Re: HTTP router point-of-view concerns

Yoav Nir <> Fri, 12 July 2013 19:49 UTC

From: Yoav Nir <>
To: Willy Tarreau <>
CC: Poul-Henning Kamp <>, Mark Nottingham <>, Sam Pullara <>, James M Snell <>, Martin Thomson <>, Amos Jeffries <>, HTTP Working Group <>
Thread-Topic: HTTP router point-of-view concerns
Date: Fri, 12 Jul 2013 19:46:46 +0000


This thread has forked to discussing session management. I'd like to call your attention to the fact that in the past, this working group was considered too busy with HTTP/2.0 to spend time on things like session management or HTTP authentication schemes. For this reason it was suggested that the WebSec working group work on session management. 

Right now, on the WebSec mailing list ([1]) there is a thread ([2]) about taking on this work. Being engineers, the discussion there is veering towards solutions before there's even an agreed-upon problem statement, but that's beside the point. If you are interested in defining an alternative to session management based on session cookies, please subscribe ([3]) to the WebSec mailing list and say so.




On Jul 12, 2013, at 3:56 PM, Willy Tarreau <> wrote:

> Hi Poul-Henning,
> On Fri, Jul 12, 2013 at 11:44:55AM +0000, Poul-Henning Kamp wrote:
>> In message <>, Mark Nottingham writes:
>>> This has been brought up a number of times. I think what we need is a
>>> concrete proposal *with* a detailed plan for a workable transition to
>>> the new mechanism -- which seems to be the (or at least one) sticking
>>> point whenever this comes up.
>>
>> I have given a concrete example multiple times, it's very simple:
>>
>> 	The client always sends along a session-identifier of N (128?)
>> 	bits.
>>
>> 	If the first bit is zero, this is an anonymous, transient
>> 	session, not (to be) associated with any other session.
>>
>> 	If the first bit is one, this is a persistent session
>> 	identifier, which the server can use to look up any relevant
>> 	state or information from previous instances of this
>> 	session, in its local database.
>>
>> 	This replaces the Cookie: and Set-Cookie: headers, which
>> 	SHALL NOT be sent in the HTTP/2.0 protocol.
>>
>> Advantages:
>>
>> 	We get a fixed size session-identifier for HTTP routers to
>> 	use for flow-routing.
>>
>> 	We get an actual (client controlled) session-concept, rather
>> 	than all sorts of ad-hoc simulations with cookies.
>>
>> 	Data with privacy-concerns are stored on the server not on
>> 	random clients the user happens to borrow or use.
>>
>> 	The overhead of encrypting and signing the data in cookies
>> 	is avoided, since they are stored on the server side where
>> 	nobody can fudge them.
>>
>> Backwards compatibility:
>>
>> 	It should be obvious that simulating the Cookie concept for
>> 	framework compatibility on the server side is a trivial
>> 	matter of programming:  Rather than send set-cookies, write
>> 	them to a database, indexed by the session-id.  Rather than
>> 	receive Cookie: headers, look them up in the database.
>>
>> There, solved.
>
> Not really in fact. While I tend to generally agree with the points
> you make for scalability, this one does not scale. One of the big
> benefits of cookies is that client is responsible for synchronizing
> information between multiple servers *if needed*. When you're building
> an architecture using anycast DNS + ECMP + L4 load balancers to reach
> your servers, you can't predict if a client will come back to the same
> place to retrieve its context, and having the ability to make it hold
> *some* data is really useful.
>
> If you store everything on server-side, you're forced to synchronize
> everything between all servers of all datacenters because you don't
> even know where your client will go with next hit, let alone parallel
> requests. And this is clearly not possible on many of the platforms
> where both of our products are deployed to achieve connection rates
> in the 6 digits.
>
> So there *is* some use to store data on the client, it's just that it
> has been long abused to store session identifiers because it was the
> only mechanism available.
>
> While I'd like to see a simple session management system (like the one
> you propose maybe, even if it does not cover the case of low entropy
> client devices), I don't want to see the cookies disappear. I just want
> to be able to rely on session ID without having to parse cookies when
> that's not needed.
>
> Regards,
> Willy
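
The session-identifier proposal quoted above, and the synchronisation objection raised in reply, as an added sketch that is not part of the original thread. The `Server` class, the dict standing in for the "local database", `replicate_to`, and the choice to keep transient sessions in memory only are assumptions made for illustration.

```python
import secrets

ID_BYTES = 16  # N = 128 bits, the size floated in the proposal


def new_session_id(persistent: bool) -> bytes:
    """Client side: random identifier whose first bit carries the session kind."""
    raw = bytearray(secrets.token_bytes(ID_BYTES))  # CSPRNG; 127 random bits remain
    raw[0] = (raw[0] | 0x80) if persistent else (raw[0] & 0x7F)
    return bytes(raw)


def is_persistent(session_id: bytes) -> bool:
    """Router/server side: a fixed size means a length check plus one bit test."""
    if len(session_id) != ID_BYTES:
        raise ValueError("session identifier must be exactly 128 bits")
    return bool(session_id[0] & 0x80)


class Server:
    """One backend with its own local database (a dict stands in for it)."""
    def __init__(self) -> None:
        self.database = {}   # persistent sessions: id -> {cookie name: value}
        self.transient = {}  # transient sessions: memory only (assumption)

    def _store(self, session_id: bytes) -> dict:
        return self.database if is_persistent(session_id) else self.transient

    def set_cookie(self, session_id: bytes, name: str, value: str) -> None:
        """Instead of sending Set-Cookie, write to the store indexed by session-id."""
        self._store(session_id).setdefault(session_id, {})[name] = value

    def cookies(self, session_id: bytes) -> dict:
        """Instead of receiving Cookie:, look the values up by session-id."""
        return dict(self._store(session_id).get(session_id, {}))

    def replicate_to(self, other: "Server") -> None:
        """The cross-server synchronisation that server-side state requires."""
        for sid, jar in self.database.items():
            other.database.setdefault(sid, {}).update(jar)


def demo() -> tuple:
    sid = new_session_id(persistent=True)
    dc1, dc2 = Server(), Server()      # two datacenters behind anycast/ECMP
    dc1.set_cookie(sid, "lang", "en")  # first request lands on dc1
    before = dc2.cookies(sid)          # next request lands on dc2: no context yet
    dc1.replicate_to(dc2)
    return before, dc2.cookies(sid)
```

`demo()` returns the cookie jar the second datacenter sees before and after replication; with client-held cookies the first lookup would already have carried the data.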