[Standards] Feedback to Compliance Suites 2020

JC Brand lists at opkode.com
Wed Oct 9 19:11:49 UTC 2019


On Wed, Oct 09, 2019 at 06:32:12PM +0300, Evgeny wrote:
> On Wed, Oct 9, 2019 at 6:27 PM, Evgeny <xramtsov at gmail.com> wrote:
> > According to such logic this "problem" should be resolved for plain TCP
> > c2s as well. Unless it's solved, we should not kill BOSH.
> 
> Ah, and another question arises: why does BOSH actually allow you to restore
> the session without re-authentication, when XEP-0198 doesn't? Is BOSH a more
> secure transport?

HTTP is short-lived and stateless, so the XMPP server needs to keep the session
alive between requests and also for a certain period of time (usually ~60s)
after it has received the last request.

Because HTTP is stateless, individual requests need to be "authenticated" as
well. This is done with a session token and a continuously incrementing request
token, both of which need to be included per request.

"Restoring" a session means simply making a new request within the timeout
period. Whether the browser tab has been reloaded in the meantime is
irrelevant.
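The sid/rid mechanism described in the reply above, as an added Python sketch that is not code from the post, from Converse.js or from any XMPP server: the in-memory session store, the strict next-rid rule and the constructed request ids are assumptions used only for illustration.

```python
# Toy model of BOSH (XEP-0124) per-request authentication. Added illustration,
# not code from the original post or any XMPP server: 'sid' is the session token
# and 'rid' the incrementing request token from the mail. The strict next-rid rule
# is a simplification (real connection managers accept a small window of in-flight
# requests); the 60 s inactivity timeout mirrors the figure in the mail.
import secrets
import time

INACTIVITY_TIMEOUT = 60.0  # seconds a session survives without any request


class BoshSessionStore:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # sid -> {"last_rid": int, "last_seen": float}

    def create(self, first_rid):
        sid = secrets.token_urlsafe(16)  # server mints an unguessable session token
        self._sessions[sid] = {"last_rid": first_rid, "last_seen": self._clock()}
        return sid

    def request(self, sid, rid):
        """Authenticate a follow-up request by (sid, rid) alone."""
        now = self._clock()
        for stale in [s for s, st in self._sessions.items()
                      if now - st["last_seen"] > INACTIVITY_TIMEOUT]:
            del self._sessions[stale]
        state = self._sessions.get(sid)
        if state is None:  # unknown or idle-expired: XEP-0124 'item-not-found',
            return "item-not-found"  # the client must re-create and re-authenticate
        if rid != state["last_rid"] + 1:  # replayed or skipped request id
            return "rid-mismatch"
        state["last_rid"], state["last_seen"] = rid, now  # only success refreshes
        return "ok"


def walkthrough():
    """Drive the store with a fake clock; returns the outcome of each step."""
    now = [1000.0]
    store = BoshSessionStore(clock=lambda: now[0])
    sid = store.create(first_rid=4001)                      # constructed rid
    steps = {"next_rid": store.request(sid, 4002)}         # ordinary follow-up
    steps["replayed_rid"] = store.request(sid, 4002)        # same rid again
    steps["skipped_rid"] = store.request(sid, 4010)         # gap in the sequence
    now[0] += 30                                            # tab reloaded 30 s later
    steps["restore_in_window"] = store.request(sid, 4003)   # "restore" = next request
    steps["forged_sid"] = store.request("guessed-sid", 4004)  # constructed bad sid
    now[0] += 61                                            # idle past the timeout
    steps["after_timeout"] = store.request(sid, 4004)
    return steps
```

The walkthrough shows the point of the reply: a reload is invisible to the server as long as the client still holds the sid and the next rid and sends them inside the inactivity window.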