
Backwards compatibility, cookies, and consent

Open robrwo opened this issue 4 years ago • 5 comments

The way session handling in most websites work is through cookies.

  1. User-agent (UA) sends request to website
  2. Web server (WS) sends cookie with response
  3. UA accepts cookie
  4. UA returns cookie in next request.
  5. WS validates cookie as being in same session as no. 1

See also some discussion in #11, particularly the assumption that the web server will not send a cookie until it receives consent in an ADC header, something like:

  6. UA passes ADPC consent request to user and receives permission to use cookies
  7. UA includes ADC headers giving consent
  8. WS responds with a cookie

The problem is that user agents which do not support ADPC will never issue consent (7), so websites that require cookies for some purposes will not work with older user agents.

I think the workaround for this is for web servers to not send cookies if the request has an "ADC: withdraw=*" header but send cookies if the request consents to it. User agents would pass a withdraw header the first time they connect to a webserver.

robrwo avatar Jun 18 '21 12:06 robrwo

They would not have to place cookies even if the ADPC is not present (because ePrivacy)

michael-oneill avatar Jun 18 '21 16:06 michael-oneill

> They would not have to place cookies even if the ADPC is not present (because ePrivacy)

Who is "they"? The User-Agent? The web server?

robrwo avatar Jun 21 '21 15:06 robrwo

Sorry, I was too terse. I meant the web server (or the browser context of the web server). Only cookies that are solely required for the underlying communications, or those strictly necessary to fulfil a user request, can be placed on first HTTP request. The url might signal a user request in some circumstances, and there may be a requirement for a cookie to help load balancing (though I have never seen one), but in every other case there should be nothing in the Set-Cookie header.

michael-oneill avatar Jun 22 '21 11:06 michael-oneill

> Only cookies that are solely required for the underlying communications, or those strictly necessary to fulfil a user request, can be placed on first HTTP request.

That's what I am talking about.

robrwo avatar Jun 22 '21 14:06 robrwo

> The problem is that user agents which do not support ADPC will never issue consent (7), so websites that require cookies for some purposes will not work with older user agents.

As discussed in #11, if websites “require cookies for some purposes”, they either do not need to ask for consent, or they need to ask for consent whether or not the user agent supports ADPC. For older user agents (not supporting ADPC), websites could fall back to using a classical consent request (‘cookie banner’). As Mike said, this makes no difference for the first request and response. Does this resolve the issue?

gb-noyb avatar Jul 08 '21 11:07 gb-noyb
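The server-side policy the thread converges on (opening post's withdraw/consent rule plus the banner fallback in the last reply), as an added example that is not part of this issue or of the ADPC project: strictly necessary cookies go out on every response, a withdraw header suppresses everything else, a consent header enables matching purposes, and a request with no ADPC header at all gets only the necessary cookie plus a classic banner. The header name `ADPC`, the `consent=a+b, withdraw=*` list syntax, the purpose ids and the candidate cookies are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Purpose label for cookies that may be set on the very first response.
STRICTLY_NECESSARY = "strictly-necessary"

@dataclass
class CookieSpec:
    name: str
    value: str
    purpose: str  # STRICTLY_NECESSARY or a consent purpose id such as "analytics"

def parse_adpc(header: str) -> Dict[str, Set[str]]:
    """Parse 'consent=a+b, withdraw=*' into {'consent': {...}, 'withdraw': {...}}.
    The key=value list syntax is an assumption made for this example."""
    out: Dict[str, Set[str]] = {"consent": set(), "withdraw": set()}
    for part in header.split(","):
        key, _, val = part.strip().partition("=")
        key = key.strip().lower()
        if key in out:
            out[key].update(v.strip() for v in val.split("+") if v.strip())
    return out

def decide_cookies(request_headers: Dict[str, str],
                   candidates: Iterable[CookieSpec]) -> Tuple[List[str], bool]:
    """Return (Set-Cookie values to emit, whether to show a classic banner)."""
    header = next((v for k, v in request_headers.items() if k.lower() == "adpc"), None)
    if header is None:
        # Legacy UA with no ADPC signal: fall back to a cookie banner, and
        # still set nothing beyond strictly necessary cookies on this response.
        consent, withdraw, banner = set(), set(), True
    else:
        parsed = parse_adpc(header)
        consent, withdraw, banner = parsed["consent"], parsed["withdraw"], False
    set_cookie: List[str] = []
    for c in candidates:
        if c.purpose == STRICTLY_NECESSARY:
            set_cookie.append(f"{c.name}={c.value}; Secure; HttpOnly; SameSite=Lax")
        elif "*" in withdraw or c.purpose in withdraw:
            continue  # an explicit withdrawal overrides any consent
        elif c.purpose in consent:
            set_cookie.append(f"{c.name}={c.value}; Secure; SameSite=Lax")
        # otherwise no consent was given for this purpose: do not set it

    return set_cookie, banner

# Constructed candidate cookies for a typical response.
CANDIDATES = [
    CookieSpec("sid", "abc123", STRICTLY_NECESSARY),
    CookieSpec("stats", "xyz", "analytics"),
]

if __name__ == "__main__":
    for hdrs in ({}, {"ADPC": "withdraw=*"}, {"ADPC": "consent=analytics"}):
        print(hdrs, "->", decide_cookies(hdrs, CANDIDATES))
```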