Forum OpenACS Q&A: Getting rid of cookies

Collapse
1: Getting rid of cookies
Posted by Shalon Wood on 09/07/00 02:40 PM
As I understand it, cookies are used only for keeping track of who is
doing what. Is there any reason why Basic Authentication couldn't be
used for that?

Shalon Wood

Collapse
2: Response to Getting rid of cookies (response to 1)
Posted by Norbert Klamann on 09/07/00 03:19 PM
With cookies it is possible to track without asking the user for registration. Rhe you can track casual users.

Norbert Klamann

Collapse
3: Response to Getting rid of cookies (response to 1)
Posted by Ben Adida on 09/07/00 05:27 PM
more importantly, you can track sessions, not just logins. So if one user is logged in twice, the sessions don't mangle each other. Cookies are a *very* important part of true collaboration and thus OpenACS.
Collapse
4: Response to Getting rid of cookies (response to 1)
Posted by Dirk Gomez on 09/07/00 08:05 PM
Cookies pose some problem - at least in Germany. Browsers by default are set to "ask if cookies should be accepted". Most people turn down all cookies, so all major German websites work without cookies as well.
Collapse
5: Response to Getting rid of cookies (response to 1)
Posted by Dan Wickstrom on 09/08/00 04:56 AM
If they don't generally use cookies on German websites, how do they maintain session information?
Collapse
6: Response to Getting rid of cookies (response to 1)
Posted by Mark Ciccarello on 09/08/00 07:42 PM
Without cookies it's very ugly.

You can use http authentication and store the user state on the server.  This has many drawbacks, which is why hardly anyone does it, at least in the U.S.

Or you can encode a user identifier in each url, or if it's not much data, the state information itself.  This only works if all of your html links are generated dynamically.  And of course it's visible to the user in the url and won't survive URL surgery has a lot of other problems.

Collapse
7: Response to Getting rid of cookies (response to 1)
Posted by Joe Harrington on 09/08/00 09:27 PM
I think it's short-sighted to call cookies an integral part of collaboration.  I never needed flour, butter, and sugar to work with people before!  Many sites work great without them.  If my stock broker (Datek) can do it, so can OpenACS.  I'd like to see some effort go into documenting how to set up a cookieless ACS site.  I'm not (yet) a web guru, but I imagine that setting up a secure site and using the SSL session key as an identifier would be one way.  Another way would be to encode the state in the URL, but to have particular pages that are bookmarkable.  Setting up the public areas with stateful URLs and switching to using the authentication info when the user logs in would be another.  I have to set up some sites that will be used by ornery professors from dozens of countries.  Life will be much easier if I can avoid cookies and the complaints I'll receive if I use them.  There are so many good sites done without cookies, and so many privacy concerns related to them, that it really behooves us to use our noggins and think our ways around them.  Having done time at MIT, I know the folks at LCS are up to it, and I'm a little surprised that cookie evangelism is coming out of the cradle of the LPF and FSF.

All of this would be so much less of an issue if Netscape would just put in a cookie configurator that would allow you to accept or deny cookies from particular sources, and query for the rest.

--jh--

Collapse
8: Response to Getting rid of cookies (response to 1)
Posted by Ben Adida on 09/08/00 09:57 PM
Joe, I take issue with your saying we are "short-sighted" for using cookies. Having been involved in building database-backed web sites for over 5 years, I thin I have some understanding of what is and isn't necessary or risky in building privacy-aware web sites.

Back in 1995, I helped build a web site, with *no* cookies, that allowed us to ingeniously track sessions, figure out which users were which, such that I was able to tell a friend "you visited the site on August 8th and stayed for 10 minutes, and came back on August 25th and stayed for 15 minutes." No cookies. Just programming, URL manipulations and tricks of navigation. The problem of privacy is in *no way* related to one particular technology.

Cookies are a perfectly fine technology which, when used correctly (the way ACS does), does not engender *any* additional privacy concerns. The problem is that the press has latched on to the idea that "using cookies violates your privacy." In fact, unless you check the box "remember my login" in ACS/OpenACS, your cookie will only last the duration of your session, which inherently means that you are no more at risk than with URL manipulations.

As for using the SSL session key as a unique identifier, my crypto background forces me to cringe at the thought that a session key would ever be visible to any part of the application. That is *not* a solution.

At the end of the day, if you're not using cookies on the web today, you are at a serious disadvantage. If you're of the mindset that you should never use cookies because of privacy concerns, you might as well not use the web at all, because your privacy is being violated, cookies or no cookies. The simple concept of tracking a session (using cookies or any other solution) opens up the door to privacy violations. If you don't want your session tracked, then you're in for a serious 1994 web-browsing experience.

