Slashdot Mirror


Sweden Crunches Cookies

dillkvast writes "According to this article (Swedish) at ComputerSweden, Swedish websites must now have the user's consent to use cookies. The law also states that the user is to be informed of what the information stored in the cookie is, and its intended use. This leaves Swedish websites with two options: No cookies at all, or a special page where the user is informed of the cookie use and can choose to either accept or reject the cookies. This represents a huge problem for Swedish sites which use .asp and .php session variables, the article states, which will have to rewrite their sites to present the user with a chance to confirm that cookie use is ok. The law comes into force today."


  1. mostly not a problem: by Neophytus · · Score: 4, Interesting
    mostly not a problem:
    do you want to remember my password (uses cookies) (x) yes ( )no
    Most forum software has the option to use/not use cookies (and as such sessions are passed through urls) so that shouldn't be a problem either for non-lazy coders.

    Actually, scratch that, most websites will just ignore the law and get on with life.

    1. Re:mostly not a problem: by JRSiebz · · Score: 4, Interesting

      You're wrong.

      When you have a user log in to a particular part of the site, you need to store username, password information, and some other session variables in a cookie, so that subpages within the part that needs to be logged into can check to see if the user is properly logged in. I like to check to see if the user is the actual user I think they are.

      I guess you've never used php before.
      Especially for a site you need to log into.
      Hope this law never passes in the US, if you don't want cookies from a site, don't go there.

      Does this law allow you to deny service to a user who doesn't accept the use of cookies?

    2. Re:mostly not a problem: by EuropeUnited · · Score: 1, Interesting

      At the end of the paragraph, it says that it is ok to store a cookie for:

      "[...] sådan lagring eller åtkomst som behövs för att utföra eller underlätta att överföra ett elektroniskt meddelande via ett elektroniskt kommunikationsnät eller som är nödvändig för att tillhandahålla en tjänst som användaren eller abonnenten uttryckligen har begärt."

      Which in English translates into something like "to ease the transmission of an electronic message or supply a service the user explicitly asked for"

      When typing in a URL I'd say that one is really rather explicit about asking for that website. And therefore a site can store cookies related to itself.

      My interpretation of the law is that it forbids datamining using innocent people's cookies.

    3. Re:mostly not a problem: by orkysoft · · Score: 4, Interesting

      Seems like this law is all about outlawing cookies that often come with banner ads.

      --

      I suffer from attention surplus disorder.
  2. Christ, what next by joshv · · Score: 4, Interesting

    How is this any different than session IDs stored in URLs - i.e. URL re-writing. Sure, the person can see the info in the URL, but do they understand it any more than they would the contents of a cookie?

    -josh

    1. Re:Christ, what next by Stackster · · Score: 2, Interesting

      I once saw a simple proof-of-concept in which the server could identify the client based on the browser cache.
      A (dynamic) HTML page contained a bunch (about 100 or so) of img tags (and recorded which client got which set of img tags, they all had an ID in the URL). The next time the same client loaded the page, it got a different set of ID numbers, some of which were the same, and since those were cached, they weren't fetched from the server. So based on merely what information the client requested (or rather, _didn't_ request), it could be identified anyway.
      Sure, some browsers cache things differently (or not at all), and some don't even load images (lynx). But at least it worked with the default settings of the two major browsers at the time (MSIE and Netscape, both 4.something).
      IIRC, those 100 img tags were enough to keep track of several thousand clients.

      --

      There are 010 kinds of people. Those who understand octal, those who don't, and 06 other kinds of morons.
  3. PHP and cookies .. by MadX · · Score: 2, Interesting

    Well at least PHP will offer the option of allowing you to use the session ID as a variable in the request/post string, i.e.: page.php?PHPSESSID=xxxxxxxxxx
    So you can effectively track the user on the server side like this.

  4. Poor Swedish website designers by Eric+Ass+Raymond · · Score: 3, Interesting
    Awww... poor Swedish website designers.

    I don't really think this matters that much. Especially, if you use something like Mozilla that can selectively block cookies. I let in cookies only from my netbank and Slashdot. If some other site won't let me in without cookies, they won't get a hit from me then.

  5. A compromise solution by mikech@rbsgi · · Score: 4, Interesting

    A compromise solution would have been to disallow cookies that live longer than the user's session. Session cookies are very useful for JSP, PHP, etc. Long-lived (persistent) cookies are the real concern of the privacy folk. I'm surprised that no one presented this.

  6. You really don't --need--- cookies by tjstork · · Score: 2, Interesting

    if you store state in an encrypted hash on an input hidden tag.

    --
    This is my sig.
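
The hidden-field approach suggested in the comment above, as an added example that is not part of the original thread: the server packs per-user state into a form field and rejects it on return if it was altered or is too old. It swaps the comment's "encrypted hash" for an HMAC-SHA256 tag, so the client can read the state but cannot change it; `SECRET_KEY`, `MAX_AGE` and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import html
import json
import time

SECRET_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to the client
MAX_AGE = 900                         # assumption: seconds a token stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def pack_state(state: dict, now=None) -> str:
    """Serialize state with an issue time and append an HMAC-SHA256 tag."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"iat": issued, "state": state},
                         sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def unpack_state(token: str, now=None):
    """Return the state dict, or None if the token is malformed, forged or expired."""
    current = int(time.time() if now is None else now)
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Verify the tag in constant time before parsing anything the client sent.
    if not hmac.compare_digest(tag, expected):
        return None
    data = json.loads(payload)
    if not 0 <= current - data["iat"] <= MAX_AGE:
        return None
    return data["state"]


def hidden_field(state: dict, now=None) -> str:
    """Render the token as the hidden input the server embeds in each form."""
    token = html.escape(pack_state(state, now), quote=True)
    return '<input type="hidden" name="state" value="%s">' % token
```

A token can still be replayed unchanged until it expires, so state that must be single-use needs a server-side record as well.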
  7. Web Site Law by Anonymous Coward · · Score: 1, Interesting

    As a developer, I wish there was a compiled list of web site laws such as this. I'd like to visit 1 web page where I could see all international and local government laws that are relevant to creating an internet based website.

    Do you think US export restriction laws apply to serving static content too?

  8. Stupidest idea ever. by Kjeks · · Score: 2, Interesting

    Why can't just the paranoid people block cookies?
    I can't exactly see the big problem with cookies (other than that it's an unreliable solution for remembering user-data).

    As already mentioned, if PHP is using sessions, it will first try to set a cookie with the session-ID. If that fails, it will pass the session-ID along with the url or automagically add a hidden-field to forms.
    Good luck rewriting ALL php-sites that use sessions.

    As I see this, cookies do more good than harm, and it's no problem disabling them, so what's all the fuss about?

    --
    Will work for bandwidth.
  9. Re:Cookies not needed by radish · · Score: 2, Interesting

    Wow, genius.

    All a cookie is is a session ID, the actual data in the session is kept on the server. It's just neater not to have to rewrite every URL, and it's nice to have the option of persistence. For everyone who is pointing out ways of living without cookies, you're missing the point. Cookies don't allow you to do (much) you can't do otherwise, they just let you do it more neatly and more reliably.

    --

    ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

  10. Re:Seems a bit harsh by MeNeXT · · Score: 2, Interesting
    It annoys me when legal types with an insufficient grasp of technology create laws without realising the consequences. Laws should have to pass through some kind of expert panel first.


    It annoys me that tech types with insufficient grasp of the law create products or services without realising the consequences.


    Most laws in democratic societies do pass through an "expert panel", the problem is who defines "expert". Unfortunately the same cannot be said about products and services, no expert panel required.

    --
    DRM? No thanks, I'll just get it somewhere else...
  11. Re:Seems a bit harsh by Pieroxy · · Score: 2, Interesting

    Yes, I am strongly suggesting that. For example, downloading (and using) Mozilla with the default 128bit encryption is illegal in France. Though you don't risk too much...

    The point is: It is your job and duty to make sure that you are complying with the local law.

    The argument is that a law that implicitly makes it illegal to use IIS in its default configuration is an unfair law

    Following your argument, no law should be passed if a software already exists that violates it? That can't be it right? Software doesn't make the laws, legislators do.