Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sweden Crunches Cookies

Posted by michael on from the chocolate-chip dept.

dillkvast writes "According to this article (swedish) at ComputerSweden swedish websites must now have the user's consent to use cookies. The law also states that the user is to be informed of what the information stored in the cookie is, and its intended use. This leaves swedish website with two options: No cookies at all, or a special page where the user is informed of the cookie use and can choose to either accept or reject the cookies. This represents a huge problem for swedish sites which use .asp and .php session variables, the article states, which will have to rewrite their sites to present the user with a chance to confirm that cookie use is ok. The law comes into force today."

7 of 401 comments (clear)

  1. Implied Consent by Gothmolly · · Score: 5, Insightful

    If you configure your browser to accept no cookies, some cookies, or all cookies, isn't that consent for websites to SET the cookies? Seems to me that this is an attempt to legislate a human problem - people want 'privacy' but are too bothered to keep clicking the button to acknowledge the "this site wants to set another cookie - you already have 12345 cookies from this site. Continue?" button. So the State 'makes' things 'secure' and 'private' by passing a law that says that only 'bad' people will use hidden cookies.
    Wake up folks, know how to operate your browser. You can work an answering machine, a VCR, and an automobile, why not a web browser?

    --
    I want to delete my account but Slashdot doesn't allow it.
  2. dumb but not a big deal by truffle · · Score: 5, Insightful


    There's no need to rewrite your site, just direct any visitor to this splash page. If they don't choose to use the cookies, they don't get to use your site.

    Sounds a bit harsh, but speaking as a Web developer, if you're working with a non static site it's simply too much of a pain to produce a good site. It's not impossible, it's just a huge pain. Almost all users will accept the restriction of cookies.

    A few years ago I wouldn't have said this, but browsers today who refuse to use cookies are just cutting themselves off from a large part of the Internet. Let them cut themselves off. When they're ready to join the rest of us, they're welcome to.

    As for privacy concerns, Mozilla has a nice warn-me-before-storing-a-cookie mode. Here's a clue for the Swedes, it should be the browser manufacturers providing consumers with options to protect their privacy.

    --

    ---
    I support spreading santorum
  3. Legislating around IETF standards by aziraphale · · Score: 5, Insightful

    I've said it before and I'll say it again - the terminology employed in internet law as it relates to internet standards is seriously screwed up.

    What they're legislating here is that before a server transmits an HTTP response featuring a Set-Cookie header, they must send a prior (human readable) HTTP response to the client saying that they'll be sending a response with a Set-Cookie header along next if the client doesn't mind.

    This is ridiculous - there's no law saying a client must obey set-cookie headers, there's no reason for Set-Cookie headers to have any more legal status than Cache-Control headers. Set-Cookie is just a suggestion from the server to the user agent that it would help the server if the user agent remembered the attached cookie data, and sent it back in a cookie header with any subsequent requests.

    Set-Cookie is a request, not an order. If the client chooses to accept the cookie, that's the client's business. If the client chooses to ignore the cookie, so be it.

    Legislation doesn't belong in this field. The protocol provides for the situation where the client has privacy concerns about the server. legislating to effectively override IETF standards is a dangerous direction to go in.

  4. Bigger security risk by mgkimsal2 · · Score: 4, Insightful

    There's a greater chance that your session would be hijacked accidentally if you fwd a URL that has your session ID in it to someone else.

    --
    creation science book
    1. Re:Bigger security risk by maharg · · Score: 4, Insightful

      A far better way is to tie the id to a specific ip.

      Wouldn't this present a problem where the user is behind a proxy ?

      --

      $ strings FTP.EXE | grep Copyright
      @(#) Copyright (c) 1983 The Regents of the University of California.
  5. meanwhile... by Gavin+Rogers · · Score: 4, Insightful

    Meanwhile back in real life millions of scam artists, spammers and paedophiles remain confident that legal loopholes exist that allow them to do what they do without fear of prosecution.

    Cookies security problems? That's so 1996... Get with the real problems the Internet needs laws to prevent.

  6. Can someone translate this please by Rogerborg · · Score: 4, Insightful

    Specifically:

    • How explicit does the acceptance have to be?
    • Does it apply to all content served, or just to that served to clients that can (reasonably) be identified as being in Sweden?
    • Does it mandate a mechanism?
    • Is the mandated mechanism pure HTTP/HTML (how do I click on a popup in lynx, for example?).
    • How do they distinguish between a human browser, and a robot?
    • Do sites have to implement blocking of deep linking to redirect browsers to a cookie acceptance page? Does that screw indexing engines?

    Seems to me like there's a metric buttload of questions to be answered before we can have anything like a reasoned debate on this.

    --
    If you were blocking sigs, you wouldn't have to read this.