Re: cookie draft available from M. Hedlund on 1996-04-21 (ietf-http-wg@w3.org from April to June 1996)

From: M. Hedlund <hedlund@best.com>
Date: Sun, 21 Apr 1996 14:51:45 -0700 (PDT)
To: hallam@w3.org
Cc: "David W. Morris" <dwm@shell.portal.com>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.SGI.3.93.960421142955.22288B-100000@shellx.best.com>

On Sun, 21 Apr 1996 hallam@w3.org wrote:
> I don't see any reason why a person should really need so many cookies and I 
> havent seen an actual justification apart from reference to people in the 
> bowels of Netscape who apparently have opinions. 

Here's one:

One potential use of Cookies is to store a "preferences" or .rc file for a
user who visits a particular site repeatedly.  A server could provide a
number of choices and store that user's choices as cookies, affecting
their view of the site on future visits.

Let's say this practice becomes common.  (I think it will.  I work at a
Web development shop, Organic Online, and I know of five large sites
outside of our clients that are contemplating or implementing such a
model.)  Wiping out a cookie would no longer be a matter of wiping out a
session.  Instead, it would cause a user's view of the site to go against
their anticipations. 

I argued in the state subgroup that:
	1. the user should be asked for confirmation at the close of
	   the browser execution if a cookie requests to be kept beyond
	   that point (i.e., to some future date or forever); and
	2. if the user allows that cookie to remain in the cookie
	   database, it should _never_ be automatically deleted unless
	   mandated by its expiration date as originally set.

My argument was that no one would be happy if an OS started wiping out
preferences files when some internal limit was reached; nor should we
specify that cookies be wiped out just because some magic number is
reached.

The group decided, instead, to require the user control over the cookie
database without further specifying how that control is given
(contradicting my point #1 above).  I can live with this decision, because
it gives implementors the ability to avoid modal dialog boxes popping up
everywhere if they so choose.

Still, my argument above can be applied to this discussion, giving us a
good reason to specify at least some minimum for cookie storage.

[Rohit says I like to bring up this example because it causes problems for
the models typically discussed in reference to cookies, such as shopping
baskets.  He's right -- I think the cookie discussion has been driven far
too much by the requirements of shopping baskets, and not enough with a
consideration of other models.  Hence this counterexample.]

Marc Hedlund <marc@organic.com> <hedlund@best.com>

Received on Sunday, 21 April 1996 14:55:28 UTC