Tuesday, 13 March 2012

Browsers, Cookies and Privacy (part 4)

Below I have screen grabs of three of the most used browsers on a PC, showing the options available to control how the browsers interact with cookies.

Internet Explorer 9.05


Firefox 10.0.2


Chrome 17.0.963

  

The common features amongst the latest versions of browsers are:
  • Block all cookies
  • Block third party cookies
  • Allow exceptions
However, the different ways of implementing the controls will make it difficult for a web site owner to give instructions on how to handle consent for cookies.

Ideally, a web user needs a more flexible approach to controlling cookies than blanket controls that offer only the options of ignoring all cookies, ignoring third-party cookies or accepting all cookies. The browsers above do offer some additional features, of which the exceptions option is probably the most important, because it allows a blanket ban on cookies to be overridden for selected web sites. A good feature that a lot of browsers are now implementing is allowing session variables, which are typically associated with the management of web applications but only exist for the duration of the visit. An additional handy feature is the ability of some browsers to delete all cookies on exit, thus turning all the cookies into session cookies.

The ability to accept only session cookies, or to turn all cookies into session cookies by forcing their deletion, is fundamentally important for a modern dynamic web application, where session management cookies allow the web site to function as the user expects it to. With the new regulation, a lot of web sites are being forced to offer two alternatives, consent to cookies or block all cookies, as they can't rely on users configuring the browser settings. In fact, assuming that consent has been given because the browser accepts cookies has been specifically ruled out, and it is written that a site must get consent before writing a cookie to the client browser.

A user of a web site is now being forced into either accepting all cookies, because they want the functionality of the web application, or blocking the functionality of the web site, because they don't want the functionality of some of the cookies. Although the regulations say consent for strictly necessary cookies is not required, the cookie specification and browser support are insufficient to allow acceptance of strictly necessary cookies while blocking all other cookies, unless the web site uses session-only cookies for the strictly necessary functionality and non-session cookies for all other uses, and even then the browsers will need to be correctly set.
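The split described above can be checked on a site's own responses. The following is an added example, not code from this blog: it audits Set-Cookie headers so that strictly necessary cookies are session-only and every other cookie is persistent and written only after consent. The cookie names in `NECESSARY`, the reason strings and the sample headers are assumptions constructed for illustration.

```python
NECESSARY = {"sessionid", "basket"}  # assumed names of strictly necessary cookies
PERSISTENT = "strictly necessary cookie is persistent"
NO_CONSENT = "non-essential cookie written before consent"
SESSION_ONLY = "non-essential cookie is session-only, so a session-only browser setting accepts it"

SAMPLE = [  # constructed response headers, not captured from a real site
    "sessionid=abc123; Path=/; HttpOnly",
    "basket=42; Path=/; Max-Age=2592000",
    "_tracker=xyz; Path=/; Expires=Wed, 13 Mar 2013 10:00:00 GMT",
    "prefs=compact; Path=/",
    "oldpromo=; Path=/; Max-Age=0",
]


def parse_set_cookie(header):
    """Return (name, attrs); attrs maps lower-cased attribute names to values."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def is_deletion(attrs):
    """A Max-Age of zero or less removes the cookie instead of storing it."""
    try:
        return int(attrs["max-age"]) <= 0
    except (KeyError, ValueError):
        return False


def audit(headers, consent_given):
    """Return (cookie name, reason) for each header that breaks the scheme."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if is_deletion(attrs):
            continue
        # No Expires and no Max-Age means the cookie lasts only for the visit.
        session = "expires" not in attrs and "max-age" not in attrs
        if name in NECESSARY:
            if not session:
                findings.append((name, PERSISTENT))
        elif not consent_given:
            findings.append((name, NO_CONSENT))
        elif session:
            findings.append((name, SESSION_ONLY))
    return findings
```

Calling `audit(SAMPLE, False)` lists what a first visit should not have set; `audit(SAMPLE, True)` shows what still breaks the split once consent has been recorded.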

This series of blogs will end with a look at the possible options on meeting the regulations and suggestions on a way forward.
