I am honestly puzzled why there seems to be a focus on client initiated
session-id when server initiated seems to have so many advantages.
1. Server initited session-ids won't exist if the server doesn't need
or want it. Most servers never will want it. Why penalize them.
2. Modest amounts of information (e.g. shopping baskets) can be kept
in the session cookie, i.e. in a *client-side* data base. This scales;
server-side data bases of session information don't.
3. Server initiated session-ids have strictly greater generality.
In particular, if you *really want* a server side data base you
can have it using the server supplied cookie as a key.
4. New session-ids are automatic when the client switches to a
different server. Also if the client returns to a previously visited
server in the same session the session id is restored. This could
be done with client initiated session-ids also, but I haven't seen
that in any of the proposals.
John Franks Dept of Math. Northwestern University email@example.com