I have some not-fully-baked thoughts about cookies, and I'd appreciate feedback: github.com/mikewest/http-sta…
TL;DR: We should introduce a client-controlled, origin-bound, HTTPS-only session identifier for network-level state management. And eventually deprecate cookies.
37
155
22
385
Warning: My initial feedback comes in the form of the dreaded injection of regulatory / policy concerns into what should be a nice and clean technical proposal.
2
1
4
There is a lot of nuance in how Facebook uses different cookies, for example, and probably Google, and others, too.
1
Some cookies live for a short time, and others for a long time. Some get reset for each user, and some stay to help us learn when a browser has multiple users so we can do the right thing for those folks from a security + privacy perspective.
1
1
Some are only set from a first party context, some are set from third party contexts. Some are read only by security + integrity systems and some only by advertising systems.
1
These are driven by and will continue to be shaped by our own best practices, agreements with regulators, and regimes like the GDPR that regulate the purpose and use of data, etc.
1
I worry that one browser identifier to rule them all will collapse too much context to move forward with essential services relying on client identifiers of different scopes and purposes.
2
5
The concern of advertising/tracking identifiers is exactly what drove Apple to adopt measures that actively conflict with keeping user accounts secure and to prevent fraud. Apple chose privacy over security for their users, so +1 on keeping that dynamic in mind.
Aug 15, 2018 · 5:45 AM UTC