Re: Session-ID proposal

Dave Kristol ([email protected])
Mon, 21 Aug 95 10:27:03 EDT


David Morris <[email protected]> wrote on Sun, 20 Aug 1995 17:38:17 -0700 (PDT):

> I must have missed something ... if I build an application which needs
> session like control, I have a real hard time believing that I would
> find any intermediate caching (as in proxy) acceptable. Providing a
> mechanism where any arbitrary user could retrieve information cached
> from a session-id based connection seems like an unnecessary exposure
> of semi-private information.

Yes, you missed some of the discussion on these mailing lists. I agree
that pages that contain user-specific information, such as the current
contents of a shopping basket, are inherently uncachable. But I
contend that it's possible to design a cache-friendly application where
most of the pages are cachable, if you accept that State-Info (my
proposal, http://www.research.att.com/~dmk/session.html) is passed
through intermediaries without becoming part of cache state.

The example I use is a shopping basket application. A vendor shows you
a product description page that has, on the bottom, a link to "My
Current Shopping Basket". The product description page is generic, if
you assume that the link is really to a CGI that eats the accompanying
State-Info and spits back a display of your current basket. So the
product description itself can be cached. Furthermore, because
State-Info should not be cached, the semi-private information is no
more exposed than it otherwise would be for passing through
intermediaries.
>
> On Mon, 14 Aug 1995, Jim Seidman wrote:
>
> > [...]
> > Given these considerations, and the slowly increasing use of "Expires"
> > headers, State-Info could be expensive indeed.

One of Jim's objections was to my (erroneous) assumption that caching
proxies routinely do GET I-M-S to the origin server, so sending
State-Info was cheap. If S-I can't piggy-back with I-M-S, I agree S-I
adds expense. And because Expires is being sent more often, proxies
send I-M-S less often.
>
> Hence, I would contend State-Info will have little impact since
> caching would/should be disabled in most contexts where State-Info
> applies.
Perhaps. There's still value in not shipping the entire document,
however.

Dave Kristol