EU May Outlaw Cookies

Millennium writes: "According to Yahoo News, The European Commission is considering a privacy directive which, among other things, completely bans the use of cookies. Forgive me for saying so, but considering all the legitimate uses of cookies, isn't banning them outright going just a bit too far?" Update: 10/31 19:21 GMT by M : The submitter's write-up is wrong. Read the story. Keep in mind, as usual, that a "news" story whose sole source is an executive with an agenda to push is unlikely to portray the situation accurately.

the wrong solution for the wrong problem

[fetta]

The EU appears headed toward a classic error - they haven't defined the problem correctly. Instead of asking "how can we protect the privacy of our citizens" they asked "how can we prevent organizations from using this specific technology to invade our citizens privacy."

Whoever proposed this absolute ban on cookies clearly has never done any kind of web development. Sheesh.

They should outlaw pencils and paper, too

[nate.sammons]

I mean, I could write some personal infomation
on that paper and slip it under your mousepad.
Then, later, I could update that piece of paper
with new information.

What's good about this:

- Someone, somewhere is taking privacy
seriously.

What's bad about this:

- It demonstrates a fundamental lack of
understanding about the modern world.

Overall, I say it's good. They are *thinking*
about privacy, which is more than the US
Government is doing (aside from thinking about

how to get rid of privacy).

-nate

Re:not banned outright

[macdaddy]

"The existence of such a technology, the amendment states, ''may seriously intrude on the privacy of these users..."

Then again binoculars and small video cameras 'may seriously intrude on the privacy...' of European people too. Are they going after things of that nature as well?

Things will break

[whjwhj]

I have a number of customers in Europe (particularily in Germany) who express a great deal of trepidation and fear about cookies. Particularily from folks who aren't tech savvy. I once wrote an entire web app that maintained state using GET paramaters and hidden input fields, all because they fear cookies. But since then, I've written many apps that wholeheartedly rely on cookies. If the EU were to ban cookies altogether (which apparently they may not) ... well my customers are going to have to shell some good ol' US dollars my way to make things work! I say bring it on!

Alternative to cookie: URL-rewriting and its flaws

[fractalus]

Ultimately there are too many applications that run over the web that have to have session identifiers. Sometimes it's so that it can identify returning visitors, sometimes it's so it can just track some current information (like your shopping cart). Somewhere, it's going to have to stick that session identifier in there.

You can put it in the cookie, but that means people who disable cookies on general principles can't use your site. Sort of a nuisance.

You can put in on the URL, but if you do that, you have to be aware that people may send URLs containing session identifiers to their friends by e-mail, or they might post them to a newsgroup, or better yet, they might just put up their own web site with a link with that ID in it. I've seen all three in sites I've worked on that use URL-rewriting.

Because we wanted to avoid cookies, we started checking referrers on inbound requests. Yes, of course referrer can be spoofed; that's not the issue. We simply wanted to catch casual sharing of URLs containing session identifiers. Any referrer that doesn't match the site of the actual request, or where the session ID is different than the one in the request, is rejected; a new session is established at that point. If the request was for an interior page that requires logging in first, the user then gets booted back to the site entrance or a login page.

It really depends on whether you want to go ahead and use cookies or not. I prefer not. Cookies certainly are not the only way to manage sessions.