-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 9/30/09 2:02 PM, Mike Cumings wrote: > Peter, > > Would this not require an addition to XEP-0124 to specify the explicit > handling of cookie headers?
Yes, it would. > I'm thinking specifically of the > following text in XEP-0124 section 5: > > "Requests and responses MAY include HTTP headers not specified herein. > The receiver SHOULD ignore any such headers" > > As-is, XEP-0124 specifies that the incoming "Set-Cookie" header be > ignored, not reflected back to the CM in the "Cookie" header on > subsequent requests. When Ian Paterson took over maintenance of XEP-0124 from Dave Smith, he was adamant that we support the most minimal subset of browsers (or even HTTP user agents). While that was a laudable goal, it's not clear to me that we need to be so stringent nowadays. > If cookies are to be used, perhaps some additional specification > language could be added with respect to not requiring support for > cookie expiration? I'd have to dig into the cookie spec a bit to > verify this would be possible but I'm hoping it would allow the > content of the "Set-Cookie" header to be blindly reflected back in > subsequent requests without the client explicitly having to parse the > cookie header value (and thereby have to implicitly also support the > cookie spec) when the client does not implicitly support cookies > (e.g., the client does not reside in a browser). Yes, that seems reasonable. > One final note - the load balancer would need to be given knowledge of > the BOSHSESSIONID variable before it would operate as desired. > SESSIONID, being in standard use, would work out of the box. Do intermediaries look for "SESSIONID" specifically? I'm not an HTTP expert, but it's my understanding that different application servers use different cookie names -- JSESSIONID, PHPSESSID, and so on. I don't think that they all use "SESSIONID" but I might be wrong about that. /psa -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrDyJ4ACgkQNL8k5A2w/vxdkQCfRyis47lS7W94hBaVpUwAelIi hucAn1QlGnJHm3aOIlmcW5iLyLBUrdi2 =g4ud -----END PGP SIGNATURE-----
