ace-wg / mqtt-tls-profile

Document for MQTT-TLS-profile

Section 2.2.3 - session state includes Client Identifier #62

Closed ciseng closed 4 years ago

ciseng commented 4 years ago

On August 15, Jim commented: Section 2.2.3 - /Clean Start to 0/Clean Start to 0, specify the previous session number/ - I think it should be stated that the session number is provided, which is what the state is associated with.

=> After discussion, it was clarified that session number referred to Client ID.

ciseng commented 4 years ago

Made the following text changes - commit 51f08c5f7c33874abe95462e1c4f1daee7c8a1bb:

"The session state kept at the server MAY include token and its introspection result (for reference tokens) in addition to the MQTT session state. The MQTT session state is identified by the Client identifier and includes state on client subscriptions, QoS 1 and QoS 2 messages which have not been completely acknowledged or pending transmission to the Client, and if the Session is currently not connected, the time at which the Session will end and Session State will be discarded."

"Note that, according to the MQTT standard, the Broker must use the Client identifier to identify the session state. In the case of a Client identifier collision, a client may take over another client's session. Given that clients provide a token at each connection, clients will only send or receive messages to their authorized topics. Therefore, while this issue is not expected to affect security, it may affect QoS (i.e. PUBLISH or QoS messages saved for Client A may be delivered to a Client B). In addition, if this Client identifier represents a Client already connected to the broker, the broker sends a DISCONNECT packet to the existing Client with Reason Code of '0x8E (Session taken over)', and closes the connection to the client."
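
The session handling described in the quoted text, as an added example that is not part of the issue thread or the draft: a toy Python broker that keys session state on the Client identifier and records an event when a different token subject resumes it, which is a hook a broker operator could log or alert on. The `subject` field, the `SUBJECT_MISMATCH` event, the class and method names, and the sample identifiers and topics are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

SESSION_TAKEN_OVER = 0x8E  # DISCONNECT Reason Code quoted in the text

@dataclass
class Session:
    subject: str                    # assumed: client identity taken from the token
    subscriptions: set = field(default_factory=set)
    pending: list = field(default_factory=list)  # unacknowledged QoS 1/2 messages
    connected: bool = False

class Broker:
    """Toy model: session state is looked up by Client identifier alone."""
    def __init__(self):
        self.sessions, self.events = {}, []

    def connect(self, client_id, subject, clean_start):
        old = self.sessions.get(client_id)
        if old and old.connected:   # same Client identifier already online
            self.events.append(("DISCONNECT", client_id, SESSION_TAKEN_OVER))
            old.connected = False
        if old is None or clean_start:
            self.sessions[client_id] = Session(subject, connected=True)
            return []
        if old.subject != subject:  # collision: a different client resumes the state
            self.events.append(("SUBJECT_MISMATCH", client_id, (old.subject, subject)))
        old.subject, old.connected = subject, True
        delivered, old.pending = old.pending, []
        return delivered            # saved messages go to whoever resumed

    def disconnect(self, client_id):
        self.sessions[client_id].connected = False

    def queue(self, client_id, topic, payload):
        s = self.sessions[client_id]
        if topic in s.subscriptions and not s.connected:
            s.pending.append((topic, payload))

def demo():
    """Constructed scenario: Client B reuses Client A's identifier."""
    b = Broker()
    b.connect("sensor-1", "client-A", clean_start=True)
    b.sessions["sensor-1"].subscriptions.add("plant/a/status")
    b.disconnect("sensor-1")
    b.queue("sensor-1", "plant/a/status", b"ok")
    delivered = b.connect("sensor-1", "client-B", clean_start=False)
    b.connect("sensor-1", "client-A", clean_start=False)  # A returns while B is online
    return delivered, b.events
```

In `demo()`, the message saved for Client A is handed to Client B on resume, and Client A's later reconnect produces the 0x8E disconnect for the connection that was online.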