On Wed, Oct 09, 2019 at 06:32:12PM +0300, Evgeny wrote:
> On Wed, Oct 9, 2019 at 6:27 PM, Evgeny <xramt...@gmail.com> wrote:
> > According to such logic this "problem" should be resolved for plain TCP
> > c2s as well. Unless it's not solved we should not kill BOSH.
> 
> Ah, and another question arises: why does BOSH actually allow you to restore
> the session without re-authentication, when XEP-0198 doesn't? Is BOSH a more
> secure transport?

HTTP is short-lived and stateless, so the XMPP server needs to keep the session
alive between requests and also for a certain period of time (usually ~60s)
after it has received the last request.

Because HTTP is stateless, individual requests need to be "authenticated" as
well. This is done with a session token and a continuously incrementing request
token, both of which need to be included per request.

"Restoring" a session means simply making a new request within the timeout
period. Whether the browser tab has been reloaded in the meantime is
irrelevant.


_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
_______________________________________________
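
The per-request check described in the reply above, sketched as an added example (not code from the thread or from any XMPP server). It is a simplified model in which the server accepts only the next request token; the class and function names are hypothetical, and the 60-second timeout follows the "~60s" mentioned above.

```python
import secrets

INACTIVITY = 60  # seconds the session outlives its last request (assumed from "~60s")


class BoshSessionTable:
    """Simplified server-side model: one entry per authenticated session."""

    def __init__(self):
        self._sessions = {}  # sid -> [next expected rid, time of last request]

    def create(self, first_rid, now):
        """Called once, after the client has authenticated."""
        sid = secrets.token_hex(16)          # unguessable session token
        self._sessions[sid] = [first_rid + 1, now]
        return sid

    def handle(self, sid, rid, now):
        """Check one HTTP request; return 'ok' or the reason it was refused."""
        entry = self._sessions.get(sid)
        if entry is None:
            return "unknown-session"
        expected_rid, last_seen = entry
        if now - last_seen > INACTIVITY:
            del self._sessions[sid]          # timed out: server state is discarded
            return "expired"
        if rid != expected_rid:
            return "bad-rid"                 # replayed or out-of-sequence request
        self._sessions[sid] = [rid + 1, now]
        return "ok"


def demo():
    """Constructed timeline; times are seconds on an arbitrary clock."""
    table = BoshSessionTable()
    sid = table.create(first_rid=1000, now=0)
    return [
        table.handle(sid, 1001, now=5),        # normal request
        table.handle(sid, 1001, now=6),        # same rid sent again
        table.handle(sid, 1002, now=35),       # tab reloaded, kept sid and next rid
        table.handle("0" * 32, 1003, now=36),  # sid the server never issued
        table.handle(sid, 1003, now=200),      # first request after > 60 s of silence
        table.handle(sid, 1004, now=201),      # session no longer exists
    ]


if __name__ == "__main__":
    print(demo())
```

The third request succeeds without any new authentication because the server only checks the two tokens and the timeout; whoever holds the current sid and rid within that window can continue the session.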