I'm happy to hear complaints, suggestions, and anything else. However, the cookie-free ACS is not a priority today, as it solves no significant problem. If it is a priority for you, and you code up a clean, decent, unintrusive solution to it, we will be more than happy to include it in the distribution. However, calling us "short-sighted" isn't really going to get you much sympathy.

Collapse
9: Response to Getting rid of cookies (response to 1)
Posted by Joe Harrington on 09/09/00 01:18 AM
Ok, Ben, but please don't over-interpret what I say and then get offended by it.  I didn't say you were short-sighted for using cookies, I said you were short-sighted for calling them "a *very* important part of true collaboration".  I collaborated (truly) long before the invention of the web.  I can do it without cookies.  I can do it on the web without cookies, certainly to my satisfaction as a user.  You yourself said you have solved this problem once before without cookies, so I think you have overstated their importance.

It is certainly true that tracking a session on a particular site raises some privacy issues, but the big abusers (doubleclick.com and the credit-reporting agencies) depend on tracking you as an individual across many sites and over long periods of time.  That's most easily and frequently done with long-lived cookies and a presence on many sites.  You and many other web programmers talk about cookie technology as being independent of privacy concerns.  This is like saying that leaving your door unlocked in the city is independent of security concerns, because you as a pedestrian never enter someone's house without permission.

The "technology" of cookies involves both the client and server ends of things, and right now, I have very little control over how my browser treats cookies.  I can turn them off (and be locked out of many web sites), turn them on (and be defenseless against abusers), or be faced with as many as several hundred cookies per displayed page of please-click-to-go-on.  I currently choose the latter option, but I often find myself getting infinite cookie requests that lock my browser so that the only way to continue to use the web is to kill my browser and start over, losing where I am in my several open sessions on different sites.  Whenever I enable cookies, I get a .netscape/cookies file full of doubleclick.com and others who have on several occasions been cited for using these cookies to build and sell consumer databases that are a gross violation of privacy.  *You* may use cookies responsibly, but some others don't.

You may argue this is a browser issue, and it is.  If there were any decent open-source browsers out there, I'm sure someone would hack together a solution that would make cookies tasty to both web programmers and users (part of which I outlined in my posting).  Until the "technology" of cookies includes sufficient control on the client end, your responsible use of cookies on your particular site (and I do laud you for it) doesn't protect us from abuse by others.

I'm sad you're unsympathetic.  It's like a city developer saying he won't install locks on doors because he doesn't rob people on the street and then saying "go start your own door company if you don't like the way I build mine".  This is a social problem and I'd like to have the tools to do my part, run a cookieless site, and save the hundreds of complaints I'd get if I did otherwise.  Given the fact that Germany and other nations are implementing legal responses to the privacy-abuse opportunity presented by the current cookie technology, one might think web programmers would take the issue more seriously.

Shalon Wood and Dirk Gomez raise some good points that nobody has addressed.  Everyone just talks about the wonderful cookie solution and how hard it is to do anything else.  There are good sites out there that don't use cookies.  All we're looking for is an open-source way to do the same.  Right now, OpenACS is the only game in town for those of us who must put up a community site in our spare time.  Is OpenACS really ready to write off all of Germany?

--jh--

Collapse
10: Response to Getting rid of cookies (response to 1)
Posted by Ben Adida on 09/09/00 02:38 AM
Joe, it's not that easy to build a non-cookie solution into the current OpenACS solution. There is a *lot* of legacy code that would make this task painfully difficult and time-taking. It is clear that you are unfamiliar with OpenACS internals. That is perfectly okay, and I'm happy to have people like you on board to discuss other perspectives.

What irks me, though, is that instead of asking questions, you are making assumptions. You assume that we are simply refusing to do this. You assume that it would be easy to do. You assume that since other sites have this feature, that OpenACS can and should have it, too.

Things aren't that way. I (and I expect others in the community) have no objection on principle to the non-cookie idea. It is simply that it would be a time-taking endeavor while more important tasks are on our list. Also, you claim that features of cookies can easily be duplicated as shown by the 1995 site I helped build, yet you do not know either system nor how such an add-on might affect the current OpenACS architecture! I am happy to help teach you how this stuff works, but I don't see you eager to find out.

At the end of the day, the OpenACS team has to prioritize. Refusing to use existing browser functionality in order to recreate a hacked-up version is not high on our list. We cannot spend time downgrading OpenACS to the lowest commond denominator while neglecting much needed features.

I want people like you on this community who can stir things up and offer new ideas or better ways of doing things. However, your contributions will be much more effective if you also try to learn and understand why things are the way they are. Until you do, I don't think it's too much to ask that you trust the decisions of more experienced developers.

