it's probably a
>>> good idea to use another state management mechanism.
>>
>> Could you explain the sense in which SIP is an application of HTTP?
> 
> Oh, I could be using the wrong terminology here.  How would you
> describe the relation between SIP and HTTP?

As far as I can see, there is none, which is why I'm confused. SIP is a
non-web, non-HTTP technology. The same is true of XMPP. Now, some
non-web, non-HTTP technologies have bindings to HTTP, often achieved
using long polling (this is true of XMPP, whose "BOSH" technology is
used to emulate TCP connections via long polling over HTTP). In that
case the HTTP binding might use cookies but typically does not. But
natively a technology like SIP or XMPP is utterly distinct from HTTP.

>> I'm
>> trying to understand which of the following best captures what you are
>> saying:
>>
>> 1. Non-web technologies SHOULD NOT use cookies but instead SHOULD define
>> their own application-specific methods for state management.
>>
>> 2. Non-web technologies that define bindings to HTTP (e.g., the HTTP
>> binding for XMPP defined in [BOSH]) SHOULD NOT use cookies even within
>> such a binding but instead SHOULD define their own application-specific
>> methods for state management.
> 
> I'm not sure what the difference between these options is. 

It might be a distinction without a difference. See above on HTTP
bindings vs. native modes for technologies like SIP and XMPP.

> I'm not
> sure we should recommend application-specific state management.
> Instead, we should aim for a general-purpose HTTP state management
> mechanism that doesn't suck (in phase two, of course).

Right, but are we aiming for a general-purpose state management
mechanism or a general-purpose *HTTP* state management mechanism? If the
former, we're designing for SIP and XMPP and FTP and Gopher and SMTP and
HTTP and any other application-level technology. If the latter then the
job is much easier (though still hard).

Do we really need to say anything about non-HTTP technologies in an
informational document on HTTP state management? It's not clear to me
that we do.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/