Feds Seek Input On Cookie Policy For Government Web Sites

Soulskill posted more than 4 years ago | from the om-nom-nom dept.

Government 74

suraj.sun sends along this quote from Information Week: "The government wants to use cookies to offer more personalized web sites to citizens and better analytics to Webmasters. ... The federal government has drafted changes to its outdated restrictions on HTTP cookies, and wants the public's input. Under the plan, detailed in a blog post by federal CIO Vivek Kundra and... Michael Fitzpatrick, federal agencies would be able to use cookies as long as their use is lawful, citizens can opt out of being tracked, notice of the use of cookies is posted on the Web site, and Web sites don't limit access to information for those who opt out. ... The Office of Management and Budget is considering three separate tiers of cookie usage that will likely have different restrictions for each, based on privacy risks. The first tier of sites would use single-session technologies, the second multi-session technologies for use in analytics only, and the third for multi-session cookies that are used to remember data or settings 'beyond what is needed for web analytics.'"

74 comments

Oreos (3, Funny)

oldhack (1037484) | more than 4 years ago | (#28819869)

For a variety of reasons. :-)

Re:Oreos (1)

jmckinney (68044) | more than 4 years ago | (#28820447)

I don't have kids, and I haven't watched the show for 30 years, so why do I hear it in Cookie Monster's voice every time I read the phrase 'cookie policy'? (Coo-kie Po-li-cy!)

Re:Oreos (2, Funny)

basementman (1475159) | more than 4 years ago | (#28820545)

Oreos are a symbol of black power and the racist ideals Obama is trying to indoctrinate our wonderful nation with. The pure Aryan nation is represented by clean white filling of the Oreo, with the other less pure races as the hard cookie, squeezing on both sides every last bit of culture the white man has left. We must rise against and elect Vanilla Wafers as our government cookie. White power! /s

How about no? (5, Insightful)

DoktorSeven (628331) | more than 4 years ago | (#28819875)

Just don't use cookies. Or at the very least, allow people to opt *in* rather than out.

What a concept, right?

Re:How about no? (2, Informative)

jonbryce (703250) | more than 4 years ago | (#28819909)

I don't see any problem with a "remember these settings" check box on a web page which sends a cookie if ticked.

Re:How about no? (2, Interesting)

sakdoctor (1087155) | more than 4 years ago | (#28819931)

Cookies expire at end of session according to my preference.
That's fine for session management, but when sites start storing preferences, I get reset to the bone-headed defaults every time.
Then I leave and never return.

Re:How about no? (0)

R.Mo_Robert (737913) | more than 4 years ago | (#28820061)

Cookies expire at end of session according to my preference. That's fine for session management, but when sites start storing preferences, I get reset to the bone-headed defaults every time. Then I leave and never return.

How else do you expect a site to store your preferences, then? I'd rather have a cookie on my computer than have the site force me to make an account (e-mail address and all) with them and store it on their server. (Of course, "bone-headed defaults" are another story...)

Re:How about no? (2, Insightful)

kdemetter (965669) | more than 4 years ago | (#28820549)

Cookies expire at end of session according to my preference. That's fine for session management, but when sites start storing preferences, I get reset to the bone-headed defaults every time. Then I leave and never return.

How else do you expect a site to store your preferences, then? I'd rather have a cookie on my computer than have the site force me to make an account (e-mail address and all) with them and store it on their server. (Of course, "bone-headed defaults" are another story...)

On a database, like it should? And then retrieve the preferences after logging in. I don't see the problem.

Re:How about no? (1)

blueg3 (192743) | more than 4 years ago | (#28820779)

If you'd read the person you responded to, you'd see that he specifically said that a cookie is a lesser evil than requiring you to make an account in order to preserve settings.

Of course, regardless of whether it's by login or by cookie, the settings have to be stored in a database of some sort, unless there are so few preferences that the preferences themselves are stored in a cookie.

Re:How about no? (1)

Jah-Wren Ryel (80510) | more than 4 years ago | (#28823369)

If you'd read the person you responded to, you'd see that he specifically said that a cookie is a lesser evil than requiring you to make an account in order to preserve settings.

It need not be a full-blown account - "e-mail address and all" - just a username and password that your browser can automatically memorize and fill in each time you start a new "session."

After all, if you don't need "e-mail address and all" for a cookie, then you don't need it for any other identification mechanism either.

Furthermore, any site that requires cookies for full usability is doing its users a disservice because it is one more site that encourages them to use cookies. Until web-browsers come with something like the CookieSafe plugin's functionality by default, the choice to use cookies is 100% yes/no for most users. Thus by requiring cookies, they also encourage their users to make themselves more vulnerable to all those privacy invaders like doubleclick (google's evil by another name).

Re:How about no? (1)

Hal The Computer (674045) | more than 4 years ago | (#28824379)

So you want your browser to send the site a key and value every time so the site can track your preferences. Congratulations, you just invented cookies.

So basically, you're blaming the web sites for the fact that the browsers do not implement the exact functionality you want. Did I get all that?

Re:How about no? (1)

Jah-Wren Ryel (80510) | more than 4 years ago | (#28825377)

So basically, you're blaming the web sites for the fact that the browsers do not implement the exact functionality you want. Did I get all that?

Nope. I am blaming websites for encouraging users to avoid good security practices.

Re:How about no? (1)

POWRSURG (755318) | more than 4 years ago | (#28831675)

What about Web sites that send cookies using the HttpOnly flag so that cookies aren't readable via JavaScript?

Have the Feds, or any other major service, looked at using DOM Storage as an alternative to cookies? DOM Storage allows for more data to be stored, and it removes extra data being transferred via every HTTP request. Yes, it is only available in modern browsers, but that need not stop its use, or at least making policy towards its use.

Re:How about no? (1)

dkf (304284) | more than 4 years ago | (#28825033)

How else do you expect a site to store your preferences, then? I'd rather have a cookie on my computer than have the site force me to make an account (e-mail address and all) with them and store it on their server. (Of course, "bone-headed defaults" are another story...)

I think it would be good if sites that store cookies on your computer (especially keys into a server-side database) were required to describe what information was associated with that cookie, both client-side and server-side. I don't mind them storing preferences for what skin to use for the website UI (OK, I mind that none of them are tasteful, but that's a whole 'nother story) but if there's a large profile of me behind it all, I'd like to know!

I'd also like to know that information for session cookies.

A little help, please! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#28820137)

I'm in a bit of a jam, and I need some help from the slashdot community. I was in the men's room stall at work masturbating to porn on my iPhone for four hours a day like I usually do. All of a sudden, a picture of RMS popped up, and I orgasmed so violently that I accidentally punched some random soft buttons on my iPhone. Turns out I inadvertently activated the camera, recorded video of me shooting my hot stinky jizz all over the bathroom walls, and then sent it to comments@whitehouse.gov. I had no idea the iPhone was THAT easy to use! Someone please tell me there's an "Unsend" button...

Re:How about no? (1)

Prof.Phreak (584152) | more than 4 years ago | (#28820189)

I was certain pretty much all gov sites that allow logins use cookies. Now I'm wondering how they track sessions... Hmm...

Re:How about no? (1)

Z00L00K (682162) | more than 4 years ago | (#28820283)

Everyone already worried about the cookie-tracking habits is already using web browsers and add-ins that delete the cookies after the end of the session.

So what's left is standalone sessions with a certain habit, but no easy way to detect a re-visit.

Re:How about no? (1)

Phroggy (441) | more than 4 years ago | (#28824711)

Just don't use cookies. Or at the very least, allow people to opt *in* rather than out.

What a concept, right?

You're an idiot.

HTTP is a stateless protocol. That's fine if all you're doing is looking at documents, but the Web can do much more than that. There are services that I want the government to be able to provide over the Internet that involve more than just looking at documents. These require tracking state, which is what cookies were designed for. You can fake it if you have to, by putting session variables in query strings, but that makes all of your links ugly and makes it rather awkward to send links to other people, in addition to making the code more complicated/bug-prone/expensive.

User privacy needs to be taken seriously, of course, but that doesn't mean cookies should be banned. It means cookies should be used responsibly. The government is looking for input on what exactly that should mean.

Re:How about no? (0)

Anonymous Coward | more than 4 years ago | (#28836421)

Ironically, "opt-in" requires some way of remembering you've not opted in. Unless you use a cookie to remember a visitor has not opted in, you have to ask him/her every time.

Yeah OK (3, Insightful)

sonicmerlin (1505111) | more than 4 years ago | (#28819881)

I know I'll be modded down for this, but if government was stocked more with intelligent engineers and scientists instead of lawyers we would never have these issues.

Re:Yeah OK (4, Insightful)

FrostDust (1009075) | more than 4 years ago | (#28820265)

This is a legal issue, not a technical one. Replacing lawyers with engineers wouldn't do anything here.

The government isn't trying to engineer a new "cookie" paradigm or anything, they're investigating the legalities of a federally-owned website tracking users.
Cookies have been used by websites forever, but there may be a difference between your browsing history and preferences being recorded by bestbuy.com versus whitehouse.gov, at least in the eyes of the law. That is what the article is talking about.

They can snoop every conversation and transmission (0)

Anonymous Coward | more than 4 years ago | (#28819923)

And require all access to every financial detail of your life, and people worry about web cookie opt-ins?

Seems fucking silly, but I guess the sheep would accept a cookie opt-in from one dept while 6 other depts are fully engaged up your ass.

I think this is great (2, Insightful)

Anonymous Coward | more than 4 years ago | (#28819959)

The NSA performs illegal wiretaps and then the government consults the public over web cookies? What next, rapists asking their victims if they'd object to being given a hickey?

Go, go "team freedom"!

Re:I think this is great (2, Insightful)

oldhack (1037484) | more than 4 years ago | (#28820047)

What the AC wrote. This absurd universe we live in.

Re:I think this is great (1)

unlametheweak (1102159) | more than 4 years ago | (#28820187)

The NSA performs illegal wiretaps and then the government consults the public over web cookies? What next, rapists asking their victims if they'd object to being given a hickey?

Go, go "team freedom"!

What the AC wrote. This absurd universe we live in.

It gives the public (electorate) the impression that there is transparency and freedom to choose. I am grateful for every piece of illusion that makes reality more bearable. It sure beats the frontal lobotomies [npr.org] that were popular in the 1940s and 50s to treat moodiness and hyperactivity in children.

Re:I think this is great (1, Interesting)

hedwards (940851) | more than 4 years ago | (#28820053)

There's a significant distinction to be made there. First off, these agencies aren't the NSA and secondly it is currently perfectly legal to use cookies. The two aren't really connected at all.

There is a significant amount of justified mistrust in the government right now, but the thing is that if they were up to something nefarious, I'd assume they'd use a method that was much less easily dodged by people.

This issue is whether it's legal (1)

fluffy99 (870997) | more than 4 years ago | (#28820871)

"it is currently perfectly legal to use cookies"

That's the exact issue. It's currently NOT legal for the government to collect information on someone without a valid reason. Two good examples are the Watergate fiasco and recent illegal wiretapping. This is about trying to define cookies as a valid operational requirement, and set the appropriate boundaries for the collection of any information.

How the cookie crumbles (1)

countertrolling (1585477) | more than 4 years ago | (#28820029)

I think we can trust the government not to misuse the data, right? It's not like it doesn't know everything about you anyway. I'm sure its "privacy policies" are every bit as honorable as Google's, or Microsoft's.

Why? (1)

Darkness404 (1287218) | more than 4 years ago | (#28820087)

Why even use cookies? I can't really think of any good idea for a standard, public government website to use cookies. I mean, there's not any preferences, logging in, etc. by members of the general public. If they are employees of the government, well they already sold their soul...

Re:Why? (1)

dlsmith (993896) | more than 4 years ago | (#28820163)

I mean, there's not any preferences, logging in, etc. by members of the general public

Three federal government programs that do/should provide a Web interface to authenticated users:

  • Student loans
  • Income taxes
  • Social security

These are off the top of my head. I'm not trying very hard.

Suggestions (2, Interesting)

asdfndsagse (1528701) | more than 4 years ago | (#28820119)

1. Tracking MUST be in aggregate. Any categories of users SHOULD come only from self descriptions from the user. (i.e. clicking "i run a small business")

2. Preferences MUST be stored client-side in cookies, not server-side. Sites MAY use hashing to prevent tampering where appropriate. Preferences SHOULD be stored as plain text so that they can be read and perhaps changed directly by the user.

3. Users SHOULD NOT have unique ids tagged to them, and MUST NOT have unique ids tagged to them over more than one session without an opt-in.

4. Analytics of users/preferences and locations/IP addresses MUST be done in a way as to minimize the ability to specifically track people who do not opt-in and are unaware of tracking.
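
Added example (not part of the comment above, and not any government site's code): one way to build the plain-text, tamper-evident preference cookie that point 2 describes, with no user identifier in it. It uses a keyed HMAC rather than a bare hash, because an unkeyed hash can be recomputed by whoever edits the cookie; the key, preference names and allowed values are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed demo key (assumption). A real site would load a random secret
# from server-side configuration and never ship it to the client.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical preference names and the values the site is willing to honour.
ALLOWED = {
    "skin": {"classic", "dark", "large-print"},
    "lang": {"en", "es"},
    "audience": {"citizen", "small-business"},  # self-described category only
}


def _tag(payload: str) -> str:
    """HMAC-SHA256 over the readable payload, hex encoded."""
    return hmac.new(SERVER_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def encode_prefs(prefs: dict) -> str:
    """Build the cookie value: readable key=value pairs, '|', then the tag."""
    for name, value in prefs.items():
        if value not in ALLOWED.get(name, ()):
            raise ValueError(f"unsupported preference {name}={value!r}")
    payload = urlencode(sorted(prefs.items()))  # sorted so the tag is stable
    return f"{payload}|{_tag(payload)}"


def decode_prefs(cookie_value: str) -> dict:
    """Return the stored preferences, or {} (site defaults) if the value
    is missing its tag, was edited, or names something not in ALLOWED."""
    payload, sep, tag = cookie_value.rpartition("|")
    if not sep:
        return {}
    # Compare as bytes in constant time; a str comparison would raise on
    # non-ASCII input that an edited cookie might contain.
    if not hmac.compare_digest(_tag(payload).encode("utf-8"), tag.encode("utf-8")):
        return {}
    prefs = dict(parse_qsl(payload))
    if any(value not in ALLOWED.get(name, ()) for name, value in prefs.items()):
        return {}
    return prefs


if __name__ == "__main__":
    value = encode_prefs({"skin": "dark", "lang": "en"})
    print("Set-Cookie: prefs=" + value + "; Path=/; HttpOnly")
    print("accepted:", decode_prefs(value))
    print("edited:  ", decode_prefs(value.replace("skin=dark", "skin=classic")))
```

The user can still read every stored setting in the cookie; a hand-edited value fails verification and the site falls back to its defaults.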

Does it matter at all? (1)

DrEldarion (114072) | more than 4 years ago | (#28820143)

Honestly, think about it for a second.

Besides the fact that you ultimately have full control over accepting cookies anyway, this is the government we're talking about. They have the power to get into every aspect of your life far deeper than any other organization ever could. Are you honestly worried about what are 99.99% likely to be completely harmless cookies?

Re:Does it matter at all? (0)

Anonymous Coward | more than 4 years ago | (#28820221)

People don't deserve or expect privacy if they aren't at least able to disable cookies on their own browsers.
It's not like they have to change the source code or even edit a complicated configuration file or windows registry to disable them.

Re:Does it matter at all? (1)

shentino (1139071) | more than 4 years ago | (#28820881)

Would you tell them that if they were in a corporate environment and HAD NO FUCKING CHOICE not to use a braindead browser on a holey operating system?

Re:Does it matter at all? NOT! (1)

Nom du Keyboard (633989) | more than 4 years ago | (#28820863)

Besides the fact that you ultimately have full control over accepting cookies anyway

Yeah, right. Granny knows about cookies, privacy, and how to disable one to protect the other, while she's out there reading e-mail from the kids, checking up on the latest on Martha Stewart's site, and going to the political discussion that her smart, college-educated son directed her to on the .gov site. Sure she can just pop in and selectively disable cookies as required.

NOT!

This should be the universal Cookie Policy (5, Insightful)

OverZealous.com (721745) | more than 4 years ago | (#28820213)

This is my general policy:

  1. Don't ever store a cookie by default on websites that don't have a login.
  2. Don't ever, ever, ever store cookies on a different domain than the one in the address bar.
  3. If you want to store something in a cookie, make it opt-in (as mentioned above).
  4. If you want to store something in a cookie, but I block it, make sure the website still works correctly.
  5. If you "need" to store a cookie, but I block it, make it obvious what has happened, and on what domain. Make sure I can see that domain in the address bar, and decide whether to unlock it.
  6. Be aware that forcing a cookie on me has about a 75% guarantee that I'll leave and never return.

If you are incapable of developing to these standards, say, because you don't understand how session cookies should work, then please find another line of work.

Cookies are bad for the health of your website, news site, or blog. Cookies are good for the health of your web application.

Re:This should be the universal Cookie PolicyIMPOR (1)

Nom du Keyboard (633989) | more than 4 years ago | (#28820883)

If you want to store something in a cookie, but I block it, make sure the website still works correctly.

That is clearly The Most Important Cookie Commandment of all!

I'd give you Insightful+1 if I had mod points today.

Re:This should be the universal Cookie Policy (0)

Anonymous Coward | more than 4 years ago | (#28823247)

Hey just wanted to let you know there's a 2-for-1 on tinfoil hats down at Crazy Eddie's Paranoia Shop today. So if you're not afraid to leave the basement, maybe you want to go check that out.

Re:This should be the universal Cookie Policy (1)

Phroggy (441) | more than 4 years ago | (#28824923)

Cookies are bad for the health of your website, news site, or blog.

Are you retarded? Slashdot would suck ass without cookies.

Re:This should be the universal Cookie Policy (0)

Anonymous Coward | more than 4 years ago | (#28826909)

Slashdot would suck ass without cookies.

Much like the Cookie Monster does to get money for his own cookies.

Re:This should be the universal Cookie Policy (1)

dkf (304284) | more than 4 years ago | (#28825001)

Don't ever store a cookie by default on websites that don't have a login.

But they're an excellent way to tell apart humans from bots, which is important for performance reasons since they've got completely different browsing profiles. You'd think that using the browser version string from the HTTP request header would work, but it doesn't. Some bots are stealthed. However, a session cookie is fine for these purposes; if you're distinguishing between session cookies and expiring cookies, then you need to make that clearer; both are still cookies.

Don't ever, ever, ever store cookies on a different domain than the one in the address bar.

Does that even work at all? Shouldn't browsers block it?

If you want to store something in a cookie, make it opt-in (as mentioned above).

That's tricky. Easier to have the browser do the enforcement there (how could the server know what your preference for cookie storage is without setting a cookie?)

If you want to store something in a cookie, but I block it, make sure the website still works correctly.

As long as you don't expect to log in or high performance browsing, you'll be OK.

If you "need" to store a cookie, but I block it, make it obvious what has happened, and on what domain. Make sure I can see that domain in the address bar, and decide whether to unlock it.

Again, take that up with browser makers. It's not the business of website owners.

Be aware that forcing a cookie on me has about a 75% guarantee that I'll leave and never return.

Goodbye.

(If your rant is directed only against expiring cookies, should it include ones with an expiry time of less than an hour? It's quite possible that session cookies for most people will persist longer than that...)

"Gluten Free"? (1)

Tetsujin (103070) | more than 4 years ago | (#28820237)

I find it funny that this story's been tagged "gluten free"... My wife has celiac so I tend to think of gluten as something I have to deal with and other people aren't too aware of. :)

Public Input? (1)

ObsessiveMathsFreak (773371) | more than 4 years ago | (#28820271)

They say public input, but what is to stop any lobby group with deep enough pockets and a large enough network from organising its own flash mob, to sway the government one way or the other.

This seems to be a common feature of modern life. We are told that policy is driven by the will of the people, but how can we be sure of that? How do you tell the difference between thousands of genuinely aggrieved people, and thousands being paid to be aggrieved? How do you tell the difference between consent, and manufactured consent?

It's our own fault really. We support a system where the people we elect to make decisions dare not sign a single paper, for fear it may cause outrage or scandal. Or at least, manufactured outrage or scandal. How convenient for producers.

lawful? really? (1)

v1 (525388) | more than 4 years ago | (#28820277)

federal agencies would be able to use cookies as long as their use is lawful,

The feds promising to only do lawful things? What a novel concept! I wonder how they will adapt?

This whole argument is asinine (0, Flamebait)

Anonymous Coward | more than 4 years ago | (#28820429)

Cookies are as much of a privacy concern as walking down the street.

If the government wants to track you they are going to go directly to the source and track you via a data center. Trying to track someone with cookies is about the least effective way to go about it. If you're worried about cookies you might as well sit in your mom's basement with a tinfoil hat.

Cookies are however used to improve government websites, by allowing users to login and save settings. It also allows the content owners to understand effective UI, how users navigate the website, what keeps users coming back for more and other key information. By not letting government websites utilize these simple tools, you're pretty much ensuring you'll have a worse experience when you visit a government website.

It's idiotic.


A smart way of looking at it (0)

Anonymous Coward | more than 4 years ago | (#28820507)

Here's a review of the issue from last year that isn't just about silly fear mongering:
http://blog.webanalyticsdemystified.com/weblog/2008/11/an-open-letter-to-president-elect-obama.html

SSN = Cookie (0)

Anonymous Coward | more than 4 years ago | (#28820511)

Simply create one cookie for all the government websites by rot13ing the ssn for use as a serial number. Bonus points for assigning the SSN cookie with getting the SSN from the user. Create Central Database to hold all variables associated with SSN on all government websites. This is so simple even a two year old could implement but don't worry somebody will make the profit after the ??????

Don't share them (2, Insightful)

legirons (809082) | more than 4 years ago | (#28820537)

Is there anything more to say than Don't share them between sites?

If you login then of course you need a cookie. And using them for stats within one site is not much different to using IP addresses. But it's when you start including invisible images from a 3rd party site that shares the stats between multiple domains, that most people think crosses the line into creepy surveillance.

Login cookies = fine. Telling one site that you visited another site = not ok.

(or to phrase that another way: don't exploit loopholes in the security system)

Re:Don't share them (1)

OverZealous.com (721745) | more than 4 years ago | (#28822409)

If you login then of course you need a cookie. And using them for stats within one site is not much different to using IP addresses.

While I agree that there is a significant benefit in using login cookies, they are not remotely "necessary". Java-based servers have had a fantastic technique using a little-known part of the URI scheme [wikipedia.org] where every segment can have parameters. It looks like this:

http://www.example.com/app;sessionid=ABC123DEF456/<whatever>

This allows cookie-like storage in a way that isn't able to be tracked across multiple domains.

Re:Don't share them (0)

Anonymous Coward | more than 4 years ago | (#28823761)

Which is great until you email a link and suddenly the whole world is using your session.

Re:Don't share them (1)

legirons (809082) | more than 4 years ago | (#28900877)

If you login then of course you need a cookie. And using them for stats within one site is not much different to using IP addresses.

While I agree that there is a significant benefit in using login cookies, they are not remotely "necessary". Java-based servers have had a fantastic technique using a little-known part of the URI scheme [wikipedia.org] where every segment can have parameters. It looks like this:

This allows cookie-like storage in a way that isn't able to be tracked across multiple domains.

great, so every time someone follows a link from your site (or you include an external image) their session key is transmitted via the referer header...

Re:Don't share them (0)

Anonymous Coward | more than 4 years ago | (#28825277)

> If you login then of course you need a cookie.

Not true. You could just use HTTP authentication. I have no idea why so many websites are averse to this feature.

Fed only wants your 'input' as propaganda! (2, Interesting)

Anonymous Coward | more than 4 years ago | (#28820639)

The feds are not really interested in realistic input from the public. If they were, they would not require that commenters 'log in'. The cookies are being sought in order to deny the public the option of logging in...or not, simply by placing persistent 'tracking cookies' and other types of malware. I checked their website cited above in the submission and you will find that indeed it does require 'logging in'. As such, only the converted choir will comment, and all these comments will be 'filtered for content' before being displayed. Such 'filtering' will be such that only sycophantic comments will be given prominent display. Comments opposing the cookies will only be displayed if they are ignorantly worded, ungrammatically constructed, and otherwise show the writers in a bad light. In this way the site can be manipulated as such that other propagandists can claim 'popular support' for internal spying. That the whole website has a flavor of Joseph Goebbels's old 'debates' when Hitler was an agitator in Great Depression Germany is lost on a younger generation that not only has no memory of National Socialism, but also has no education of it either. Modern history courses in high schools leave that out and only teach history after world war two, concentrating on multiculturalism while ignoring the culture that built the nation and the schools in it that now teach only fluff, a whole other subject worthy of its own debates.
These cookies are easily removed now, so it seems silly that the guv would take great pains to foist them on you unless they know something that we do not. Is there something new and horrible in Windows 7? Something that will give us even LESS control of our machines that we paid for with our money and get less and less use, choice, and especially control of?

Re:Fed only wants your 'input' as propaganda! (0)

Anonymous Coward | more than 4 years ago | (#28842147)

To share your comments on this approach, you can post a comment here, submit comments directly in response to the Federal Register notice mentioned above, or email them to: oira_submission@omb.eop.gov. Comments submitted by August 10, 2009 in one of these three ways, will be taken into consideration though we strongly encourage you to comment here so that others can respond. Comments submitted via email will also be republished here. We're hoping to hear your thoughts on:

Ask the users.. (1)

Seth Kriticos (1227934) | more than 4 years ago | (#28820685)

Most people don't know the difference between a browser and the Internet. If you ask them if they want cookies, they will say yes. Then the website admin will have to deal with fun support calls: "You promised me cookies on your website, but I did not get any! Where are my damn cookies?"

Re:Ask the users.. (0)

Anonymous Coward | more than 4 years ago | (#28826813)

They did a street survey in the UK asking the question: What is a browser?

8% (eight percent) answered correctly. I think the most popular answer was, Google!

Expiration date on cookies (1, Insightful)

Anonymous Coward | more than 4 years ago | (#28820703)

When I examine my cookies, the first thing I do is look for anything that has an expiration date more than 5 years in the future.
Those cookies are immediately deleted and blocked permanently.

There is no reason but sloth to set a cookie with such a huge number for the time to live.

I hope the government policy sets reasonable times for their cookie policy.

IE, a session cookie should not outlive the session.
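
Added example (not part of the comment above or of any site's own code): the check that comment describes, run over Set-Cookie headers instead of by hand. It goes beyond the five-year rule to cover other points raised in this thread (cookies scoped to a domain other than the one in the address bar, and the HttpOnly flag); the host names and header values are constructed, and the domain match is a plain suffix comparison that assumes no public-suffix list.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

FIVE_YEARS = timedelta(days=5 * 365)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs).
    Attribute names are lower-cased; flag attributes map to ''."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def lifetime(attrs, now):
    """None for a session cookie, otherwise how long the cookie lives.
    Max-Age takes precedence over Expires; an unparseable date is ignored."""
    if "max-age" in attrs:
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except (ValueError, OverflowError):
            pass
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when - now
    return None


def domain_matches(host, cookie_domain):
    """True if host equals the cookie domain or is a subdomain of it."""
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def audit(header_value, page_host, response_host, now=None):
    """Return (cookie name, findings). page_host is the site in the address
    bar; response_host is the server that sent the Set-Cookie header."""
    now = now or datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header_value)
    life = lifetime(attrs, now)
    if life is None:
        findings = ["session"]
    elif life <= timedelta(0):
        findings = ["expired"]            # the server is deleting the cookie
    else:
        findings = ["persistent"]
        if life > FIVE_YEARS:
            findings.append("expires-beyond-5-years")
    scope = attrs.get("domain") or response_host
    if not domain_matches(page_host, scope):
        findings.append("third-party-domain")
    if "httponly" not in attrs:
        findings.append("no-httponly")    # readable from page JavaScript
    return name, findings


# Constructed sample responses seen while loading www.agency.example.
SAMPLES = [
    ("www.agency.example", "SID=4f2a; Path=/; HttpOnly"),
    ("www.agency.example", "prefs=skin%3Ddark; Max-Age=2592000; Path=/"),
    ("stats.tracker.example",
     "uid=9c1b7e; Expires=Sun, 17 Jan 2038 19:14:07 GMT; "
     "Domain=.tracker.example; Path=/"),
]

if __name__ == "__main__":
    fixed_now = datetime(2009, 7, 24, tzinfo=timezone.utc)
    for sender, header in SAMPLES:
        print(sender, audit(header, "www.agency.example", sender, fixed_now))
```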

A simple set of rules (1)

Trerro (711448) | more than 4 years ago | (#28820947)

A cookie is acceptable if one of the following is true:
1. The user has directly requested it, such as by clicking a "remember these display settings" button.
2. The user has been warned in advance, and EXPLICITLY OPTED IN to it. Explicit means the warning was in plain, easy to read text, in a single paragraph if possible - not buried on page 7 of a EULA or shoved in a privacy policy that's linked in tiny text and no one ever reads.
3. The cookie is a session cookie, and once the user has closed his browser, it will not be possible to link any data gathered with that cookie to that user. (Aggregate data is of course, fine.)

If you're setting a cookie that doesn't meet one of those 3 conditions, then you're violating your users' privacy. Period.

Cookie Paranoia (4, Insightful)

QuoteMstr (55051) | more than 4 years ago | (#28821033)

You know, it's fucking ridiculous that people harp about cookies, which are entirely under the user's control, but ignore the CSS browser-history hack [ckers.org] that allows any site to probe whether you've visited another completely unrelated site.

Wake up people! If you want security, worry about the issues that are actually dangerous, not the ones that just sound the scariest.

mmmhh... (0)

Anonymous Coward | more than 4 years ago | (#28822823)

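#!/bin/bash
#fuckallya-iceweasel-purger

# Kill any running Firefox so the profile files are not in use.
if pidof firefox-bin > /dev/null; then
    pkill -9 'firefox'
    sleep 3
fi

# Work from the home directory; stop if it cannot be entered.
cd || exit 1

# Remove the browser profile (cookies, history, cache) and the
# Flash Player storage directories.
rm -vdr .mozilla
if [ -d /home/bubo/.adobe ]; then
    rm -vdr /home/bubo/.adobe
fi
if [ -d /home/bubo/.macromedia ]; then
    rm -vdr /home/bubo/.macromedia
fi

# Copy the saved profile back into place.
mkdir -v /home/bubo/.mozilla
cp -at /home/bubo/.mozilla /home/bubo/uaria/saveme/MOZ/mozilla/*

# Compact the restored SQLite databases.
find /home/bubo/.mozilla -name '*.sqlite' -exec sqlite3 '{}' 'VACUUM;' \;

echo done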

Cookies can't be deleted on GOV computer (0)

Anonymous Coward | more than 4 years ago | (#28826313)

In most GOV computers you can't delete cookies, delete history or install any software to eat the cookies. The computers are locked down. You're stuck with WindowsXP and Internet Explorer. You can't even install Firefox.

So the cookie thing "is" interesting for internal reasons. They may want to track employees more, not the public.

Here's an idea: (1)

Ant P. (974313) | more than 4 years ago | (#28829923)

Have a clearly accessible page that displays the cookies you're sending, and explains what each cookie they've set is for, what data it ties to you, and most importantly have a button right there on the page to delete it.

Yeah I know most browsers have built in stuff for this already; some don't and most average users would never think to look there anyway.
