<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://www.w3.org/Bugs/Public/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4"
          urlbase="https://www.w3.org/Bugs/Public/"
          
          maintainer="sysbot+bugzilla@w3.org"
>

    <bug>
          <bug_id>16739</bug_id>
          
          <creation_ts>2012-04-13 22:28:18 +0000</creation_ts>
          <short_desc>Should the format of Session ID be more strictly defined?</short_desc>
          <delta_ts>2012-12-07 01:25:49 +0000</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>HTML WG</product>
          <component>Encrypted Media Extensions</component>
          <version>unspecified</version>
          <rep_platform>All</rep_platform>
          <op_sys>All</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords></keywords>
          <priority>P3</priority>
          <bug_severity>normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter name="David Dorwin">ddorwin</reporter>
          <assigned_to name="Mark Watson">watsonm</assigned_to>
          <cc>eric.carlson</cc>
    
    <cc>mike</cc>
    
    <cc>petr</cc>
    
    <cc>philipj</cc>
    
    <cc>public-html-media</cc>
    
    <cc>public-html-wg-issue-tracking</cc>
    
    <cc>scherkus</cc>
          
          <qa_contact name="HTML WG Bugzilla archive list">public-html-bugzilla</qa_contact>

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>66715</commentid>
    <comment_count>0</comment_count>
    <who name="David Dorwin">ddorwin</who>
    <bug_when>2012-04-13 22:28:18 +0000</bug_when>
    <thetext>v0.1 does not give much guidance on the format of Session ID strings. [1]

Should the format of Session ID be more strictly defined or is anything other than null and &quot;&quot; valid? Would restricting allowed formats make application and server implementation easier?

Possible items for discussion:
 * Does the string need to represent a number? If so must it be positive, decimal/hex, etc.?
 * When may IDs be reused, if at all?
 * Must values increase or can they be random?
 * How unique must they be? Per page? Per renderer? Across the system?

[1] http://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/encrypted-media.html#session-id</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>72932</commentid>
    <comment_count>1</comment_count>
    <who name="Adrian Bateman [MSFT]">adrianba</who>
    <bug_when>2012-08-28 21:18:34 +0000</bug_when>
    <thetext>Assigning to Mark. We should enforce greater uniqueness for systems that support key release. Mark will also investigate if any other restrictions are useful beyond key release.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>74555</commentid>
    <comment_count>2</comment_count>
    <who name="Mark Watson">watsonm</who>
    <bug_when>2012-09-26 16:10:48 +0000</bug_when>
    <thetext>I suggest we place no requirements on the SessionID other than that it must be unique within the browsing session (right term ?).

If proof of key release is supported we add the additional requirement that it be unique for this browser instance. This is the wrong term, but what I mean is the same thing that owns Local Storage, say. An application could then create a globally unique session Id by storing a unique &apos;browser instance id&apos; in Location Storage and combining this with the session id. Anyone know the correct term ?.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>77306</commentid>
    <comment_count>3</comment_count>
    <who name="Mark Watson">watsonm</who>
    <bug_when>2012-10-29 16:51:16 +0000</bug_when>
    <thetext>I believe the correct terms would be &quot;browsing context&quot; if secure proof of key release is not supported or &quot;origin&quot; if it is.

Proposal: add the following text to Section 1.2.3:

&quot;Each SessionID shall be unique within the browsing context in which it was created. If secure proof of key release is supported each Session ID shall be unique within the origin. Note that this last requirement implies that Session IDs shall be unique over time including across browsing sessions.&quot;</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>79588</commentid>
    <comment_count>4</comment_count>
    <who name="Mark Watson">watsonm</who>
    <bug_when>2012-12-07 00:01:48 +0000</bug_when>
    <thetext>http://dvcs.w3.org/hg/html-media/rev/96098ab59a59</thetext>
  </long_desc>
      
      

    </bug>

</bugzilla>