[exceptione]

  In my view, HTTP/2.0 should kill Cookies as a concept,
  and replace it with a session/identity facility, which makes 
  it easier to do things right with HTTP/2.0 than with HTTP/1.1.

count me in. Cookies are a huge waste of bandwidth and freaking annoying here in Europe as you cannot visit a site anymore without being warned you are about to receive yet even more cookies.

[yahelc]

> Cookies are...freaking annoying here in Europe as you cannot visit a site anymore without being warned you are about to receive yet even more cookies.

Seems like the blame for that lies not with cookies themselves, but with the EU's cookie law.

[drostie]

At best that's a symptom.

Cookies are for session management; the central problem with cookies is that people feel that servers will treat certain sessions as ephemeral, but instead those servers track these people for a long-term creepy analysis. One connected problem is that many sites require cookies in order to show public content. Public-content sessions should be entirely ephemeral, meaning that you shouldn't need a cookie in the first place. (The New York Times offends in this regard egregiously and persistently.)

You can easily comply with the EU law by either placing the notice on the login page or else not storing cookies. This means that anybody who abuses cookies in the above way needs to be loud about it; "we're not giving you an ephemeral presence like you think!" -- which actually not only fixes this problem but also creates an incentive to not abuse cookies in this way.

I am not saying that we should abandon sessions entirely, but that it would be nice if the 'default' session treatment followed the rules that online banking uses: when the browser is closed, all sessions are done. If we did this then we'd want to include a 'persistent login' mechanism, which would take the form of an in-browser 'would you like to sign in?' dialogue accompanying a web site. This means that unlike current HTTP authentication, it would have to be somewhat asynchronous; you are shown the ephemeral version of the page while the browser itself requests you to confirm that you want to join your long-term session there. (I was originally going to recommend that the browser just handle a digital signature scheme, but of course that does not solve the 'logging on to Facebook from your sister's computer' problem easily. Hm.)

[emmett]

For advertisers this is a non-starter, because it prevents you from knowing the size of your audience. All sites would immediately begin requiring some form of "login" in your scenario in order to enable tracking again.

If you can't track uniques, you can't sell ads, and that's pretty much all there is to it. So there's huge incentive to undermine any scheme to prevent unique user tracking.

The solution is to somehow ban advertising, but that's biting off a bit more than simple user privacy.

[kenko]

"For advertisers this is a non-starter, because it prevents you from knowing the size of your audience. All sites would immediately begin requiring some form of "login" in your scenario in order to enable tracking again."

If this is really a non-starter for advertisers, then mandating it will effectively ban advertising, non?

Remember: your business model is not sacrosanct! Disruption!

[emmett]

I'm not arguing against banning advertising. Actually, I think that would be a fine idea.

Just recognize that unless you do ban advertising, the result of this change will not be what's intended. The intended result is that websites, in general, stop tracking anonymous users. Instead, it will result in every user being explicitly tracked.

The most important issue here is that the political feasibility of reducing tracking of anonymous users is equivalent to the political feasibility of banning advertising.

(I'm slightly overselling here -- in reality, a good amount of advertising of the "sponsorship" form would still work. But the impact would be large enough that most websites would force login as I describe rather than stop tracking people.)

[nine_k]

It will also kill most "free content" websites that live off the ads revenue. Are you ready for paywalls everywhere, even if subscription is 25 � / mo?

[lambda]

Your symbol comes out as a Unicode replacement character for me. What was it supposed to be?

[anonymfus]

To sell ads you don't need to show exact size of audience, estimation is enough as proven by TV.

[rlanday]

If you’re an Internet company trying to pull advertising dollars away from TV, one of your arguments is that you can do much better tracking. When you run a TV ad, everyone watching the show gets the same ad, and people watching different shows see the same ad a non-optimal number of times.

[emmett]

That's a very good point. This would definitely happen to some degree. But it would still hurt internet advertising a good deal not to be able to track uniques, to show you an ad only once per day, to count how many people have been shown an ad, etc. even if you could know about how many people were on the site.

The result would likely be tracking via login as I describe, rather than true anonymity.

[exceptione]

Well the law is implementend in an annoying fashion. For functional cookies there is no requirement to ask permisson. But many websites choose to block all content asking to permit them to place additional cookies for benefits, i.e. tracking cookies.

Like the author said:

  Cookies are, as the EU commision correctly noted, 
  fundamentally flawed, because they store potentially 
  sensitive information on whatever computer the user 
  happens  to use, and as a result of various abuses and
  incompetences, EU felt compelled to legislate a "notice 
  and announce" policy for HTTP-cookies.

[Bosence]

Oh yes, the regulation was rushed in by people not really sure what to do or what was happening.

Why it couldn't be a browser option, I have no idea.

[jimktrains2]

Isn't it already a browser option?

[rmc]

Yes. But the default browser options are "accept all cookies, without asking", which goes against the spirit of the law, and also the letter.

[andyhmltn]

Please correct me if I'm wrong, but wasn't that the UK's law? If it was, they seemed to backtrack on it and say that it's fine as long as you mention it in your site's TOS

[rmc]

It was an EU wide law. Each country implemented EU in similar but different ways.

[reidrac]

It is a EU Directive: https://en.wikipedia.org/wiki/Directive_(European_Union)

AFAIK the EU dictates the result, not the means. UK's first implementation of the e-Privacy Directive was unfortunate, but I don't think it means the directive was a bad idea.

[rmc]

An "EU Directive" is a law, it's decided on in the same democratic manner that (say) UK laws are decided on. It's like how in the UK there are "Acts of Parliament" (i.e. laws).

It's up to individual countries to implement the minimum, and likewise, each country will implement each one slightly different. The UK law and the EU Directive are basically the same, "It's illegal to do X, Y and Z unless you do W etc." There isn't really a mean/results differnce here.

[andyhmltn]

Thanks for that!

[solox3]

The EU "Cookie law" is not limited to cookies. The term used in regulation 6 is "storage", which includes at least localStorage, headers, and remotely hosted solutions (off the top of my head).

[DrJokepu]

Basically, I can guarantee that killing cookies would lead to 0% adoption of HTTP 2.0 forever, due to the same inertia that is holding Python 3 or IPv6 back. Doesn't matter if there's a better mechanism included that does the same job.

[takeda64]

Provide session support in HTTP and still cookies for backward compatibility. If the support works right, people will migrate themselves.

[exceptione]

…unless the EU forbids tracking and session cookies all together, but a ban on tracking cookies alone will be enough motivation already i guess.

[jessaustin]

I always thought that rfc2616 felt more "pure" since it didn't mention cookies. I mean, http was supposed to be stateless right?

[yalogin]

What is the alternative to cookies? What does he mean by session/identity facility?

[_delirium]

There's some discussion in this thread: http://lists.w3.org/Archives/Public/ietf-http-wg/2012JulSep/...

in short,

   the need for a Session header to replace the use of Cookies
   for basic session management

[cldr]

So is that just cookies by another name?

[Qantourisc]

Cookies with an expire of session and secure flag set: yes. But this should be more secure, and stored for 1 session implicitly.

[jimktrains2]

And in theory less data, right? a session ID doesn't need to store the kilobytes that cookies do.

[yalogin]

Why can't there be multiple sessions for different functionalities? I am not sure people are going to relinquish the cookie concept. All the sessions are doing is have the "cookies" transported as part of the HTTP message and not as a separate file (payload)