[Standards] Feedback to Compliance Suites 2020
lists at opkode.com
Wed Oct 9 19:11:49 UTC 2019
On Wed, Oct 09, 2019 at 06:32:12PM +0300, Evgeny wrote:
> On Wed, Oct 9, 2019 at 6:27 PM, Evgeny <xramtsov at gmail.com> wrote:
> > According to such logic this "problem" should be resolved for plain TCP
> > c2s as well. Unless it's not solved we should not kill BOSH.
> Ah, and another question is arising: why does BOSH actually allow you to restore
> the session without re-authentication, when XEP-0198 doesn't? Is BOSH a more
> secure transport?

HTTP is short-lived and stateless, so the XMPP server needs to keep the session
alive between requests and also for a certain period of time (usually ~60s)
after it has received the last request.

Because HTTP is stateless, individual requests need to be "authenticated" as
well. This is done with a session token and a continuously incrementing request
token, both of which need to be included per request.

"Restoring" a session means simply making a new request within the timeout
period. Whether the browser tab has been reloaded in the meantime is
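
The per-request check described in the message above, as an added example that is not part of the original post and is not taken from any XMPP server: every request must carry a known session token and exactly the next request token, and a session left idle longer than the timeout is dropped. The class and function names, the sample JID and the timeline are constructed for illustration, and the strict "next value only" rule is a simplifying assumption.

```python
import secrets
from dataclasses import dataclass

INACTIVITY_SECONDS = 60  # the "usually ~60s" from the post; assumed fixed here

@dataclass
class Session:
    jid: str          # identity bound to the session when it was authenticated
    next_rid: int     # the only request token the server will accept next
    last_seen: float  # time of the last accepted request

class SessionTable:
    """Hypothetical server-side state for BOSH-style sessions."""

    def __init__(self):
        self._sessions = {}

    def create(self, jid, first_rid, now):
        sid = secrets.token_urlsafe(32)  # unguessable session token
        self._sessions[sid] = Session(jid, first_rid + 1, now)
        return sid

    def check(self, sid, rid, now):
        """Return (verdict, jid) for one incoming HTTP request."""
        session = self._sessions.get(sid)
        if session is None:
            return ("unknown-sid", None)
        if now - session.last_seen > INACTIVITY_SECONDS:
            del self._sessions[sid]  # timed out: the session is gone for good
            return ("expired", None)
        if rid != session.next_rid:
            return ("bad-rid", None)  # replayed or skipped request token
        session.next_rid += 1
        session.last_seen = now
        return ("ok", session.jid)

def demo():
    """Constructed timeline: login, tab reload, replay, guess, long pause."""
    table = SessionTable()
    sid = table.create("alice@example.org", first_rid=1000, now=0.0)
    return [
        table.check(sid, 1001, now=5.0)[0],       # normal request
        table.check(sid, 1002, now=40.0)[0],      # reloaded tab, saved sid and rid
        table.check(sid, 1002, now=41.0)[0],      # same rid sent again
        table.check("guess", 1003, now=42.0)[0],  # token the server never issued
        table.check(sid, 1003, now=101.0)[0],     # 61s after last accepted request
        table.check(sid, 1003, now=102.0)[0],     # session no longer exists
    ]
```

The second entry in the timeline is the "restore" case: no credentials are presented again, only the saved token pair, which is why both values need the same protection as any other bearer credential.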