Re: [hybi] workability (or otherwise) of HTTP upgrade

["Simon Pieters" <simonp@opera.com>]

On Fri, 10 Dec 2010 00:46:34 +0100, John Tamplin <jat@google.com> wrote:

> On Thu, Dec 9, 2010 at 2:42 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
>
>> On Thu, Dec 9, 2010 at 11:26 AM, Scott Ferguson <ferg@caucho.com> wrote:
>> > When the draft used GET+Upgrade, servers could reuse things like the  
>> HTTP
>> > authentication, cookie headers, etc., and reuse the existing protocol
>> stack
>>
>> I believe HTTP cookies shouldn't be included in WS, and I'll make that
>> case in time.
>>
>> http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html
>> HTTP cookie is a mess, we don't want to introduce that mess to WS. And
>> even worse, if WS interacts with cookies too, it will add yet another
>> dimension of  complexity to the existing mess. HTTP is connection-less
>> in spirit, WS is connection-ful and stateful in nature, some benefits
>> of cookies to HTTP don't apply to WS. If an app needs to transmit HTTP
>> cookies to WS app, it's easy to do without any help from WS protocol.
>> If we must have a persistent tag for different WS connections from
>> same user, we can introduce a much simpler and cleaner mechanism. But
>> say no to cookies.
>>
>
> The app can't send HTTP-only cookies, since it has no access to them.   
> One
> of the big problems with cookies in HTTP is that you send them on every
> request so they can take up a sizeable percentage of the bandwidth of the
> request, but in WebSockets that isn't a problem.
>
> Whatever cookies shortcomings, they are still being used and there is no
> viable replacement so I don't think we should drop support for them in
> WebSockets.

But what is the use case for cookies in WebSockets? (If it has been  
discussed before then I have missed it and would appreciate pointers.)

-- 
Simon Pieters
Opera Software