Re: Fixing cookies (Re: Some half-baked thoughts about cookies.)

On Tue, Aug 28, 2018 at 1:05 AM, Willy Tarreau <w@1wt.eu> wrote:

>   - when a site delivers a cookie with "too long" a duration, ask the
>     user if he's willing to accept it or to trim the duration to a
>     shorter one. Let the user configure the max duration before warning.
>

No asking! Opinionated browsers could do this today if they wanted to, but
it should not ask the user! Of course there should be a way for a user to
modify the default max in with other cookie settings.

>   - when a tab is closed with session cookies in it, ask the user what
>     to do with these cookies.


No asking! If we think the current session lengths aren't working, browsers
are free to re-define it. We could even propose modifications to the spec
to recommend definitions of a "session".

It's hard to believe that a post that starts out decrying all the GDPR
prompts is proposing more prompts.


>   - add the ability for server-side equipments to purge *all* cookies
>     for the same domain ;


You might be interested in https://w3c.github.io/webappsec-clear-site-data/

I believe Chrome already supports this. Firefox will be shipping support in
October (testable on nightly now, beta in a couple weeks).

-
Dan Veditz

Received on Tuesday, 28 August 2018 17:03:26 UTC
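
The first point in the exchange above (trimming an over-long cookie lifetime to a user-configured maximum without prompting), as an added sketch that is not part of the original message or any browser's code. `capCookieLifetime` and `MAX_AGE_SECONDS` are hypothetical names, and the 7-day default is an assumed value.

```javascript
// Added illustration: clamp the lifetime requested by one Set-Cookie value.
// Hypothetical helper; the cap stands in for a user preference.
const MAX_AGE_SECONDS = 7 * 24 * 60 * 60; // assumed default: 7 days

function capCookieLifetime(setCookie, now = Date.now(), maxAge = MAX_AGE_SECONDS) {
  const [nameValue, ...attrs] = setCookie.split(';').map((s) => s.trim());
  let requested = null;   // lifetime in seconds the site asked for
  let sawMaxAge = false;
  const kept = [];        // attributes unrelated to lifetime, in original order

  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? '' : attr.slice(eq + 1).trim();
    if (key === 'max-age') {
      // A malformed Max-Age is ignored, as in RFC 6265 parsing.
      if (/^-?\d+$/.test(val)) {
        requested = parseInt(val, 10);
        sawMaxAge = true; // Max-Age takes precedence over Expires
      }
    } else if (key === 'expires') {
      const t = Date.parse(val);
      if (!sawMaxAge && !Number.isNaN(t)) {
        requested = Math.floor((t - now) / 1000);
      }
    } else if (attr !== '') {
      kept.push(attr);
    }
  }

  // No usable lifetime attribute: this is a session cookie, leave it alone.
  if (requested === null) return [nameValue, ...kept].join('; ');

  // Never extend a lifetime; zero or negative values (deletion) become 0.
  const capped = Math.max(0, Math.min(requested, maxAge));
  return [nameValue, `Max-Age=${capped}`, ...kept].join('; ');
}

// Constructed sample: a ten-year cookie seen on the date of this message.
const sampleNow = Date.UTC(2018, 7, 28, 17, 0, 0);
console.log(capCookieLifetime(
  'sid=abc; Expires=Mon, 28 Aug 2028 17:00:00 GMT; Secure; HttpOnly', sampleNow));
```

The output always expresses the lifetime as `Max-Age`, so a capped cookie no longer depends on the client clock agreeing with the server's `Expires` date.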