Ask HN: What kinds of cookies are “required” for a website to function?
... apart from login cookies. Many sites which don't require you to login ask for permission to store cookies "required for the site to function" and don't let you refuse them. What exactly do these cookies do? Would appreciate answers from folks who are site devs for any such websites.
19 comments
[ 1.6 ms ] story [ 51.5 ms ] thread1: https://portswigger.net/web-security/csrf/tokens
It correctly suggests putting CSRF tokens in either hidden fields or custom request headers. If you're putting the token in to a cookie then you're persisting it for some length of time beyond the existence of the page, in which case you've broken your CSRF token mechanism because they're not supposed to persist across multiple requests. You should generate a new token for every request.
You could also handle this stateless without the session using encryption or HMAC, but then you need to manage secret keys and not screw up.
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Re...
Now, the technical choices that lead to those things may not have been the wisest but the general thinking is that:
- the site is less functional without those cookies so requiring them ensures a common baseline for all users,
- they are used internally for things that are directly related to what the user is here for, so they are in a somewhat different league than all the cross-site targeting cookies everyone is concerned about, so they are less harmful.
But the truth is that saving to and reading from cookies is not an absolute requirement of building websites.
Preferences like that should be part of the URL schema. Picking language as a good example, a site can use a path variable (eg the part of the page URL after the domain) to store that information. https://example.com/en/page.html, https://example.com/de/page.html, https://example.com/es/page.html, etc. Alternatively a site could use a subdomain for the same thing. There are many advantages to that approach, such as making it easier to route traffic to a local data center or leverage better edge caching for localized assets. It also means users can deep link straight to a page in their chosen language.
https://example.com/{en,fr}/page.html is indeed much better—and widely recommended, for that matter—but lots and lots of sites don't do that for one reason or another. If those sites use a cookie to store language choice, then it is IMO quite reasonable for the site operator to consider such a cookie as "required".
In other words, many things will not need cookies/scripts. If you do use the, ensure that they are fully documented, and that the documentation can be viewed without cookies/scripts/CSS enabled. This allows the user to know exactly what is being done, as well as the possibility to enable only the cookies they want, or to manually configure read-only cookies for preferences.
From what I remember, your IT department may muck it up, or you're using a shared computer at say a hostel and someone's set it and you don't know how to change it, etc.
Aside from that, most of your examples need a lot of foresight, work and knowledge to actually pull off.
Http login is really hard to make user friendly, and has no way to logout in a user friendly way; the user needs to be prompted for a password again and not enter it. An HTML form and cookies just works better.
Logout (and the duration that the login data is kept) is the responsibility of the user agent. Unfortunately, none that I know of provide the user any control over that.
Function how?
There are a lot of superfluous cookies because adding cookies is "best practice."
And frameworks make it easy.
And the added complexity makes programming mundane websites more interesting to the people condemned to doing so...inventing interesting problems makes people feel clever when cleverness is superfluous.
https://ico.org.uk/for-organisations/guide-to-pecr/guidance-...
This enables the websites backend to know who is making the request for authentication/authorization purposes.