Re: HTTP router point-of-view concerns

Willy Tarreau <> Sun, 14 July 2013 05:51 UTC

Date: Sun, 14 Jul 2013 07:48:40 +0200
From: Willy Tarreau <>
To: Stephen Farrell <>
Cc: Yoav Nir <>, Poul-Henning Kamp <>, Mark Nottingham <>, Sam Pullara <>, HTTP Working Group <>

On Sat, Jul 13, 2013 at 11:40:19PM +0100, Stephen Farrell wrote:
> It's a bit of a moot point I guess but...
> On 07/13/2013 09:24 PM, Yoav Nir wrote:
> > allow it to persist for as long as you want
> I've always been amused that HTTP needs to be able to
> manage state for decades. It'd be truly impressive if
> a browser really managed state that lasts far longer
> than the h/w on either side and probably also longer
> than any piece of n/w kit in between.
> If HTTP/2.0 were to impose an upper bound on cookie
> lifetime of say, a session, that'd be good IMO. But I
> guess that probably would be out of charter, even if
> it'd be a good thing, as it'd break stuff. OTOH, it'd
> arguably be a good thing to leave such stuff behind when
> moving to HTTP/2.0.

I think that *session* cookies are needed, but *permanent* cookies
are mostly used by ads and user tracking, even if a few sites use
them to store user preferences.

One elegant solution would probably be to systematically have UAs
ask end users whenever a cookie is sent to be stored for more than
(say) 24h. Site designers will take care of this because they don't
want to make their site emit warnings that upset end users.

And if the cookie is used to store preferences, it is normal that
the user gives the permission to do that.

Also, we should probably recommend that UAs automatically expire
session cookies after some time (maybe the same delay limit that
is used before emitting a warning). I've dealt with issues where
some smartphone browsers never close and never delete session
cookies, causing the same browser to always go to the same server
past the load balancer. In the end, I had the LB detect those
cookies to fix them!
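
The two user-agent rules proposed in the message above (ask the user before storing a cookie for more than 24h, and expire session cookies after the same delay), as an added example that is not part of the original message or of any browser's code. The function names, the `LIMIT` constant and the sample cookies are assumptions constructed for illustration; Max-Age taking precedence over Expires follows RFC 6265.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

LIMIT = timedelta(hours=24)  # the "(say) 24h" figure from the message


def requested_lifetime(set_cookie, now):
    """Lifetime a Set-Cookie value asks for, or None for a session cookie."""
    max_age = expires = None
    for attr in set_cookie.split(";")[1:]:  # element 0 is name=value
        name, _, value = attr.strip().partition("=")
        try:
            if name.lower() == "max-age":
                max_age = timedelta(seconds=int(value))
            elif name.lower() == "expires":
                expires = parsedate_to_datetime(value.strip())
        except (TypeError, ValueError, OverflowError):
            continue  # an unparsable attribute is ignored (RFC 6265 section 5.2)
    if max_age is not None:  # Max-Age takes precedence over Expires
        return max_age
    if expires is not None:
        if expires.tzinfo is None:  # "-0000" zone parses as naive; treat as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None


def classify(set_cookie, now):
    """Return 'session', 'delete', 'store' or 'prompt' for one Set-Cookie value."""
    lifetime = requested_lifetime(set_cookie, now)
    if lifetime is None:
        return "session"
    if lifetime <= timedelta(0):
        return "delete"  # already expired: the server is removing the cookie
    return "prompt" if lifetime > LIMIT else "store"


def session_cookie_stale(stored_at, now):
    """Second proposal: drop session cookies older than the same limit."""
    return now - stored_at > LIMIT


if __name__ == "__main__":
    now = datetime(2013, 7, 14, 5, 48, 40, tzinfo=timezone.utc)
    for sc in ("SRV=s1; Path=/", "sid=abc; Max-Age=3600",  # constructed samples
               "prefs=dark; Expires=Mon, 14 Jul 2014 05:48:40 GMT"):
        print(classify(sc, now), "<-", sc)
```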