Mike West · Feb 3, 2018 · 5:01 PM UTC

Mike West

Mike West @mikewest

3 Feb 2018

Are there any good papers out there on theoretical replacements for cookies, a la @adambarth’s original Cake proposal (tools.ietf.org/html/draft-ab…)?

Mike West · Feb 3, 2018 · 5:14 PM UTC

Mike West @mikewest

3 Feb 2018

The subsequent origin cookie proposal (w2spconf.com/2011/papers/ses…, tools.ietf.org/html/draft-we…) is better-than-status-quo, but less aspirational. I’m looking for burn-it-down-and-start-over suggestions. :)

Bil Corry · Feb 3, 2018 · 9:55 PM UTC

Bil Corry @bilcorry

3 Feb 2018

Would be interesting to turn it around and have the browser assign + send a unique ID per domain, server then stores what it needs server-side based on ID. User can rotate as desired. It’s essentially the iOS notion of advertising ID.

Bil Corry · Feb 3, 2018 · 9:57 PM UTC

Bil Corry · Feb 3, 2018 · 9:57 PM UTC

Bil Corry @bilcorry

3 Feb 2018

Replying to @bilcorry @mikewest @adambarth

No more blocked cookies, or concerns server data is being stored on user devices, or annoying EU cookie notifications, etc.

Feb 3, 2018 · 9:57 PM UTC

Mike West · Feb 5, 2018 · 8:01 AM UTC

Mike West @mikewest

5 Feb 2018

Replying to @bilcorry @adambarth

I agree with the spirit of this kind of proposal. I'm less convinced in practice, given the value to developers of signed cookie values. Arbitrary session IDs might be a totally reasonable thing for advertising/measurement, but it seems to me that it's not enough for auth.