Cookies. Cookies. Cookies. Use our Cookies or else

Subject to individual browser implementation … a session cookie is not stored on your hard drive (and a session cookie is all that is ever needed).

Unless you configure otherwise, complete web pages are downloaded to your hard drive, as you browse.

If you are particularly concerned, do your web browsing from a computer that boots from a read-only medium and has a RAM disk for anything that any software thinks needs to be written to disk (and hence everything written to ‘disk’ will be thrown away when you reboot).

In other words, if you don’t like things being written to your disk, don’t have a writeable disk.

You can probably get the same effect, but with more convenience, by running your browser in a VM.

Damn, we’re that easy to spot, huh? You’re right, of course. Just like everyone else who’s ever called you out on your ignorance, or who’s ever disagreed with you online, I am part of a vast (and obviously evil) conspiracy against you.

But if I have to be absolutely honest about it, you make it a pretty frustrating job, you know? Every time we disagree with you online, you masterfully counter with “Hah! Then you must be part of the conspiracy against me!” or something along those lines. And it’s really hard for us to do our jobs if you keep exposing us with such great ease. I mean, it’s bad enough that you’re able to come up with such accurate theories. Which shouldn’t surprise anyone really, what with them being built on a rock-solid base of speculation and total unfamiliarity with the subject. But seeing through our ruse time and time again? You make us look like a bunch of bumbling fools!

I take my hat off to you, dear sir. You are a worthier opponent than our intelligence gave you credit for. We may have to step up our efforts against you. Either way, it seems you’ve given me something to brood over in my secret island lair.

1 Like

Don’t care for this sort of discussion. I suggest we stick to the point, that being ‘Why do cookies need to be stored on our hard drives?’ Today there is so much computer memory available that storing cookies on hard drives is not justifiable. Perhaps when computers had only 1M of memory it was necessary, but no longer.

EXACTLY so! No dispute there. But cookies are still often stored on our hard drives.

The convenience of not having to re-identify every time you open the browser and go to a site you frequent often. It’s not a requirement, it’s a convenience. Most people value that convenience for normal browsing. Most browser makers acknowledge that most people value convenience and enable that by default.

If only stored in ram this identity cannot persist beyond the current browser session. Convenience, Privacy and security are a balancing act. There is no one size fits all solution.

HOORAY and thank you. Yes the convenience is what is offered. However I am a bit paranoid about security. I believe the servers ALREADY know MORE about you than you know yourself.
I believe you should identify yourself, AND WHO DOES NOT ALREADY DO SO!!! via your google facebook youtube accounts etc etc so the servers ALREADY KNOW YOU…
Again the ONLY reason to have cookies on the client’s hard drive is to compromise privacy and security.

to add to this

1 Like

Yes, thank you @jrial, as this is, to my understanding, a very important note! Besides, I recently heard news related to this thread, “Use our Cookies or else”, on a local radio broadcast, and am therefore sharing a link to the “Cookie Consent II” decision.

Not just offered, provided.

No. The primary reason is convenience. The side effect of convenience is degraded privacy/security. Also you just acknowledged that convenience was offered so compromising privacy/security can’t be the only reason by your own admission…

Are you really serious that convenience for the client is the reason why web sites insist that cookies be accepted? I have bought stuff off ebay where I am asked to log on by my google or facebook account and NOT EVEN HAVE TO TYPE IN MY CREDIT CARD NUMBER. Is it convenience for the CLIENT or convenience for the SERVER? The servers can read not only their own cookies but presumably EVERY cookie from every site you visited. Someone mentioned INTEGRITY, are you really saying that we simply need to TRUST the servers to do the right thing? That is the MOST LUDICROUS way to implement client security. Web security is laughable. I have third party Firewalls, VPN, Virus scanners, program protection, encrypted data vaults. The browsers and OS that are offered today are so security poor that I am forced to BUY and TRUST the third party software to do the right thing. After all that extra software I have the web servers STILL INSIST, IT IS NOT OPTIONAL!!! that I accept their cookies otherwise I cannot use their website. This insistence that the cookies be downloaded to my PC compromises all the protection software I have.

Once I would have made the argument, difference that Cookies, themselves, are a matter of privacy, not my personal security.

If one runs Firefox with No Script, DuckDuckgo privacy extension, Privacy Badger, I am impressed that a lot of other things are going on with Cookies. Some websites set a link to FaceBook, Twitter, Double Click. Tracking Cookies. No doubt the cookie will try to stay on my computer and see where I go after I leave the first website.

It is the methodology of how Cookies get installed that matters. One, even if I give permission, it is a demand that I give permission, all the power on my using a site is taken from me. A lot of Malware installs on my computer as a ‘Drive By’ Install.

In my own house, I have the prerogative to keep out people I think are harmful to me, or who want to steal from me. The privilege we allow any website is to install Software, on my computer, that I do not know the purpose of.

The US Air Force protects its fighter planes by layers of security. You just don’t walk up to a fighter jet and climb in the cockpit and take off.

On one hand, I don’t want to limit my points to how a bit of software, Information gathering tool, Malware, gets onto my computer. Be it a Cookie that is described to me as being in my interest. My point is that nearly all of these require that the browser allow extraordinary access and opportunity to exploit me. Often just by my going to a front webpage of a site.

Me being exploited, is wrong.

I do not want to distinguish between whether the information is being gathered on my OS/hard drive versus by some server somewhere. It is still wrong. I cannot be protected if it happens anywhere.

Having a supposed mirror software tools, like antivirus, or software like No Script is not what I would consider a solution. I am very well aware that one can hardly navigate the internet anymore without permitting scripts to do whatever they want.

So yes, to prevent me being exploited by spyware, malware I have to block the methodology of how cookies work. Someone might write a bit of code for browsers that allows only some functions of benign cookies to do things like allow auto login, and so on, but once we open the door for a supposedly benign working cookie, we have allowed malware in as well.

So yeah. Put me down as a whiner that cookies are evil.

Just because someone finds a way to exploit the side effect doesn’t mean it isn’t a side effect. As there’s yet to be a proposal that results in equal convenience while increasing security I’m not really sure what you’re expecting.

There have been several solutions presented for the individual to sacrifice convenience for security/privacy.

Also requiring you use alternate identity providers is independent of cookies and is a separate issue that has been discussed in another thread. Also eBay does not Require you use Facebook/Google for identity, they provide it as an option.

Also I’m not saying that all servers are created equal (so no I am not saying to blindly trust all servers). Some things I appreciate the convenience the cookies offer and am willing to sacrifice some privacy for; others, not so much. Making decisions on an individual basis is much more effective than trying to impose your will on everything.

Part of having a secure system is having access. If you make the system so secure people aren’t willing to use it then it is useless. There is room for improvement with web browsing and Purism does have that as a goal, I think realistically the balance is to have the cookies each sandboxed so that each site only has access to its own cookies as that would allow session persistence for those who desire it without providing cross site information leakage.

There are OS’s and browsers that don’t store anything locally, so your absolute statement that all OS’s and browsers are so security poor is a fallacy.

Perhaps re-reading this thread with the intent to understand instead of the intent to respond would help you find that you have been provided both the reasons for why cookies are at the state that they are as well as means to avoid them ever being written to disk.

1 Like

and there it is folks …

“You can’t fight in here – it’s the WAR ROOM!”

One of the best movies of all time.

:cookie: :cookie: :cookie:

You ask what I want.

I want the ability to say NO to the question ‘Will you accept cookies?’ and still be able to use the web site. The web site has the option to keep the cookie in RAM. Why STOP me from access to the site just because I won’t download the cookie to my hard drive. If it means I need to re-log in next time I access the site, well that is exactly how I expect the site to work.

Also you say there are browsers and OS that are more secure. I have Firefox and run UBUNTU as well as Win7. However I suggest the average person has little idea how to distinguish between the more or the less secure browsers and OSs. I suggest that cookies are at the state they are because of historical use when security and privacy hardly mattered. I have been hit a number of times where my only recourse was to dump the PC in the trash and buy a new PC, even though I had virus protection. The first time was when I purchased a poker card game. I have never purchased any games since. The next time was when I responded to an email regarding blood pressure, yes I am ill. The next time I responded to an email on how to improve my golf. I am so careful now to not respond to junk mail but still I occasionally click on something I should not have, by sheer accident.

Regarding Ebay. I used to sign out of my Google email after every time I used it. Try to sign out of Gmail on your mobile phone. You cannot, you practically need to uninstall Gmail. I am not sure how Ebay works but I used my phone to purchase something and Ebay knew me from my Gmail sign-on.

That is not supposed to be the case.

If that were the case, it would be a very serious security flaw.

From time to time there have been exploits where cookies get stolen. Bugs do happen.

Not on my hard drive.

Session only.

I choose privacy and security over convenience. I understand that other people will make other choices.

1 Like

Not really.

The web site has the option to keep the cookie in your RAM. The web site does not have the option to keep the cookie in its RAM - as an alternative to keeping the cookie in your RAM. The web site will of course also keep the cookie in its RAM (otherwise the cookie is useless).

If the web site asks you to keep the cookie on your disk and you say “no” and instead keep it only in your RAM (not on your disk), the web site can’t tell the difference. So if you can’t do this then the problem is at your end (in the browser), not in the web site.

If you want to make the point that: “I should be able to use web sites without any cookies at all” then

a) that is not an unreasonable point of view but you will have to convince many governments of this (but governments are part of the problem, not part of the solution, so best of luck with that), and

b) that will preclude your use of many many web sites - for example, you would paradoxically not be able to post to this forum without cookies (but you could still read other people’s posts without cookies).

Regarding the first point, I think everyone can see that the situation in Europe regarding cookies is pointless. You end up with: zillions of web sites changed in order to put in confirmation dialog boxes, zillions of people all around the world have to click through the dialog box, no fundamental change to anything.

1 Like
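The point made in the post above, that a site cannot tell whether the browser kept its cookie on disk or only in memory, shown as an added example that is not part of the thread. The function names and the sample `Set-Cookie` headers are constructed for illustration; the model follows RFC 6265, where a cookie is persistent only when the server sends `Expires` or `Max-Age`.

```javascript
// Added illustration, not from the thread. Sample headers are constructed.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Without Expires or Max-Age the cookie is a session cookie (memory only).
function isPersistent(cookie) {
  return 'expires' in cookie.attrs || 'max-age' in cookie.attrs;
}

// Client-side policy: ignore the server's persistence request, so the
// cookie stays in the in-memory jar and is discarded when the browser exits.
function toSessionOnly(cookie) {
  const attrs = { ...cookie.attrs };
  delete attrs.expires;
  delete attrs['max-age'];
  return { ...cookie, attrs };
}

// What goes back to the server: name=value pairs only, never the attributes.
function cookieRequestHeader(jar) {
  return jar.map(c => `${c.name}=${c.value}`).join('; ');
}

const SAMPLE_HEADERS = [ // constructed
  'sid=abc123; Path=/; HttpOnly; Secure',
  'remember=tok789; Max-Age=31536000; Path=/; Secure',
  'prefs=dark; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/',
];

function demo() {
  const asSent = SAMPLE_HEADERS.map(parseSetCookie);
  const sessionOnly = asSent.map(toSessionOnly);
  return {
    persistentNames: asSent.filter(isPersistent).map(c => c.name),
    persistentAfterPolicy: sessionOnly.filter(isPersistent).length,
    headerDefault: cookieRequestHeader(asSent),
    headerSessionOnly: cookieRequestHeader(sessionOnly),
  };
}
console.log(demo());
```

Within a browsing session the two `Cookie` request headers are identical; the server only sees a difference after a restart, when the session-only jar is empty and the user has to log in again.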

unless the server would be using a RAM-disk ONLY with the non-volatile media there only for back-up/other-things … they all have UPSes and they are much more stable and reliable than normal desktop/workstation computers are.

also servers would benefit tremendously from a RAM-disk in terms of bandwidth and besides they have a LOT of RAM (most have 256 GB RAM at least while some go up to 1 TB so space is a non-factor)

not to mention ECC …

It wasn’t clear whether @frank was talking about the client end or the server end. I didn’t include a detailed discussion of what happens at the server end because once some information is at the server end, you simply don’t control it and nor, for cookies, is it clear that you even should control it.

3 Likes

Yes I meant in my RAM. Sorry to not be specific.