Sweden May Mandate Opt-in For Cookie Transfer
Vitdom writes "The present government in Sweden has published a proposition regarding 'Better rules for electronic communication.' Amongst other proposed amendments, it suggests that websites must inform the user of the 'purpose' regarding each individual cookie transferred to the user's browser upon connection. Secondly, it is suggested that the user must give his consent before the transfer of the cookie in question. The proposition is to be voted on by the Swedish parliament on the 18 May this year. If accepted, the law will be in effect in June."
Great move, Sweden. (Score:2, Insightful)
Re:A breakfest (Score:0, Insightful)
Man, Break Fest 2011 is gonna be a total bummer.
Re:EU directive (Score:5, Insightful)
This is of course based on an EU directive [europa.eu]. Not sure why Sweden was singled out.
Because we plan to kidnap Julian Assange and lose him on a small island in the Baltic sea where the only female inhabitants are sheep?
Seriously, it might be because we have decent media coverage of these things. This is just one in a series of daft technological decisions coming from the EU, and journalists in .se are used to covering them. (And Slashdot readers in .se are used to submitting the results here.)
And for websites that issue up to 20 cookies? (Score:5, Insightful)
I pity the folks who, upon visiting a major website, have to wade through 10 dialogs where each more or less thoroughly tries to explain to them the particular meaning of their "SC=" cookie and why they feel it is paramount for them to send it. It's suicide for both the user and the website.
Great. (Score:0, Insightful)
So as a user, am I going to have to click a whole bunch of dialogs every time I want to log in to a website, just to say that I give them permission to give me a cookie which allows me to log in to the website?
Ugh - another misguided internet law.
Re:Great move, Sweden. (Score:5, Insightful)
You only need one cookie for all features if your site is competently designed: the one for tracking the user's session. Everything else should be stored on the server side anyway because you should never trust the client
There are perfectly valid reasons (not involving cross-site tracking) to use more than one cookie. If a session-identifying cookie is used to identify a user account and grant privileges, it's usually a good idea to make that cookie disappear when the user closes his browser (i.e. a 'session' cookie). However, the user may have additional preferences on the site which are not personally identifiable, but for which it makes sense to store and use the setting even when the user is not logged in, for example, language selection on multilingual sites. Trusting the client is also a non-issue for things that are mapped to a single item from a set of possible choices (as long as the code implementing the parsing is reasonably sane).
(And for the Accept-Language header, try explaining to a client how they can change it. Or how to install a browser where they actually can change it.)
And while we're on the subject, it takes only fractionally longer for most users to make a POST request than to just do an HTTP GET, so unless your site is stupid and slow or your users are then you don't need ANY cookies. A quality CMS will degrade. If yours doesn't then it isn't.
Clicking on a link in a browser will cause an HTTP GET. Maintaining a session with URL parameters makes the URLs much less user friendly, and opens up a possibility for trivial social engineering exploits (e.g. lol paste your url here I'll have a look!).
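The two-cookie split described in the comment above, as an added example that is not part of the original thread: a browser-session identifier next to a persistent, non-identifying language preference that is only ever mapped onto a fixed set of choices. The cookie names `sid` and `lang`, the language set and the function names are assumptions made for illustration.

```python
import secrets
from http.cookies import CookieError, SimpleCookie

SUPPORTED_LANGS = {"sv", "en", "fi"}  # assumed set of site languages
DEFAULT_LANG = "en"
ONE_YEAR = 365 * 24 * 3600


def login_cookies(lang):
    """Return the Set-Cookie header values issued at login."""
    jar = SimpleCookie()
    # Session identifier: no Max-Age/Expires, so the browser drops it on close.
    # HttpOnly keeps it away from page scripts; Secure keeps it off plain HTTP.
    jar["sid"] = secrets.token_urlsafe(32)
    jar["sid"]["httponly"] = True
    jar["sid"]["secure"] = True
    jar["sid"]["samesite"] = "Lax"
    jar["sid"]["path"] = "/"
    # Preference: persistent, carries no identity, one value out of a small set.
    jar["lang"] = lang if lang in SUPPORTED_LANGS else DEFAULT_LANG
    jar["lang"]["max-age"] = ONE_YEAR
    jar["lang"]["samesite"] = "Lax"
    jar["lang"]["path"] = "/"
    return [morsel.OutputString() for morsel in jar.values()]


def language_from_request(cookie_header):
    """Map the client-supplied lang cookie onto the allowlist, never beyond it."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return DEFAULT_LANG
    morsel = jar.get("lang")
    if morsel is None:
        return DEFAULT_LANG
    value = morsel.value.strip().lower()
    # The raw value is never used as a path, template name or query fragment.
    return value if value in SUPPORTED_LANGS else DEFAULT_LANG


if __name__ == "__main__":
    for header in login_cookies("sv"):
        print("Set-Cookie:", header)
    # Constructed request headers: one valid, one tampered with.
    print(language_from_request("lang=fi"))
    print(language_from_request("lang=../../etc/passwd"))
```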