Forum OpenACS Q&A: Response to Getting rid of cookies

Posted by Ben Adida on
Joe, I take issue with your saying we are "short-sighted" for using cookies. Having been involved in building database-backed web sites for over 5 years, I think I have some understanding of what is and isn't necessary or risky in building privacy-aware web sites.

Back in 1995, I helped build a web site, with *no* cookies, that allowed us to ingeniously track sessions, figure out which users were which, such that I was able to tell a friend "you visited the site on August 8th and stayed for 10 minutes, and came back on August 25th and stayed for 15 minutes." No cookies. Just programming, URL manipulations and tricks of navigation. The problem of privacy is in *no way* related to one particular technology.

Cookies are a perfectly fine technology which, when used correctly (the way ACS does), does not engender *any* additional privacy concerns. The problem is that the press has latched on to the idea that "using cookies violates your privacy." In fact, unless you check the box "remember my login" in ACS/OpenACS, your cookie will only last the duration of your session, which inherently means that you are no more at risk than with URL manipulations.

As for using the SSL session key as a unique identifier, my crypto background forces me to cringe at the thought that a session key would ever be visible to any part of the application. That is *not* a solution.

At the end of the day, if you're not using cookies on the web today, you are at a serious disadvantage. If you're of the mindset that you should never use cookies because of privacy concerns, you might as well not use the web at all, because your privacy is being violated, cookies or no cookies. The simple concept of tracking a session (using cookies or any other solution) opens up the door to privacy violations. If you don't want your session tracked, then you're in for a serious 1994 web-browsing experience.

I'm happy to hear complaints, suggestions, and anything else. However, the cookie-free ACS is not a priority today, as it solves no significant problem. If it is a priority for you, and you code up a clean, decent, unintrusive solution to it, we will be more than happy to include it in the distribution. However, calling us "short-sighted" isn't really going to get you much sympathy.
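The following is an added example, written for this page and not code from ACS/OpenACS or from the poster, to illustrate two points made in the post above: a cookie without Expires/Max-Age lives only for the browser session (the "remember my login" box is what makes it persistent), and a session id carried in the URL lets the server reconstruct the same "you visited on August 8th and stayed 10 minutes" history with no cookie at all. The cookie name `session_id`, the `sid` query parameter, the `identify`/`visit_summary` helpers and the sample requests are all assumptions constructed for the example.

```python
"""Session tracking by cookie and by URL rewriting, side by side.

Added example, not ACS/OpenACS code.  Cookie name, query parameter name
and the sample requests below are constructed for illustration.
"""
import secrets
from datetime import datetime
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

COOKIE_NAME = "session_id"   # assumed name, not necessarily what ACS uses
URL_PARAM = "sid"            # assumed query-parameter name


def new_session_id() -> str:
    """128-bit random token generated by the application itself; nothing
    derived from TLS state is ever exposed to application code."""
    return secrets.token_urlsafe(16)


def session_cookie_header(sid: str, remember: bool, max_age_days: int = 30) -> str:
    """Build a Set-Cookie value.

    remember=False -> no Expires/Max-Age, so the browser drops the cookie when
    the browsing session ends (a "session cookie").
    remember=True  -> Max-Age set, so the cookie survives browser restarts.
    """
    jar = SimpleCookie()
    jar[COOKIE_NAME] = sid
    jar[COOKIE_NAME]["path"] = "/"
    jar[COOKIE_NAME]["secure"] = True      # only sent over HTTPS
    jar[COOKIE_NAME]["httponly"] = True    # not readable by page scripts
    if remember:
        jar[COOKIE_NAME]["max-age"] = max_age_days * 86400
    return jar[COOKIE_NAME].OutputString()


def session_from_cookie_header(cookie_header: str) -> Optional[str]:
    """Extract the session id from a request's Cookie header, if present."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def add_session_to_url(url: str, sid: str) -> str:
    """Cookie-free alternative: rewrite every link to carry the session id."""
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[URL_PARAM] = [sid]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


def session_from_url(url: str) -> Optional[str]:
    """Extract the session id from a rewritten URL, if present."""
    return parse_qs(urlparse(url).query).get(URL_PARAM, [None])[0]


def identify(request: dict) -> Optional[str]:
    """Resolve a request to a session id: cookie first, then URL fallback.
    Either channel gives the server the same ability to link requests."""
    sid = session_from_cookie_header(request["cookie"]) if "cookie" in request else None
    return sid if sid is not None else session_from_url(request["url"])


def visit_summary(requests: List[dict]) -> Dict[str, Tuple[str, int]]:
    """Per session id: (date of first request, minutes between first and last).
    This is the "you visited on August 8th and stayed 10 minutes" record."""
    seen: Dict[str, Tuple[datetime, datetime]] = {}
    for req in requests:
        sid = identify(req)
        if sid is None:
            continue
        when = req["time"]
        first, last = seen.get(sid, (when, when))
        seen[sid] = (min(first, when), max(last, when))
    return {
        sid: (first.date().isoformat(), int((last - first).total_seconds() // 60))
        for sid, (first, last) in seen.items()
    }


# Constructed sample traffic: session A identified by cookie, session B by URL.
SID_A = "A" * 22
SID_B = "B" * 22
SAMPLE_REQUESTS = [
    {"url": "https://example.com/", "cookie": f"{COOKIE_NAME}={SID_A}",
     "time": datetime(1995, 8, 8, 10, 0)},
    {"url": "https://example.com/page2", "cookie": f"{COOKIE_NAME}={SID_A}",
     "time": datetime(1995, 8, 8, 10, 10)},
    {"url": add_session_to_url("https://example.com/", SID_B),
     "time": datetime(1995, 8, 25, 9, 0)},
    {"url": add_session_to_url("https://example.com/page2", SID_B),
     "time": datetime(1995, 8, 25, 9, 15)},
]

if __name__ == "__main__":
    print(session_cookie_header(new_session_id(), remember=False))
    print(session_cookie_header(new_session_id(), remember=True))
    print(visit_summary(SAMPLE_REQUESTS))
```

Running the block prints one Set-Cookie value without and one with Max-Age, then a summary showing both sessions with their first-visit date and dwell time; the URL-tracked session is reconstructed exactly as completely as the cookie-tracked one.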