That sounds perfect. Login is the only legitimate use case for persistent cookies that I can think of.


Logins are a common enough use case that browsers should simply support it directly, and drop support for cookies entirely.

There's no reason we can't have sites set an auth token, and send that in under the Authorization header. And then when you want to sign out of a website, you can have a button for that in the browser. The tooling already exists in the HTTP standard, it's just that it's only widely used for server-server communication.


Wouldn't advertisers just use the auth token as a cookie then?


Bingo. "Auth Token" simply becomes "Session ID", and the backend then tracks anything it wants as part of the session.

I don't see much of a solution other than making it a matter of policy, e.g. Microsoft's "P3P" header. Otherwise authentication credentials need to be supplied with every request. Not a session id or token as a cookie, but the actual username and password being supplied with every request. Basically the old HTTP basic auth, but with a more modern system to replace it.

I understand the core idea behind the EU's desire, but the fact is that cookies are absolutely required for login sessions, and it's impossible to allow users to opt out. The EU doesn't understand the tech behind the laws they are trying to enforce, and this is where it leads. Absurdity.
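The point made above, that an "auth token" carried in the Authorization header is just a session ID by another name, can be made concrete with a small simulation. The following is an added example, not code from the thread or from any real site: a hypothetical tracking backend (names such as `TrackingBackend` and `visitor_key` are mine) that keys a visitor profile on whatever opaque identifier the browser replays, whether it arrives as a `sid` cookie or as a bearer token. The request headers are constructed sample input.

```python
import re
from collections import defaultdict

# Matches "Bearer <token>"; the token is treated as an opaque identifier.
_BEARER_RE = re.compile(r"^Bearer\s+(\S+)$", re.IGNORECASE)


def visitor_key(headers):
    """Return (channel, identifier) for a request, or None if it carries no
    replayable identifier. The channel is informational only: the backend
    below keys purely on the identifier, which is the whole point."""
    auth = headers.get("Authorization")
    if auth:
        m = _BEARER_RE.match(auth.strip())
        if m:
            return ("bearer", m.group(1))
    cookie = headers.get("Cookie")
    if cookie:
        for part in cookie.split(";"):
            name, _, value = part.strip().partition("=")
            if name == "sid" and value:
                return ("cookie", value)
    return None


class TrackingBackend:
    """Hypothetical server-side store of per-visitor browsing history."""

    def __init__(self):
        self.profiles = defaultdict(list)

    def record(self, headers, path):
        """Attribute a page view to the identifier in the request, if any.
        Returns the identifier used, or None when the request is unlinkable."""
        key = visitor_key(headers)
        if key is None:
            return None
        self.profiles[key[1]].append(path)
        return key[1]


def simulate():
    """Replay two browsing sessions that carry the same opaque value, once as a
    cookie and once as a bearer token, plus one request with neither."""
    backend = TrackingBackend()
    # Constructed sample requests; "abc123" stands in for an opaque token.
    backend.record({"Cookie": "sid=abc123"}, "/news")
    backend.record({"Cookie": "theme=dark; sid=abc123"}, "/sports")
    backend.record({"Authorization": "Bearer abc123"}, "/weather")
    backend.record({"User-Agent": "example"}, "/anonymous")
    return dict(backend.profiles)


if __name__ == "__main__":
    print(simulate())
```

Swapping the cookie jar for a browser-managed bearer token changes which header carries the identifier, not the backend's ability to join requests on it; only the request with no replayable value stays unlinked.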


Yes. However, there are some upsides: having an auth token which from the perspective of the browser is limited to auth makes it more explicit when the browser is passing an auth token to the site: if the browser shows a "Log out" button, then you're providing that auth token; if you didn't log in to a website and suddenly you have the option to log out, that's very obviously weird. Of the perhaps 10 sites I visit on a regular basis, I only even have logins for 3 (email, Reddit, HN), so other sites would be slightly hampered in tracking me.


Only if you're logged in and only to the first party server, though.


That requires separate opt-in consent according to GDPR.

GDPR is absolutely not about cookies, it's not about having private information but about uses of it. You may have a legitimate need to collect some data - that auth token for login purposes, the customer's address for delivery, etc. That's fine, it allows you to collect and use that data for that purpose. But it does not mean that you're automatically allowed to use that login token or delivery address you have on your servers for other purposes such as selling or giving it to third party advertisers.


I can think of several other reasons:

- A/B testing.

- Limiting the number of articles a non-paying user can read per month.

- Persisting form data and shopping cart info. (Not all sites require an account to order stuff from them.)

- Improving recommendations based on what someone has liked or viewed on the site.
