
cookies are not fundamental #105

Open
raymcdermott opened this issue Feb 20, 2025 · 1 comment

Comments

@raymcdermott

Your rationale states that cookies are fundamental.

They are the de facto standard for state management but come along with surveillance capabilities that are unwanted by many users.

Other implementations for managing state are possible and offer more security to users.

This (as yet unfinished proposal) suggests one alternative https://websession.dev/

Cookies were invented in 1994, and started out as a generic mechanism for persistent key-value state that was quickly adopted to provide authentication too. However, as an ad hoc K/V store, there is nothing reliably distinguishing ‘essential’ (i.e. authentication) cookies from analytics, tracking, advertising, or preference cookies. As a result of increasingly strict privacy laws across the world, users are now beset with cookie banners across the Web, with no standard way to either consent to or reject non-essential cookies.

As stated in the GDPR (which gives rise to the cookie banners):

> ... cookies can store a wealth of data, enough to potentially identify you without your consent. Cookies are the primary tool that advertisers use to track your online activity so that they can target you with highly specific ads. Given the amount of data that cookies can contain, they can be considered personal data in certain circumstances ...

It seems like these proposals are made in a context that is free from any consideration to privacy or the regulations governing it.

@drubery
Collaborator

drubery commented Feb 20, 2025

I don't see the word "fundamental" anywhere in our repo, but if it was used the intent was along the lines of your description as "de facto standard for state management".

> This (as yet unfinished proposal) suggests one alternative https://websession.dev/

As outlined in the readme, the current proposal was chosen for easy usage by sites that currently rely on cookies. We are considering further extensions to DBSC with other ways to manage sessions. WebSession in particular has a lot of similarity to DBSC, except the challenges happen within the flow of requests rather than as an out-of-band refresh.

> It seems like these proposals are made in a context that is free from any consideration to privacy or the regulations governing it.

I don't think this is a fair characterization. Our readme says "an important high-level goal of this protocol is to introduce no additional surface for user tracking". While cookies do have a lot of privacy and regulatory complexities, DBSC should not be adding to them. We are only aiming to make sites using cookies for authentication (most sites) more secure.
