[Standards] Feedback to Compliance Suites 2020

JC Brand lists at opkode.com
Thu Oct 10 07:52:08 UTC 2019


On Wed, Oct 09, 2019 at 10:24:54PM +0300, Evgeny wrote:
> On Wed, Oct 9, 2019 at 10:20 PM, Evgeny <xramtsov at gmail.com> wrote:
> > I still doubt this is in any way more secure than session resumption in
> > XEP-0198 (which btw requires real re-authentication).
> 
> Let me explain: using BOSH to bypass the restriction of XEP-0198 (namely, SASL
> re-authentication) doesn't justify the use of BOSH, in my opinion. Such an
> explanation looks really weird, to say the least.

You're arguing against a point nobody made.

Nobody advocated using BOSH to bypass restrictions in XEP-0198.
The issue Georg mentioned isn't due to anything in XEP-0198.

The issue is with the SASL anonymous login mechanism not allowing you to
reconnect with the same JID, which happens **before** trying to resume a
XEP-0198 session.

At least this is the case with Prosody; I haven't tested on other servers.

With WebSocket, the connection and session immediately drop when you reload
the page, and if you used anonymous login you will then need a way to
reconnect and re-establish your previous session. You can't, however,
because SASL ANONYMOUS doesn't allow you to reuse the same JID.

With BOSH you don't have this problem because the XMPP server keeps the session
alive between requests, so you're not re-establishing an old session, you're
just sending a new request to the original session.

Therefore with BOSH you can reload the page and still maintain your anonymous
session, while with WebSocket you can't.

Non-web clients don't have this problem because their connections are
long-lived. With WebSocket-using web clients, your connection can be terminated
at any time when the user reloads the tab.
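As an added example that is not part of this thread or of any XMPP client's code: the BOSH continuation described above, written as the small piece of client state a web page has to carry across a reload (the XEP-0124 `sid` and `rid`), next to the choice a client is left with over WebSocket. It assumes a Web Storage-style object (`setItem`/`getItem`/`removeItem`); every function and key name is my own.

```javascript
// A BOSH session (XEP-0124) is identified by the 'sid' the connection manager
// issued; each request carries a 'rid' that the client increments by one.
// Persist {sid, rid, jid} before unload and continue with rid+1 afterwards,
// and the server just sees the next request of the same session.
const BOSH_NS = 'http://jabber.org/protocol/httpbind';
const STORAGE_KEY = 'xmpp-bosh-session';          // name chosen for this example
const MAX_RID = Number.MAX_SAFE_INTEGER;          // XEP-0124: rid stays below 2^53

function escapeAttr(v) {
  return String(v).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
}

// One BOSH request: the <body/> wrapper around zero or more stanzas.
function boshBody(session, payload = '') {
  return `<body rid="${session.rid}" sid="${escapeAttr(session.sid)}" xmlns="${BOSH_NS}">${payload}</body>`;
}

// Called from the page's 'beforeunload' handler. sessionStorage (per tab,
// cleared when the tab closes) is a better home for sid/rid than
// localStorage: whoever holds a valid sid+rid pair can drive the session.
function saveBoshSession(storage, session) {
  storage.setItem(STORAGE_KEY, JSON.stringify({ sid: session.sid, rid: session.rid, jid: session.jid }));
}

// Called on page load. Returns the state for the next request, or null when
// there is nothing valid to continue (the client then logs in afresh, which
// under SASL ANONYMOUS means a new JID).
function restoreBoshSession(storage) {
  const raw = storage.getItem(STORAGE_KEY);
  if (raw === null) return null;
  let saved;
  try { saved = JSON.parse(raw); } catch { return null; }
  if (typeof saved.sid !== 'string' || !Number.isInteger(saved.rid) || saved.rid >= MAX_RID) return null;
  storage.removeItem(STORAGE_KEY);               // one continuation per saved state
  return { sid: saved.sid, rid: saved.rid + 1, jid: saved.jid };
}

// What a client can do after a reload, following the argument in the message
// above: over BOSH the old session is simply continued; over WebSocket the
// stream is gone, and only a login with real credentials yields the same JID
// that a XEP-0198 <resume/> needs. ANONYMOUS hands out a fresh JID every time.
function recoveryAfterReload(transport, saslMechanism, saved) {
  if (transport === 'bosh') return saved ? 'continue-bosh-session' : 'new-login';
  if (saslMechanism === 'ANONYMOUS') return 'new-login-new-jid';
  return saved ? 'reauthenticate-then-resume-0198' : 'new-login';
}
```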
