Subject: Re: [wsrp] What is the symmetrical method for initCookie?
1) The producer will not know when to throw away the session cookie. In the absence of a releaseCookies operation, the only time a producer knows when to kill the user session is when a logged-in user's HTTP session expires. This, in my opinion, is a problem. We have seen cases where customers bump up the session expiry times to large periods. This happens mostly in non-shared machine environments, and there are valid reasons for it. In such situations, if the system just depends on the session expiry times and not on the user logging out, the web server runs out of memory due to the orphaned sessions.

Essentially, we need some way for the consumer to tell the producer that a user has logged out. It doesn't really matter whether it is a releaseCookie call or just a userLogout call -- something that can help the producer identify and clean up the unneeded resources. This is needed with or without initCookie, i.e., even if a system doesn't set cookies but uses URL rewriting to maintain sessions. In any non-trivial system, producers will have resources tied up to a logged-in user. As Ricky wrote, this opens the system up to denial of service attacks; even without the attacks, the system can run out of memory if the expiry times are large, as I stated above. This and security were the main reasons why logouts were invented in the first place.

The main question is whether WSRP, which is an application protocol, should be handling this, or whether this should be handled by something like WS-Security. What are your thoughts on that?

"Rich Thompson" <richt2@us.ibm.com>
07/14/2004 11:37 AM
To: wsrp@lists.oasis-open.org
cc: (bcc: Khurram Mahmood/PeopleSoft)
Subject: Re: [wsrp] What is the symmetrical method for initCookie?

When this was discussed, it was decided that a releaseCookies() was not needed since 1) the Producer may throw cookies away at any time it desires and 2) initCookie() was only placed into the protocol due to the unique initialization needs of clustered servers (and viewed by most as a pollution of the protocol!).

Rich

ricky_frost@peoplesoft.com
07/14/2004 02:21 PM
To: wsrp@lists.oasis-open.org
Subject: [wsrp] What is the symmetrical method for initCookie?

It seems that unless there is a method like "releaseCookie", won't the producer be open to DoS attack, or more likely just running out of resources on a busy server?

Thanks
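The three positions in the thread (a long HTTP session expiry leaves orphaned Producer sessions; a Consumer-initiated release/logout would free them; the Producer may discard cookies unilaterally at any time) can be seen side by side in a small session-registry model. The following is an added illustration written for this page, not code from the WSRP TC, the WSRP specification, or any WSRP implementation. The class and method names (SessionRegistry, init_cookie, touch, release, reap, simulate), the 8-hour expiry, the cap of 100 and the constructed user population are all assumptions chosen for the demonstration.

```python
"""Producer-side session registry modelling the concern raised in the thread.

Added example, not code from the WSRP TC thread or any WSRP implementation.
All names here are hypothetical. The model holds per-cookie Producer resources
and applies three discard policies:
  1. HTTP session expiry only (orphans pile up when the expiry is large),
  2. an explicit release from the Consumer (the missing "releaseCookies"),
  3. a hard cap with least-recently-used eviction, which the Producer can
     apply on its own, without any protocol operation.
"""
from collections import OrderedDict
from typing import Optional


class SessionRegistry:
    def __init__(self, expiry_seconds: float, max_sessions: Optional[int] = None):
        self.expiry = expiry_seconds
        self.max_sessions = max_sessions
        # cookie -> last-activity timestamp; insertion order doubles as LRU order
        self._sessions: "OrderedDict[str, float]" = OrderedDict()
        self.evicted = 0  # sessions dropped by the cap, not by expiry or release

    def init_cookie(self, cookie: str, now: float) -> None:
        """Create (or recreate) the Producer-side resources tied to a cookie."""
        self._sessions.pop(cookie, None)
        self._sessions[cookie] = now
        if self.max_sessions is not None:
            # Policy 3: the Producer throws cookies away whenever it wants to.
            while len(self._sessions) > self.max_sessions:
                self._sessions.popitem(last=False)  # least recently used first
                self.evicted += 1

    def touch(self, cookie: str, now: float) -> bool:
        """Record activity on a cookie. Returns False if it is unknown or expired."""
        self.reap(now)
        if cookie not in self._sessions:
            return False
        self._sessions.move_to_end(cookie)
        self._sessions[cookie] = now
        return True

    def release(self, cookie: str) -> bool:
        """Policy 2: the symmetric operation the thread asks for (explicit logout)."""
        return self._sessions.pop(cookie, None) is not None

    def reap(self, now: float) -> int:
        """Policy 1: drop sessions idle longer than the expiry; returns the count."""
        stale = [c for c, t in self._sessions.items() if now - t > self.expiry]
        for c in stale:
            del self._sessions[c]
        return len(stale)

    def live(self, now: float) -> int:
        """Number of sessions still holding Producer resources at time `now`."""
        self.reap(now)
        return len(self._sessions)


def simulate(users: int, expiry_seconds: float, logout: bool,
             max_sessions: Optional[int] = None) -> dict:
    """Constructed workload: user i logs in at t=i, is active once at t=users+i,
    then walks away. With logout=True the Consumer releases the cookie when the
    user leaves. The registry is measured at t=2*users, right after the last user.
    """
    reg = SessionRegistry(expiry_seconds, max_sessions)
    for i in range(users):
        reg.init_cookie(f"user{i}", float(i))
    for i in range(users):
        reg.touch(f"user{i}", float(users + i))
        if logout:
            reg.release(f"user{i}")
    return {"live": reg.live(float(2 * users)), "evicted": reg.evicted}


if __name__ == "__main__":
    eight_hours = 8 * 3600.0
    print("expiry only   :", simulate(1000, eight_hours, logout=False))
    print("with release  :", simulate(1000, eight_hours, logout=True))
    print("hard cap (100):", simulate(1000, eight_hours, logout=False, max_sessions=100))
```

With an 8-hour expiry and no release, every one of the 1000 departed users still holds a Producer session when the run ends; with an explicit release none do; with the cap, the Producer stays at 100 live sessions at the cost of evicting 900 cookies that may still have belonged to active users, which is the trade-off behind "the Producer may throw cookies away at any time".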