Deze website maakt gebruik van cookies.
Als je deze website browst dan ga je akkoord dat wij cookies gebruiken voor onze gebruikersstatieken, facebook en twitter.

Ibuildings - Web & Mobile App Development

Toggle Menu
June 29th, 2011 by admin

[Mark van der Velden]A world without cookies

Imagine a world wide web without cookies. And this might not be the strangest thing, since the use of cookies is severely limited since Wednesday the 22nd of June 2011 in the Netherlands. And more countries will follow: http://www.bbc.co.uk/news/technology-12668552

The Law 

The (Dutch) law, that requires a user to agree before storing data, doesn’t only apply on HTTP cookies. But in fact any kind of data that is stored on the users computer. Such as; HTML5 storage, flash cookies. But also desktop applications, etc.. The law also states that cookies “required” for certain functionality, are allowed without confirmation. Personally I don’t see how anything will change, with this exception in place. And I wonder how many experts were involved into making this law. But that is a subject for another article perhaps…

What are cookies

Cookies are little packages of information stored in the browser of a website visitor, they can contain “small” amounts of data such as an identifiable token or a user preference.

What purpose do cookies serve

Cookies are very generic and can be used for many things, good and bad. The most popular probably being tracking your activity and advertisement. But they are also used to keep a state between requests and to store a preference. Such as “remember me” at a login form, or perhaps “no I do not want to participate in your survey”.

Cookie problems

If When the law becomes international, you are potentially violating laws by simply calling something like: setcookie() without the users consent. There are hacks around the typical HTTP cookies, by using flash cookies for example (Oh and btw, here a guide on how to clear those: http://www.macromedia.com/…ngs_manager07.html). And possibly HTML5 storage could play a role here (or any of it’s derivatives).

Another thing that has been happening, is visitor awareness and thus browser features. More and more people block cookies to stop advertisement tracking, but unfortunately this also prevents a user to use the features he or she wants to use (such as login sessions, etc.). There is an answer for this and quite a few browser vendor’s plan on implementing the “Do Not Track” (http://donottrack.us/) feature, or have already done so. But I’m not too happy with it. The downside of “Do Not Track” is that it’s voluntary for website owners and advertisement companies to respect this feature. Other tools include projects such as “Ad Blocker”, that only block cookies (and more) for advertisement purposes. It works pretty good, but that is hardly user-friendly.

But, back to “no more cookies”… How do you solve the problem of keeping a state between requests over a stateless protocol?

Some ideas 

Well in short, I have some ideas but definitely no real answers. I don’t think there is a real answer just yet.

Let’s take the example of a login session. Where you want to offer a secure section to your visitors, where they can (e.g.) read their e-mail, privately. A few things come to mind:

  1. Identifying yourself in every relevant request, using headers for example or an argument &userId=42 in the request. This however has some big problems on its own.
  2. Digest authentication on every relevant request.
  3. Take a look at other technologies, such as IPv6 and move authentication to a lower level.
  4. Perhaps use a commit and rollback system. Where you can do a variety of actions and only your password will be asked in the end, either applying or discarding your actions. Requiring you only to enter your login once. Not the most ideal solution for e-mail though, I have to admit. With this system you would re-post your data to next screens in a similar fashion as e.g. a wizard.
  5. Or perhaps we need to move away from complete server-side applications and move to the client, Javascript applications and use the HTTP spec a little better as it was intended and only have web-services.
Many, if not all, of the things I mentioned above would require secure connections (SSL/TLS) to avoid other security problems. Which might not be a bad move anyway.
Personally I think that there is a future, in an improved implementation of digest authentication over SSL. One that uses HMAC and stronger algorithms, SSL would then supply the missing server validation feature. It should also be more strict and not fall back to insecure legacy features.

Conclusion

All in all I firmly believe that the browser should play a big role in this new cookie recipe and should (partially) solve these problems. Also there should be a more clear separation between “generic storage” and authentication versus a simulated persistency. In more perfect world I would vote for a solution that works on other (underlying) layers and make it application agnostic.
 
I suppose the point I’m trying to make with this article is the following: Take away a feature the entire world uses (since 1996), and wait for the brilliant and creative minds, perhaps such as yourself, to come up with a more innovative feature. It’s time for something better!
 
 
I made some updates to this article, based on some comments.
This entry was posted on Wednesday, June 29th, 2011 at 3:00 am and is filed under Planet Ibuildings. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.
« Terug naar Blogs
admin Written by

admin

Blog posts by admin E-mail

Comments are closed.