I like Mridul's idea of better implementation notes -- what else would that section include?
Peter Mridul Muralidharan wrote:
Hi Ian, Since we recommend https, I am not really sure how useful this will be.But for http case, do we need to specify this in the main spec itself (it is a impl-deploy decision) ? Cookie handling is covered by http on top of which 124 is built.Maybe an informational xep for 124 would be a good idea where all the implementation hints could be included (including impl hints on http, recommended version related mapping). So that the core specs are free of these details and only document the protocol.Regards, Mridul Ian Paterson wrote:Bill Bishop pointed out off-list that BOSH (XEP-0124) currently does not enable off-the-shelf (hardware) HTTP load balancers to be used. Such load balancers know about 'Set-Cookie' and 'Cookie' HTTP headers, but not about BOSH 'sid' attributes.A small optional addition to the protocol will allow the "Cookie Passive Sticky" or "Cookie Insert Sticky" modes of hardware load balancers to be employed to distribute a connection manager's load amoungst a cluster of machines. I propose adding something like the following two paragraphs to XEP-0124:"Some connection managers may choose to employ "off-the-shelf" "sticky session" HTTP load balancers. To enable such load balancing, a connection manager MAY include a "real server ID" value in an HTTP "Set-Cookie" header (see RFC 2965) in its Session Creation Response. The value MAY be the same as the 'sid' attribute of the <body/> element of the response. If a client receives a "Set-Cookie" header from the connection manager then it SHOULD treat the value as opaque, and set the value of the HTTP "Cookie" header of all its subsequent HTTP requests during the session to the value it received in the "Set-Cookie" header. If a connection manager receives a Session Creation Request that includes a "Cookie" header then it SHOULD ignore the value of the cookie.""Note that clients running in restricted environments may not be able to read and/or set HTTP cookies, worse, some platforms or network components remove cookie-related headers. A connection manager SHOULD NOT rely on a client being able to return a cookie with each request."Thoughts? - Ian
smime.p7s
Description: S/MIME Cryptographic Signature
