On Wed, Oct 09, 2019 at 10:24:54PM +0300, Evgeny wrote:
> On Wed, Oct 9, 2019 at 10:20 PM, Evgeny <xramt...@gmail.com> wrote:
> > I still doubt this is anyhow more secure than session resumption in
> > XEP-0198 (which btw requires real re-authentication).
>
> Let me explain: using BOSH to bypass restriction of XEP-0198 (namely, SASL
> re-authentication) doesn't justify usage of BOSH, in my opinion. Such
> explanation looks really weird, to say the least.
You're arguing against a point nobody made. Nobody advocated using BOSH to bypass restrictions in XEP-0198. The issue Georg mentioned isn't due to anything in XEP-0198. The issue is with the SASL anonymous login mechanism not allowing you to reconnect with the same JID, which happens **before** trying to resume a XEP-0198 session. At least this is the case with Prosody; I haven't tested on other servers.

With websocket, the connection and session immediately drop when you reload the page, and if you used anonymous login, you will then need a way to reconnect and then re-establish your previous session. You can't, however, because SASL anon doesn't allow you to reuse your same JID.

With BOSH you don't have this problem, because the XMPP server keeps the session alive between requests, so you're not re-establishing an old session, you're just sending a new request to the original session. Therefore with BOSH you can reload the page and still maintain your anonymous session, while with websocket you can't.

Non-web clients don't have this problem because their connections are long-lived. With websocket-using web clients, your connection can be terminated at any time when the user reloads the tab.
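To make the BOSH side of this concrete, here is an added example (not code from the thread or from any XMPP library) of the minimal client state a web page has to keep so that a reload continues the same BOSH session instead of re-authenticating: the server-assigned `sid` and the last request id `rid` from XEP-0124. It also handles the failure mode the thread does not mention: once the client has been silent longer than the server's `inactivity` limit, the session is gone and only a new session creation helps. The storage object, domain and server reply are constructed stand-ins.

```javascript
const BOSH_NS = 'http://jabber.org/protocol/httpbind';

// First request of a BOSH session: no sid yet, the server assigns one (XEP-0124 §7.1).
function sessionCreationBody(to, rid) {
  return `<body xmlns="${BOSH_NS}" xmlns:xmpp="urn:xmpp:xbosh" xmpp:version="1.0" ` +
         `rid="${rid}" to="${to}" wait="60" hold="1" ver="1.6"/>`;
}

// Pull sid and inactivity out of the server's reply; rid stays whatever we sent.
function parseSessionCreation(xml, rid) {
  const attr = (n) => (xml.match(new RegExp(`\\b${n}="([^"]*)"`)) || [])[1];
  const sid = attr('sid');
  if (!sid) throw new Error('no sid in session creation response');
  return { sid, rid, inactivity: Number(attr('inactivity') || 60), lastRequestAt: 0 };
}

// Every later request reuses the same sid with rid incremented by one. If the
// client stayed silent longer than the server's inactivity limit, the server has
// already dropped the session, so a fresh session creation is the only option.
function nextRequestBody(session, payload, now) {
  if (now - session.lastRequestAt > session.inactivity * 1000) {
    throw new Error('BOSH session expired; create a new one');
  }
  session.rid += 1;
  session.lastRequestAt = now;
  return `<body xmlns="${BOSH_NS}" sid="${session.sid}" rid="${session.rid}">${payload}</body>`;
}

// `store` stands in for window.sessionStorage (assumption: same getItem/setItem API).
function saveSession(store, s) { store.setItem('bosh', JSON.stringify(s)); }
function loadSession(store) { const r = store.getItem('bosh'); return r ? JSON.parse(r) : null; }

// Walk-through with a constructed server reply and no network.
function reloadDemo() {
  const m = new Map(), store = { getItem: (k) => m.get(k) ?? null, setItem: (k, v) => m.set(k, v) };
  const rid0 = 1573741;
  sessionCreationBody('example.org', rid0);                       // would be POSTed
  const reply = `<body xmlns="${BOSH_NS}" sid="SomeSID123" wait="60" inactivity="30"/>`; // constructed
  const session = parseSessionCreation(reply, rid0);
  nextRequestBody(session, '<presence/>', 1000);                 // rid0 + 1
  saveSession(store, session);
  // --- page reload: in-memory state is gone, only the stored sid/rid survive ---
  const restored = loadSession(store);
  const body = nextRequestBody(restored, '<message/>', 5000);    // same sid, rid0 + 2
  return { sid: restored.sid, rid: restored.rid, body };
}
```

Whether the stored sid belongs in sessionStorage or somewhere else is a per-deployment decision; a leaked sid lets anyone continue that BOSH session, so treat it like the session cookie it effectively is.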
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards