Re: Fixing cookies (Re: Some half-baked thoughts about cookies.)

On Tue, Aug 28, 2018 at 10:02:34AM -0700, Daniel Veditz wrote:
> On Tue, Aug 28, 2018 at 1:05 AM, Willy Tarreau <w@1wt.eu> wrote:
> 
> >   - when a site delivers a cookie with "too long" a duration, ask the
> >     user if he's willing to accept it or to trim the duration to a
> >     shorter one. Let the user configure the max duration before warning.
> >
> 
> No asking! Opinionated browsers could do this today if they wanted to, but
> it should not ask the user! Of course there should be a way for a user to
> modify the default max in with other cookie settings.

Quite the opposite in fact: asking *is* useful; it's what pisses off
users and encourages sites to be careful not to piss them off. You just
want to ask this when it's above the configured threshold.

> We could even propose modifications to the spec to recommend
> definitions of a "session".

This would be an immense help.

> It's hard to believe that a post that starts out decrying all the GDPR
> prompts is proposing more prompts.

The difference is that these are prompts that are easy to fix (both
by site operators and by users). The GDPR crap is unfixable by the
user and unfortunately often unfixable by the site as well, depending
on their multi-tier architecture, without having to redesign it. By
the way, sometimes browsers pressure you hard to give them all
your passwords by asking you all the time "remember password?", where
you can only reply "not for this site" or "not now" but not "never".
It's terribly painful, and quite sad from a security perspective as
it further complicates user education. But I'm resisting.

> >   - add the ability for server-side equipment to purge *all* cookies
> >     for the same domain ;
> 
> You might be interested in https://w3c.github.io/webappsec-clear-site-data/

Oh, very interesting, I wasn't aware, thank you very much! I'm adding
the link to my todo list :-)

Willy

Received on Tuesday, 28 August 2018 17:15:02 UTC
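As an added illustration of the cookie-lifetime policy discussed in this thread (prompt or trim when a Set-Cookie header asks for a longer lifetime than the user's configured maximum), here is example code that is not part of the thread and not from any browser: it computes the lifetime a Set-Cookie header requests (Max-Age wins over Expires, as RFC 6265 specifies), reports whether it exceeds a threshold, and rewrites the header with the lifetime capped. The 30-day default threshold, the function names and the sample headers are constructed for the example.

```python
from datetime import timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

# Assumed policy threshold: cookies asking for more than this many seconds
# (30 days) exceed the user's configured maximum. Constructed value.
DEFAULT_MAX_LIFETIME = 30 * 24 * 3600


def _split_attributes(set_cookie: str) -> Tuple[str, List[str]]:
    """Split a Set-Cookie header into its name=value pair and attribute list."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    return parts[0], parts[1:]


def cookie_lifetime_seconds(set_cookie: str, now_epoch: float) -> Optional[int]:
    """Requested lifetime in seconds, or None for a session cookie.

    Per RFC 6265, Max-Age takes precedence over Expires when both are
    present, and an unparseable value is ignored rather than rejected.
    now_epoch is the current time as Unix seconds (passed in so the
    result is deterministic).
    """
    _, attrs = _split_attributes(set_cookie)
    max_age = None
    expires_at = None
    for attr in attrs:
        name, _, value = attr.partition("=")
        name, value = name.strip().lower(), value.strip()
        if name == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                pass
        elif name == "expires":
            try:
                dt = parsedate_to_datetime(value)
                if dt.tzinfo is None:  # "-0000" yields a naive datetime; treat as UTC
                    dt = dt.replace(tzinfo=timezone.utc)
                expires_at = dt.timestamp()
            except (TypeError, ValueError):
                pass
    if max_age is not None:
        return max(max_age, 0)          # negative Max-Age means "expire now"
    if expires_at is not None:
        return max(int(expires_at - now_epoch), 0)
    return None


def exceeds_threshold(set_cookie: str, now_epoch: float,
                      max_lifetime: int = DEFAULT_MAX_LIFETIME) -> bool:
    """True when the cookie asks for more than the configured maximum,
    i.e. the case in which the proposed policy would prompt the user."""
    lifetime = cookie_lifetime_seconds(set_cookie, now_epoch)
    return lifetime is not None and lifetime > max_lifetime


def trim_cookie(set_cookie: str, now_epoch: float,
                max_lifetime: int = DEFAULT_MAX_LIFETIME) -> str:
    """Return the header unchanged if within policy; otherwise drop its
    Max-Age/Expires attributes and cap the lifetime at max_lifetime
    (the "trim" option). Session cookies are never touched."""
    if not exceeds_threshold(set_cookie, now_epoch, max_lifetime):
        return set_cookie
    pair, attrs = _split_attributes(set_cookie)
    kept = [a for a in attrs
            if a.partition("=")[0].strip().lower() not in ("max-age", "expires")]
    kept.append(f"Max-Age={max_lifetime}")
    return "; ".join([pair] + kept)


if __name__ == "__main__":
    # Constructed sample: "now" is the timestamp of this message, 2018-08-28 17:15:02 UTC.
    now = 1535476502
    for header in ("sid=abc; Path=/; HttpOnly; Secure",
                   "id=1; Max-Age=3600; Secure",
                   "track=xyz; Expires=Wed, 28 Aug 2019 17:15:02 GMT; Path=/"):
        print(cookie_lifetime_seconds(header, now), exceeds_threshold(header, now),
              "->", trim_cookie(header, now))
```

Trimming rewrites the header with a Max-Age rather than a recomputed Expires date, since Max-Age is unambiguous and not subject to clock-skew or date-format parsing differences; a browser implementing the "ask" variant would call `exceeds_threshold` first and only fall back to `trim_cookie` if the user chose to shorten the lifetime.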