On Wed, Oct 09, 2019 at 06:32:12PM +0300, Evgeny wrote:
> On Wed, Oct 9, 2019 at 6:27 PM, Evgeny <xramt...@gmail.com> wrote:
> > According to such logic this "problem" should be resolved for plain TCP
> > c2s as well. Unless it's not solved we should not kill BOSH.
>
> Ah, and another question is raising: why actually BOSH allows you to restore
> the session without re-authentication, when XEP-0198 doesn't? Is BOSH a more
> secure transport?

HTTP is short-lived and stateless, so the XMPP server needs to keep the session alive between requests and also for a certain period of time (usually ~60s) after it has received the last request. Because HTTP is stateless, individual requests need to be "authenticated" as well. This is done with a session token and a continuously incrementing request token, both of which need to be included per request. "Restoring" a session means simply making a new request within the timeout period. Whether the browser tab has been reloaded in the meantime is irrelevant.
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
_______________________________________________
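The per-request check described in the reply above (session token, incrementing request token, inactivity timeout), as an added example that is not part of the original thread or of any XMPP server's code. The names `BoshSessions`, `check` and `INACTIVITY` are hypothetical, the clock values are constructed, and the model is deliberately strict: it accepts only the exact next request token, which is simpler than what XEP-0124 specifies.

```python
import secrets

INACTIVITY = 60  # seconds; the "~60s" figure from the message above


class BoshSessions:
    """Simplified server-side model, not a full XEP-0124 implementation."""

    def __init__(self):
        self._sessions = {}  # sid -> {"next_rid": int, "last_seen": float}

    def create(self, first_rid, now):
        # Called once, when the session is set up; later requests never
        # re-authenticate, they only present the tokens issued here.
        sid = secrets.token_urlsafe(32)  # unguessable session token
        self._sessions[sid] = {"next_rid": first_rid + 1, "last_seen": now}
        return sid

    def check(self, sid, rid, now):
        """Classify one HTTP request: ok, unknown-sid, expired or bad-rid."""
        state = self._sessions.get(sid)
        if state is None:
            return "unknown-sid"
        if now - state["last_seen"] > INACTIVITY:
            del self._sessions[sid]  # server stops keeping the session alive
            return "expired"
        if rid != state["next_rid"]:
            return "bad-rid"  # replayed or skipped request token
        state["next_rid"] += 1
        state["last_seen"] = now
        return "ok"


def demo():
    s = BoshSessions()
    sid = s.create(first_rid=1000, now=0.0)
    return [
        s.check(sid, 1001, now=5.0),      # normal follow-up request
        s.check(sid, 1002, now=50.0),     # "restored" after a tab reload
        s.check(sid, 1002, now=51.0),     # same request token replayed
        s.check("guess", 1003, now=52.0), # token the server never issued
        s.check(sid, 1003, now=200.0),    # arrives after the timeout
        s.check(sid, 1003, now=201.0),    # session state is gone
    ]


if __name__ == "__main__":
    print(demo())
```

The second call in `demo()` is the "restore" case: nothing distinguishes it from any other request, so anything holding the current sid and next rid within the timeout is accepted.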