Hi,

On Mon, Jun 25, 2012 at 2:26 PM, Jukka Zitting <[email protected]> wrote:
> By default the HTTP binding could simply use a fresh new session for
> each HTTP request, but it should be possible for a client to request a
> longer-lived session for more complex content modifications (import,
> batch jobs, etc.) or for getting a stable snapshot for larger reads
> (export, query, etc.) that shouldn't change while reading. I was
> thinking of handling such cases by allowing the client to generate
> such a session with a specific POST request that responds with a
> redirect to a temporary session URL that exposes the normal content
> tree as seen through that session. We'd use a lease mechanism to
> control the lifetime of such server-side sessions.

As a nice extra benefit, such a solution gives us effective protection against CSRF attacks if we require that all writes need to go through such sessions, with the session URL acting as a token that the potential attacker can't access or use.

BR,

Jukka Zitting
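The exchange sketched above, as an added model written for this page rather than code from the Oak project or its HTTP binding: a POST creates a server-side session and redirects to an unguessable session URL, reads under that URL see a stable snapshot plus the session's own pending changes, every use renews a lease, and writes outside a session URL are refused so a cross-site request, which cannot learn the token, has nothing to hit. The paths (`/sessions`, `/commit`), the lease length, the dict-based content tree and the in-process request dispatch are all assumptions made for the illustration.

```python
import secrets
import time
from dataclasses import dataclass, field

SESSION_PREFIX = "/sessions/"   # assumed URL layout, not Oak's


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class ServerSession:
    """Server-side session: a stable snapshot plus pending, uncommitted changes."""
    snapshot: dict
    expires_at: float
    changes: dict = field(default_factory=dict)


class HttpBinding:
    """Constructed model of the proposed binding. Plain GETs get a throwaway
    per-request view; writes are accepted only under a leased session URL."""

    def __init__(self, lease_seconds=60.0, clock=time.monotonic):
        self.lease_seconds = lease_seconds
        self.clock = clock          # injectable so leases can be tested
        self.content = {}           # stand-in for the repository content tree
        self.sessions = {}          # token -> ServerSession

    def handle(self, method, path, body=None):
        now = self.clock()
        self._expire_leases(now)
        if method == "POST" and path == "/sessions":
            return self._create_session(now)
        if path.startswith(SESSION_PREFIX):
            return self._session_request(method, path, body, now)
        if method == "GET":
            return Response(200, body=self.content.get(path, ""))
        # A write that names no session URL is refused. A forged cross-site
        # request can reach this path but cannot supply a valid token.
        return Response(403, body="writes must go through a session URL")

    def _create_session(self, now):
        # The URL doubles as the CSRF token, so it must be unguessable and
        # must never be derived from anything the browser attaches automatically.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = ServerSession(snapshot=dict(self.content),
                                             expires_at=now + self.lease_seconds)
        return Response(303, headers={"Location": SESSION_PREFIX + token + "/"})

    def _session_request(self, method, path, body, now):
        token, _, subpath = path[len(SESSION_PREFIX):].partition("/")
        session = self.sessions.get(token)
        if session is None:
            return Response(404, body="unknown session or lease expired")
        session.expires_at = now + self.lease_seconds   # every use renews the lease
        subpath = "/" + subpath
        if method == "GET":
            # Reads see the creation-time snapshot overlaid with this session's
            # own changes, unaffected by commits made elsewhere meanwhile.
            return Response(200, body=session.changes.get(subpath, session.snapshot.get(subpath, "")))
        if method == "PUT":
            session.changes[subpath] = body
            return Response(204)
        if method == "POST" and subpath == "/commit":
            self.content.update(session.changes)
            del self.sessions[token]
            return Response(204)
        if method == "DELETE" and subpath == "/":
            del self.sessions[token]        # client releases the lease early
            return Response(204)
        return Response(405)

    def _expire_leases(self, now):
        for token in [t for t, s in self.sessions.items() if s.expires_at <= now]:
            del self.sessions[token]        # uncommitted changes are dropped


def walkthrough():
    """Drives the exchange end to end on a fake clock and returns what each step observed."""
    clock = [0.0]
    binding = HttpBinding(lease_seconds=60.0, clock=lambda: clock[0])
    binding.content["/a"] = "v1"                                   # constructed content
    out = {"forged_write": binding.handle("PUT", "/a", "evil").status}
    created = binding.handle("POST", "/sessions")
    out["create"] = created.status
    base = created.headers["Location"]                             # /sessions/<token>/
    out["session_write"] = binding.handle("PUT", base + "a", "v2").status
    out["session_read"] = binding.handle("GET", base + "a").body   # own change visible
    out["default_read"] = binding.handle("GET", "/a").body         # still uncommitted
    clock[0] = 30.0
    binding.handle("GET", base + "a")                              # renews lease to t=90
    clock[0] = 80.0
    out["commit"] = binding.handle("POST", base + "commit").status
    out["after_commit"] = binding.handle("GET", "/a").body
    idle = binding.handle("POST", "/sessions").headers["Location"]
    binding.handle("PUT", idle + "a", "v3")
    clock[0] = 200.0                                               # lease lapsed at t=140
    out["expired"] = binding.handle("GET", idle + "a").status
    out["after_expiry"] = binding.handle("GET", "/a").body         # v3 was never committed
    return out
```

The model keeps the two properties the message relies on separate: the token carries the write authorisation, and the lease bounds how long an abandoned session (and its snapshot) can hold server resources. A real binding would additionally send the 303 Location only to the requester and keep it out of logs, since leaking that URL hands the write capability to whoever reads it.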
