> -----Original Message-----
> From: regext <regext-boun...@ietf.org> On Behalf Of Mario Loffredo
> Sent: Friday, July 8, 2022 2:52 AM
> To: Hollenbeck, Scott <shollenbeck=40verisign....@dmarc.ietf.org>;
> rwilh...@pir.org; regext@ietf.org
> Subject: [EXTERNAL] Re: [regext] Login/Logout Processing (was RE: I-D
> Action: draft-ietf-regext-rdap-openid-15.txt)
>
> Caution: This email originated from outside the organization. Do not click
> links or open attachments unless you recognize the sender and know the
> content is safe.
>
> Hi Scott,
>
> according to my experience with session management, clients and servers
> should operate as follows:
>
> - Normally, a session/login followed by another session/login should result
> in opening a new session on the server with a new session cookie.
>
> - The server sets the session cookie once the session/login is received; the
> client includes the session cookie received from the server in any RDAP
> request within the scope of that session, including session/refresh,
> session/status and finally session/logout.
>
> - If the client sends any request other than session/login including an
> unknown cookie, the server must return an error.
>
> - If the client sends a session/login request including a cookie, the server
> could return an error or ignore the cookie received from the client and hence
> provide the client with a new session cookie. To be decided what the
> server's behaviour should be in that case.
>
> - A server can refuse to open a new session after a session/login if a
> maximum number of concurrent sessions per user exists and the client has
> exceeded that limit. This is to prevent servers from resource starvation.
>
> - A session can be removed by the server due to timeout expiration or
> because a maximum session lifetime exists, regardless of the fact that the
> session is active, and the session has exceeded that limit. This is to prevent
> servers from handling inactive sessions and indefinitely open sessions.
[SAH] Hmm, you're right, Mario. A client could be managing sessions for multiple users, so a login followed by a login probably isn't an error condition unless the second request includes a cookie as you described above. The text needs to address this.

Scott

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
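The server-side rules Mario lists above, as an added illustration that is not part of the thread or of draft-ietf-regext-rdap-openid: a session store that issues a fresh cookie on every session/login (ignoring any cookie presented, one of the two options left open above), rejects unknown cookies on every other request, refuses logins beyond a per-user concurrency limit, and expires sessions on idle timeout or maximum lifetime. The limits, the injectable clock and the request/response shape are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy values; the draft does not fix any of these.
MAX_SESSIONS_PER_USER = 2
IDLE_TIMEOUT = 600       # seconds since the last request in the session
MAX_LIFETIME = 3600      # seconds since session/login, even if still active


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, now=time.time):
        self.now = now           # injectable clock so expiry can be exercised offline
        self.sessions = {}       # cookie value -> Session

    def _expire(self):
        # Drop sessions that idled too long or outlived the maximum lifetime.
        t = self.now()
        for cookie, s in list(self.sessions.items()):
            if t - s.last_seen > IDLE_TIMEOUT or t - s.created > MAX_LIFETIME:
                del self.sessions[cookie]

    def login(self, user, cookie=None):
        """session/login: any presented cookie is ignored and a new one issued,
        unless the user already holds the maximum number of live sessions."""
        self._expire()
        live = sum(1 for s in self.sessions.values() if s.user == user)
        if live >= MAX_SESSIONS_PER_USER:
            return None                       # refuse: concurrency limit reached
        new_cookie = secrets.token_urlsafe(32)
        t = self.now()
        self.sessions[new_cookie] = Session(user, t, t)
        return new_cookie

    def request(self, cookie, op):
        """Any request other than session/login; returns (status, message)."""
        self._expire()
        s = self.sessions.get(cookie)
        if s is None:
            return 401, "unknown or expired session cookie"
        if op == "session/logout":
            del self.sessions[cookie]
            return 200, "session closed"
        s.last_seen = self.now()              # refresh/status/queries keep it active
        return 200, f"{op} ok for {s.user}"
```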