by ThePowerOfFuet 894 days ago
> If you're running a complex modern site and decide to do away with cookie banners, you generally need to pair this with browser automation that crawls your site and verifies that you (and your dependencies) are in fact not setting any cookies.

Correction: any cookies which are not technically required for the basic operation of the site (such as a shopping cart ID).


I'm out of the loop on the latest and greatest web technologies:

if I'm a shopping cart website, how do I keep track of you as a user/session enough to identify you and pair you to the contents of your cart on my backend without a cookie?

Cramming a sessionId into localStorage/sessionStorage seems kind of like the same thing? Am I missing something?

Using cookies or other client-side storage for a shopping cart doesn't require a cookie banner as long as you're careful to use the minimum practical duration. See section 2.3 of https://ec.europa.eu/justice/article-29/documentation/opinio...

If you want to persist the cart for longer than the current session or a few hours, though, you need consent.

The post you were replying to (unless it was edited after your reply) specifically mentioned a shopping cart cookie as one that could be classed as strictly necessary. There are other options but they have issues (tracking via query string or form values doesn't work well with multiple tabs open for instance). The cart ID can be the session ID too for as long as it is needed.

Of course they don't have to be stored; in fact they shouldn't be stored. They are session level naturally, so they belong in session level cookies, not more permanent storage.

Also, while session tokens in cookies are usually fine to be defined as strictly essential for the main site, they are generally not for 3rd party cookies.

> localStorage/sessionStorage seems kind of like the same thing? Am I missing something?

No. Those are more often used in equivalent ways to cookies, though they don't do exactly the same job: extra logic is needed if your server-side needs to access the stored information. Cookie values are sent to the web server(s) with every request (except where certain flags are set), whereas data in session/local storage needs to be explicitly read out and sent on in GET or POST parameters when needed.

> how do I keep track of you as a user/session enough to identify you and pair you to the contents of your cart on my backend without a cookie?

That would fall on necessary cookies. If my cart is empty, you don't need to know what's in my cart.

Before cookies we used session ids in the query string of the URLs. Maybe you noticed some URL with a JSESSIONID argument in the URL. Same thing.

Those are worse than cookies for a number of reasons but they are functionally equivalent.

Anyway, there is nothing wrong with cookies in general. Privacy-wise the problem is cookies used for tracking. Any other technology would have the same problems and would need explicit consent from the user, if you are subject to GDPR and similar legislation.

A link to the iOS App. :-D