Re: HTTP router point-of-view concerns

Yoav Nir <ynir@checkpoint.com> Sat, 13 July 2013 20:26 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
CC: Mark Nottingham <mnot@mnot.net>, Sam Pullara <spullara@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Date: Sat, 13 Jul 2013 20:24:24 +0000
Message-ID: <29B4ED34-8A7F-477F-AC80-47BC2205198F@checkpoint.com>
Archived-At: <http://www.w3.org/mid/29B4ED34-8A7F-477F-AC80-47BC2205198F@checkpoint.com>

On Jul 13, 2013, at 10:11 AM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:

> In message <22115082-53F8-433C-9497-755800803B93@checkpoint.com>, Yoav Nir writes:
> 
>> This thread has forked to discussing session management. I'd like to call
>> your attention to the fact that in the past, this working group was
>> considered too busy with HTTP/2.0 to spend time on things like session
>> management or HTTP authentication schemes. For this reason it was suggested
>> that the WebSec working group work on session management.
> 
> Then just call it a "flow-routing-label" here, and let WebSec figure
> out for themselves that it can also be used as a session identifier.
> 
> There's no need to let procedural overhead get in the way of good ideas.

It's more than procedural. Whatever is wrong with the use of cookies to manage sessions is wrong in HTTP/1.x just as much as it is in /2.0.

There will come a day when we can say that HTTP/1.1 is only for legacy applications, and that it's fine to make sweeping changes only in HTTP/2.0 (or perhaps introduce them in HTTP/3.0). That day is not today, and if we're going to fix it, we might as well fix it in 1.0 as well.

Your proposal (http://lists.w3.org/Archives/Public/ietf-http-wg/2013JulSep/0284.html) includes prohibiting cookies on HTTP/2.0. This directly conflicts with this working group's goal of creating a protocol that is a drop-in replacement for HTTP/1.1. If I have a web application running on an Apache server that makes use of cookies to handle session management, I can't just install modhttp2, add a line in the config file and have everything continue to work. I would have to do significant work to make my website work with HTTP/2.0. If we accept your proposal, this would be an impediment to deploying HTTP/2.0.

So I think that a new session management scheme is something that should be orthogonal to HTTP version, and should be a separate work item. This is regardless of whether that work item belongs in httpbis or in websec. 

It should also be noted that you're missing two requirements from session management:
 1. That the session be bound to an authenticated identity.
 2. That users won't have to authenticate too often.

This is easy to accomplish with cookies: you set the cookie when the user authenticates, and you allow it to persist for as long as you want. I'm not sure how this can be accomplished by a session identifier chosen by the UA.

Yoav
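As an added illustration of the two requirements listed in the message above (example code written for this archive page, not code from the thread or from any participant): a server-side session store that mints the cookie only once credentials have been verified, so the identifier is bound to an authenticated identity, lets the server choose how long it persists, and rejects any identifier the server itself never issued. The credential table, cookie name and lifetime are constructed for the example.

```python
import hmac
import secrets

# Constructed credential table for the example only; a real server would
# store password hashes, never plaintext.
CREDENTIALS = {"alice": "correct horse"}

# Server-side session store: opaque cookie value -> (identity, expiry time).
# The cookie value carries no meaning on its own; the binding to an
# authenticated identity lives here, on the server.
SESSIONS = {}


def authenticate(username, password, now, lifetime=8 * 3600):
    """Verify credentials; on success mint a session bound to that identity.

    Returns the Set-Cookie header value the server would send, or None when
    authentication fails. The server, not the user agent, picks both the
    identifier and how long it stays valid.
    """
    expected = CREDENTIALS.get(username)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    token = secrets.token_urlsafe(32)          # unguessable, server-chosen
    SESSIONS[token] = (username, now + lifetime)
    return f"SID={token}; Max-Age={lifetime}; Path=/; Secure; HttpOnly; SameSite=Lax"


def identity_for(cookie_header, now):
    """Resolve a request's Cookie header to the authenticated identity.

    A value the server never issued (for instance one chosen by the UA) has
    no binding and yields None; an expired session is evicted and also
    yields None, which forces re-authentication only when the server's
    chosen lifetime has run out.
    """
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != "SID":
            continue
        entry = SESSIONS.get(value)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            del SESSIONS[value]
            return None
        return user
    return None
```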