This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
v0.1 does not give much guidance on the format of Session ID strings. [1]

Should the format of Session ID be more strictly defined or is anything other than null and "" valid? Would restricting allowed formats make application and server implementation easier?

Possible items for discussion:
* Does the string need to represent a number? If so must it be positive, decimal/hex, etc.?
* When may IDs be reused, if at all?
* Must values increase or can they be random?
* How unique must they be? Per page? Per renderer? Across the system?

[1] http://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/encrypted-media.html#session-id
Assigning to Mark. We should enforce greater uniqueness for systems that support key release. Mark will also investigate if any other restrictions are useful beyond key release.
I suggest we place no requirements on the SessionID other than that it must be unique within the browsing session (right term?). If proof of key release is supported we add the additional requirement that it be unique for this browser instance. This is the wrong term, but what I mean is the same thing that owns Local Storage, say. An application could then create a globally unique session Id by storing a unique 'browser instance id' in Local Storage and combining this with the session id. Anyone know the correct term?
I believe the correct terms would be "browsing context" if secure proof of key release is not supported or "origin" if it is. Proposal: add the following text to Section 1.2.3: "Each SessionID shall be unique within the browsing context in which it was created. If secure proof of key release is supported each Session ID shall be unique within the origin. Note that this last requirement implies that Session IDs shall be unique over time including across browsing sessions."
http://dvcs.w3.org/hg/html-media/rev/96098ab59a59
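The application-side scheme suggested in the thread (a unique 'browser instance id' kept in Local Storage and combined with the session ID), as an added JavaScript example that is not part of the original bug discussion. The storage key names, the ":" separator and the MemoryStorage stand-in are assumptions, and noteSessionId is a hypothetical check for the proposed rule that a session ID never repeats within an origin.

```javascript
// Added example, not code from the EME spec or this bug thread.
const INSTANCE_KEY = "eme.instanceId";  // hypothetical storage key
const SEEN_KEY = "eme.seenSessionIds";  // hypothetical storage key

// Constructed stand-in for window.localStorage so the code runs outside a browser.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
}

// Return the per-origin instance id, creating and persisting it on first use.
// makeId is injectable; the default uses the Web Crypto randomUUID().
function getInstanceId(storage, makeId = () => crypto.randomUUID()) {
  let id = storage.getItem(INSTANCE_KEY);
  if (!id) {
    id = makeId();
    storage.setItem(INSTANCE_KEY, id);
  }
  return id;
}

// Combine the instance id with a session ID into one globally unique string.
function globalSessionId(storage, sessionId, makeId) {
  // The report treats null and "" as the only clearly invalid values.
  if (typeof sessionId !== "string" || sessionId === "") {
    throw new TypeError("session ID must be a non-empty string");
  }
  // The session ID format is otherwise unspecified, so escape it: a ":" inside
  // the session ID must not be confused with the separator.
  return getInstanceId(storage, makeId) + ":" + encodeURIComponent(sessionId);
}

// Record a session ID for this origin. Returns false if it was seen before,
// including in an earlier browsing session (the list is persisted).
function noteSessionId(storage, sessionId) {
  const seen = JSON.parse(storage.getItem(SEEN_KEY) || "[]");
  if (seen.includes(sessionId)) return false;
  seen.push(sessionId);
  storage.setItem(SEEN_KEY, JSON.stringify(seen));
  return true;
}
```

In a browser, pass window.localStorage as the storage argument; it is scoped to the origin, which matches the scope named in the proposed text.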