Collapse
11: Response to Getting rid of cookies (response to 1)
Posted by Dave Bauer on 09/09/00 06:10 PM
If you are personally interested in having a configurable cookie setup in your browser, use Opera 4. It allows you to sepcify which servers you will aceept or reject cookies from. You can specify to remove all cookies from a particular server. It appears to be exactly what you are looking for. Hopefully Netscape and MS will emulate this in their browsers. I would be using Opera 100% except, it cannot handle ns_returnredirect redirects for ACS so it is useless to me in maintaining my OpenACS sites.
Collapse
12: C is for cookie... (response to 1)
Posted by Todd Gillespie on 09/09/00 06:13 PM
Joe Harrington said:
Whenever I enable cookies, I get a .netscape/cookies file full of doubleclick.com and others who have on several occasions been cited for using these cookies to build and sell consumer databases that are a gross violation of privacy. *You* may use cookies responsibly, but some others don't.
As a user, I recommend you block doubleclick and any other abusers. (There are some handy tools to filter them at your machine; I just killed them at the router). As a developer, you might want to lend a hand at Mozilla to add (or re-add) cookie filters to Mozilla (or Galeon, which runs rather than walks). As a web developer, if people are not using your service b/c of cookie fear, perhaps you should examine your 'pull' content. "Is it worth risking cookie danger?"

Until the "technology" of cookies includes sufficient control on the client end, your responsible use of cookies on your particular site (and I do laud you for it) doesn't protect us from abuse by others.
Let me see if I get this -- until someone hacks together a collaborated 'cookie blacklist', auto-import into browsers, and site-by-site filtering (already there).... the use of cookies on ACS doesn't protect us from doubleclick.com? I'm confused (did I miss that ACS module?) -- perhaps you could clarify.
Given the fact that Germany and other nations are implementing legal responses to the privacy-abuse opportunity presented by the current cookie technology,
What legal difference is there between privacy invasion by cookie or privacy invasion by session tracking via {URL manipulation, navigation tricks, etc}. Even if said laws specifically say 'session tracking via cookies' any judge worth his/her salt would rule session tracking by other means as being under the same law (more probably, strike the law as ambiguous; sending it back to the legislature to fix/expand it).

I'm not (yet) a web guru
How many gurus can a field have? Isn't guruship determined by rarity?

Collapse
13: Response to Getting rid of cookies (response to 1)
Posted by Janne Blomqvist on 09/11/00 12:38 PM
You don't need Opera to be able to decide which sites can set cookies for you. See the junkbuster homepage for a GPL:ed program that works as a proxy. As default junkbuster blocks all cookies, but you can put interesting cookie-depending sites like openacs.org in the config file so they work as usual. Then if you don't want to see banner ads, do a search on some search engine for "junkbuster blockfile", which makes junkbuster block all requests to sites in the blockfile (like *.doubleclick.com).
Collapse
14: Getting rid of cookies (& related kin) (response to 1)
Posted by matt wilkie on 09/12/00 01:42 AM
Junkbuster has already been mentioned. I've been using it on and off for about 18 months. On the whole it's quite reliable and configurable. You can block cookies (and ad images and other stuff) using regular expressions, on a site-by-site basis, and you can allow cookie information in but not out. Installation is fairly straightfoward and mostly painless. Maintenance (adding new sites/urls/images/cookies to block/allow) is slightly more troublesome but not by much.

For a quick and dirty solution, edit your 'hosts' file and add entries like this: 
127.0.0.1    www.doubleclick.net
127.0.0.1    ad.preferances.com
127.0.0.1    ad.doubleclick.com
etc...
note that some websites will be unaccessible using this method (though if you time slapping the [esc] button properly even these problematic sites can be perused).

I've also heard that simply making your cookies.txt file readonly will stop most of the potential abuse.

And finally Mozilla is coming along nicely. It's a fairly hefty download (~10mb for win32) and something of a memory pig with all the debug code still being loaded but still in a very usable state (I use Mozilla 30-40% of the time now). With Moz you can deny/allow images and cookies on a site by site basis, very handy.

Now about cookies in OpenACS: personally I gave up on (wholesale) blocking cookies about a year ago. For awhile I religiously emailed every webmaster/customer service rep to complain about their making cookie use mandatory, but it's just too tiring to keep up. In North America there are simply too many sites which are absolutely unusable without them. Even if OpenACS was retrofitted to avoid cookies it would only help those few (very few) sites which would use it.

Anyway, the proper place for privacy control is at the user's end; indeed, it's the only place where it's even possible.