Sweden Crunches Cookies
dillkvast writes "According to this article (Swedish) at ComputerSweden, Swedish websites must now have the user's consent to use cookies. The law also states that the user is to be informed of what the information stored in the cookie is, and its intended use. This leaves Swedish websites with two options: no cookies at all, or a special page where the user is informed of the cookie use and can choose to either accept or reject the cookies. This represents a huge problem for Swedish sites which use .asp and .php session variables, the article states, which will have to rewrite their sites to present the user with a chance to confirm that cookie use is OK. The law comes into force today."
Most forum software has the option to use/not use cookies (and as such sessions are passed through urls) so that shouldn't be a problem either for non-lazy coders.
Actually, scratch that, most websites will just ignore the law and get on with life.
IIS for Windows assigns all clients an ASP session cookie by default. I'm not even sure how you turn that off. I'm sure other web servers on other OSs must do similar things too.
It annoys me when legal types with an insufficient grasp of technology create laws without realising the consequences. Laws should have to pass through some kind of expert panel first.
results in 62 cookies being blocked by my browser. Seems these guys have a lot of work to do to comply with the new law :)
How is this any different than session IDs stored in URLs - i.e. URL re-writing. Sure, the person can see the info in the URL, but do they understand it any more than they would the contents of a cookie?
-josh
Well at least PHP will offer the option of allowing you to use the session ID as a variable in the request/post string .. ie : page.php?PHPSESSID=xxxxxxxxxx ..
So you can effectively track the user on the server side like this
If you configure your browser to accept no cookies, some cookies, or all cookies, isn't that consent for websites to SET the cookies? Seems to me that this is an attempt to legislate a human problem - people want 'privacy' but are too bothered to keep clicking the button to acknowledge the "this site wants to set another cookie - you already have 12345 cookies from this site. Continue?" button. So the State 'makes' things 'secure' and 'private' by passing a law that says that only 'bad' people will use hidden cookies.
Wake up folks, know how to operate your browser. You can work an answering machine, a VCR, and an automobile, why not a web browser?
I want to delete my account but Slashdot doesn't allow it.
I don't really think this matters that much. Especially, if you use something like Mozilla that can selectively block cookies. I let in cookies only from my netbank and Slashdot. If some other site won't let me in without cookies, they won't get a hit from me then.
BOO! TERRO
Shouldn't that be "comes into farce"?
I'm sorry if I haven't offended anyone
There's no need to rewrite your site, just direct any visitor to this splash page. If they don't choose to use the cookies, they don't get to use your site.
Sounds a bit harsh, but speaking as a Web developer, if you're working with a non static site it's simply too much of a pain to produce a good site. It's not impossible, it's just a huge pain. Almost all users will accept the restriction of cookies.
A few years ago I wouldn't have said this, but browsers today who refuse to use cookies are just cutting themselves off from a large part of the Internet. Let them cut themselves off. When they're ready to join the rest of us, they're welcome to.
As for privacy concerns, Mozilla has a nice warn-me-before-storing-a-cookie mode. Here's a clue for the Swedes, it should be the browser manufacturers providing consumers with options to protect their privacy.
---
I support spreading santorum
A special web page where the user can choose whether or not to receive cookies. What a good idea! All a web site needs to do is save the 'don't give me cookies' preference in a cookie and... wait.... Um.....
Eat at Joe's.
Post och Telestyrelsen (the authority enforcing the law) has an English version of the "info text" needed for using cookies.
I've said it before and I'll say it again - the terminology employed in internet law as it relates to internet standards is seriously screwed up.
What they're legislating here is that before a server transmits an HTTP response featuring a Set-Cookie header, they must send a prior (human readable) HTTP response to the client saying that they'll be sending a response with a Set-Cookie header along next if the client doesn't mind.
This is ridiculous - there's no law saying a client must obey set-cookie headers, there's no reason for Set-Cookie headers to have any more legal status than Cache-Control headers. Set-Cookie is just a suggestion from the server to the user agent that it would help the server if the user agent remembered the attached cookie data, and sent it back in a cookie header with any subsequent requests.
Set-Cookie is a request, not an order. If the client chooses to accept the cookie, that's the client's business. If the client chooses to ignore the cookie, so be it.
Legislation doesn't belong in this field. The protocol provides for the situation where the client has privacy concerns about the server. Legislating to effectively override IETF standards is a dangerous direction to go in.
A compromise solution would have been to disallow cookies that live longer than the user's session. Session cookies are very useful for JSP, PHP, etc. Long-lived (persistent) cookies are the real concern of the privacy folk. I'm surprised that no one presented this.
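The distinction the post above draws (session cookies versus persistent ones) is something a site can check for in its own responses. The following is an added example, not code from the thread or from any project mentioned in it: it parses Set-Cookie header values and sorts them by lifetime, using the RFC 6265 rule that Max-Age takes precedence over Expires and that a cookie with neither attribute lives only for the browser session. The sample headers and the reference time are constructed.

```python
"""Sort Set-Cookie headers into session, persistent and expired cookies.

Added example, not from the thread: the post above argues only cookies
outliving the browser session matter for privacy, so a site auditing its
own responses wants them sorted by lifetime.  Per RFC 6265, Max-Age wins
over Expires; a cookie with neither lasts only for the session.  Headers
and the reference time below are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Return (name, value, {attr_lower: value}) for one header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def classify(header, now):
    """Return 'session', 'persistent' or 'expired' for a Set-Cookie value."""
    _, _, attrs = parse_set_cookie(header)
    if "max-age" in attrs:
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "expired"
        except ValueError:
            pass  # browsers ignore a malformed Max-Age; fall back to Expires
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"  # an unparseable Expires is ignored as well
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return "persistent" if exp > now else "expired"
    return "session"

def audit(headers, now):
    """Map each cookie name to its lifetime class."""
    return {parse_set_cookie(h)[0]: classify(h, now) for h in headers}

# Constructed reference time and sample headers (not from any real site).
AUDIT_TIME = datetime(2003, 7, 25, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly",
    "ASPSESSIONIDQQGGGRTD=KLMNO; path=/",
    "adtrack=u-7781; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Domain=.ads.example",
    "prefs=lang%3Dsv; Max-Age=31536000; Path=/",
    "gone=1; Max-Age=0; Path=/",
]
```

Running `audit(SAMPLE_HEADERS, AUDIT_TIME)` classifies the two framework session cookies as session-only and the tracking and preference cookies as persistent.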
This represents a huge problem for Swedish sites which use .asp and .php session variables.
:-)
Just use a Java Web Application with JSPs. They automatically handle the generation of the sessionId with cookies or URL rewriting without any modification to the source code.
There's a greater chance that your session would be hijacked accidentally if you fwd a URL that has your session ID in it to someone else.
creation science book
if you store state in an encrypted hash on an input hidden tag.
This is my sig.
Why can't just the paranoid people block cookies?
I can't exactly see the big problem with cookies (other than that it's an unreliable solution for remembering user data).
As already mentioned, if PHP is using sessions, it will first try to set a cookie with the session ID. If that fails, it will pass the session ID along with the URL or automagically add a hidden field to forms.
Good luck rewriting ALL PHP sites that use sessions.
As I see this, cookies do more good than harm, and it's no problem disabling them, so what's all the fuss about?
--
Will work for bandwidth.
Actually it's "just" an implementation of an EU law according to a directive from the EU (2002/58/EG) not that it makes it any better though since all of EU has to have this law sooner or later (but before Oct 31st 2003 according to the directive).
"GNU's not Unix....it's Linux" / Kami "kokamomi" Petersen
Meanwhile back in real life millions of scam artists, spammers and paedophiles remain confident that legal loopholes exist that allow them to do what they do without fear of prosecution.
Cookies security problems? That's so 1996... Get with the real problems the Internet needs laws to prevent.
Do you use IE like most people do? You can only block all cookies (and lose the use of your netbank, for instance) or allow all cookies.
:-p That said, everyone should use Moz Firebird.
Uh, false?
You can accept, deny, or have IE prompt you for cookies. You can also differentiate between third-party cookies and cookies from the originating site.
Not only that, but you can override the cookie handling for individual sites - just put your netbank on "Always Allow" and you're set.
People who haven't used IE for years shouldn't go talking about its features or lack thereof.
The law doesn't apply to cookies used to supply the user with a service she asked for.
That is certainly open to interpretation, but at the very least it means that sites that really need cookies can relax. Shopping online, logging in to a news site, or any form of web-based mail are all services the user explicitly asks for, after all.
However, silent information gathering becomes illegal. Is that a bad thing? Hell no.
Specifically:
Seems to me like there's a metric buttload of questions to be answered before we can have anything like a reasoned debate on this.
If you were blocking sigs, you wouldn't have to read this.
Wow, genius.
All a cookie is is a session ID, the actual data in the session is kept on the server. It's just neater not to have to rewrite every URL, and it's nice to have the option of persistance. For everyone who is pointing out ways of living without cookies, you're missing the point. Cookies don't allow you to do (much) you can't do otherwise, they just let you do it more neatly and more reliably.
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
..if people actually read and understood the text before making headlines out of it..
First, the law says that if you _requested_ the service, go ahead and use your cookies all you want. But only for the site you wanted to access.
This effectively stops banner-ad companies from tracking your movement between sites using persistent cookies, since you never _requested_ to look at their banners.
Second, it only outlaws _storing_ of the information, which in my mind comes to _persistent_ cookie, ergo PHP / ASP session-cookies should be allowed without problems.
I don't see any problem with this law, but I do see a lot of good things coming from it. Less spying from evil banner-ad companies for one.
My 2 cents worth..
URL session tokens are quite a bit less secure than cookie-based ones. I know of at least a couple online webstores that allow session hijacking through their JSP URL tokens. (You're shopping. You see X item. You cut & paste the link to your friend so they can look at it... now you're both shopping in the same session...)
Cookies keep client-specific data outside URLs and in a well specified, predictable and easy to manage system. You can set your browser to accept or reject them at will quite easily; even IE's really quite good at handling this automatically.
Compare this with storing the same data in the URL; instead of setting a SID=12345 cookie to track your session id, it gets tacked onto the end of every link, Referer header, etc; now you have no automated method to accept or reject the "cookie", nor much control over having it leaking into access logs all over the place by way of referer headers.
Congratulations, by not using cookies you just reduced the user's control over their own privacy! Well done!
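The leak the post above describes (a URL-carried session token ending up in links, Referer headers and access logs) is easy to spot after the fact. The following is an added example, not code from the thread or from any project it names: it scans Combined Log Format lines for the query and path parameters that PHP and JSP use for URL-based sessions (PHPSESSID, jsessionid), plus a generic `sid`, and reports every place a token surfaced. The log lines are constructed samples.

```python
"""Flag session identifiers that leaked into URLs or Referer headers.

Added example, not from the thread.  A session token carried in the URL
ends up in every link, Referer header and access log; this check scans
Combined Log Format lines for the parameters PHP and JSP use for URL
sessions (PHPSESSID, jsessionid) plus a generic 'sid' and reports where
each token surfaced.  The log lines below are constructed samples.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Query parameters that carry a session token when cookies are not used.
SESSION_PARAMS = {"phpsessid", "jsessionid", "sid"}

def session_tokens(url):
    """Return {param: token} for session parameters found in a URL or path."""
    parts = urlsplit(url)
    found = {}
    for key, values in parse_qs(parts.query).items():
        if key.lower() in SESSION_PARAMS:
            found[key] = values[0]
    # JSP-style path parameter: /cart.jsp;jsessionid=TOKEN
    m = re.search(r";jsessionid=([^?;/]+)", parts.path, re.IGNORECASE)
    if m:
        found["jsessionid"] = m.group(1)
    return found

def scan_log(lines):
    """Yield (client, where, param, token) for every leaked session token."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line; skip it
        for where in ("path", "referer"):
            for param, token in session_tokens(m.group(where)).items():
                yield (m.group("host"), where, param, token)

SAMPLE_LOG = [  # constructed lines; hosts and tokens are made up
    '10.0.0.5 - - [25/Jul/2003:10:01:02 +0200] "GET /index.php?PHPSESSID=9f2a7c HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [25/Jul/2003:10:01:09 +0200] "GET /img/logo.png HTTP/1.1" 200 2048 "http://shop.example.test/cart.php?PHPSESSID=9f2a7c" "Mozilla/5.0"',
    '10.0.0.9 - - [25/Jul/2003:10:02:00 +0200] "GET /cart.jsp;jsessionid=B1C2D3?item=42 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [25/Jul/2003:10:03:00 +0200] "GET /login.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

def leaked_tokens(lines=SAMPLE_LOG):
    """Collect all leaked tokens from the given log lines."""
    return list(scan_log(lines))
```

The second sample line is the case the post warns about: the token never appears in the request itself, only in the Referer header sent when the browser fetched an image.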
I don't mind when slashdot posters comment on things without actually checking the facts, but I get pretty annoyed when a news site does the same thing. IDG has had a long campaign against any kind of privacy regulation or other things that may hamper their ability to do whatever they want. The article is factually bunk, in other words. These are the same people lobbying for a sales tax exemption to advertising in very shrill overtones.
The law explicitly allows using cookies for session management, identity and persistence without consent by the surfer when it is needed for the functionality the surfer came to the site to use. Slashdot would be in the clear, no problem. So would shopping sites using cookies for keeping track of a shopping cart, for example. Most asp and php sites would have no problem either.
The law _only_ regulates cookies that are not relevant to the site functionality. Specifically, ad tracking stuff, web bugs and other stuff that track you independently of the site functionality can not store cookies without your informed consent. That's it.
Just ignore the hysterical rhetoric from IDG.
Trust the Computer. The Computer is your friend.
If you use IE6 then it only accepts cookies when you have a privacy statement (default setting). It means that when you want to read/set a cookie you have to provide the browser with a privacy statement. This is actually 3 documents consisting of 2 XML files and an HTML file explaining what the cookie is trying to do.
:)
Bloody annoying if you are coding a web application, I assume it broke a lot of old stuff.
Do these people not know you can reject cookies with your browser?
Yes, they do. But they also know that it is often hard for the user to know for which purposes the cookies are used.
This is not an anti-cookie law. This is a law that requires the website to tell the user what the cookies are used for.
If J.K.R wrote Windows: Puteulanus fenestra mortalis!
Oh, and while storing the source IP is a partial solution, it's not 100% (think people behind a common proxy), and the whole point of the session id is that you DON'T re-enter your user/pw at every page. Cookies are the best, cleanest way to maintain state over a session. They're even better if you want to maintain state over multiple sessions (on the other hand, this can be dangerous and I'm not sure that it's useful enough to outweigh the security and privacy concerns).
- M.
So, if they really wanted to mix it up, they'd order the browsers to have them off by default (or ask the user on their first run) and make sure websites don't need them to function. But requiring them to get consent is silly. Cookies are an essential part of web design, misused, for sure, but I can misuse images or session headers or the REFERER field in HTTP/1.1 to track someone as well. Government should not be legislating technology, when possible, be it for corporate gain or perceived consumer safety.
PTS (the department responsible for this law) has a website at www.pts.se and they comply with this law and are using ASP. The reason for this law is simple: organizations are trampling all over people's privacy rights because it's too damn easy to do so. The Swedish law is designed to put the legal advantage at the side of the common man again.
Btw, I might add that I know one of the major lawyers responsible for this law.
I can see a lot of businesses moving their site 'off-country' or making them "international" if that doesn't cut it....
AC comments get piped to
I'm from Sweden and I must say that this sucks.
It's just one more of those stupid Swedish rules that hinder the marketplace. Like back in the day, you couldn't get a .se domain name, you had to get a www.site.region.city.se.
Why can't they just leave the internet alone!
Stupid lawmakers.
Will code a sig generator for food
Internet Explorer 6 uses the Compact Privacy policy as specified in the W3C P3P spec. It uses this to determine whether a cookie is unsatisfactory (different rules based on whether it is a third-party cookie or not). MSDN has documentation covering Internet Explorer's decision matrix (unfortunately framed).
The internet is, by its very nature, not a location-specific sort of thing. Why wouldn't every ISP in Sweden simply pack up and move to Norway? They keep their traffic, keep their design, keep their cookies, and all they have to do is live in lovely Norway.
Integrity protection
Electronic communication networks may be used to store or access information that is on a subscriber's or user's terminal equipment only if the user receives information about the purpose of such treatment and is given an opportunity to reject it.
This does not prevent storage or access that is necessary to accomplish or facilitate the transfer of an electronic message through an electronic communication network or that is necessary to provide a service that the user or subscriber explicitly requested.
Thanks for browsing at -1
Please visit my blog: www.framtiden.nu
Cookies? Dangerous? It seems to me that this whole cookie-paranoia is nothing but a product of a sensational media jumping on the wrong things. Cookies aren't dangerous. And they don't hamper your privacy any more than the security camera in your local grocery store. Sweden's government needs to do a reality check and figure out what is important and what it shouldn't piddle and twiddle about.
I don't see why websites should get your consent for cookies. In most modern-day browsers like Mozilla or IE6, there are options to restrict first-party cookies and second-party cookies based on the website's compact privacy policy. You can even create a blacklist of websites you know abuse cookie power. Of course, some sites might not have a compact privacy policy, so maybe better legislation would require a policy on every site!
Even still, I've never been very concerned about cookies. If you're worried about them tracking your every movement on the internet, block third-party cookies. And keep in mind they can track you by IP address!
Overall, I think this is plain unfair to the websites that will have to completely rewrite their whole websites to comply with this ridiculous law. Luckily I don't have to deal with it!
/usr/bin/complain >
You have to have a page (linked to from the front page) to describe what cookies are, how to disable them and how they are used on your page. Having it as the front page is NOT necessary, nor is having it all as text on the front page. The information should be able to be accessed during the web site visit, in a nutshell. You do NOT need to have a no-cookie version since the user can empty her cookies or simply block cookies from your domain. However, a link to the explanatory page from your login is preferred.