@fbender
Last active August 29, 2015 14:27
[Strawman] Proposal for HTTP Session & User Identification (Persistence)

Goals

  • specify use cases of session management and persistence
  • identify use cases of Cookies not concerning session management and persistence
  • allow a website to act as an identity broker for other websites, (optionally?) factoring in OpenID/Persona/etc.
  • replace Cookies with more user control and enhanced privacy (e.g. allow use case 1 below)
  • find a technical solution for the EU Cookie Law, or rather for the goal behind it
  • propose HTTP Session & User Identification as an HTTP/2 extension (allow Cookie Upgrading?)
  • propose HTTP Session & User Identification as a replacement for Cookies in HTTP/3
  • the spec behaviour should be (largely) polyfill-able via Service Workers, i.e. a user agent without native support can still comply with the spec (requires a complying server)
  • the spec behaviour should be integrated into popular web servers (mostly as extensions, for now)

Requirements

  • allow user agents and/or servers to announce support for HTTP Session & User Identification, e.g. via Cookie "upgrading" (minimally necessary announcement) [for HTTP/2 goal]
  • allow user agents to control session creation (optional: with the option to deny session creation?)
  • allow user agents to control session lifetime
  • allow user agents to control session ID setting [optional] (via ID mangling / bit flipping)
  • allow servers to identify a user's browsing sessions (session tracking)
  • allow servers to specify a max. session lifetime
  • allow servers to set or propose [optional, see above] a session ID
  • allow user agents to control (session) persistence (e.g. denying persistence creation)
  • allow user agents to control (session) persistence lifetime
  • allow user agents to propose a persistence ID
  • allow servers to announce a broker for managing identity recognition (session persistence)
  • allow servers to propose identity recognition (session persistence) to identify a previous visitor (orthogonal to session tracking)
  • allow servers to specify a max. persistence lifetime
  • allow servers to control persistence ID setting (via bit flipping)

Note: Generally, IDs should be proposed by the client (user agent) and can only be modified by the server in a limited way (e.g. last 5 bits) to avoid collisions.

Use Cases

  1. transient sessions

    • tracker T advertises on site A and site B
    • user U visits A
    • T and U negotiate session ID1 for U
    • U visits B
    • T and U negotiate session ID2 for U

    --> session IDs across origins should differ
