I was just playing with Google Chrome and reading about IE8.
What worries me is the new private modes, which don't store cookies.
I can really see that catching on. And this is a major problem, because it effectively is the end of cookies.
Many of my web sites rely on cookies for advanced features. Although not stricly essential, it is a real pain that many of those nice feature will be lost.

What's wrong with stroring session info server side then? Tracking users I.Ps will allow you to create "cookies" as long as a users I.P address is static.

IPs change.

The private modes don't store cookies, history or cached content. I'm sure session cookies are still retained in memory but don't count on storing session to session preferences in cookie values. It's interesting that this attempt to increase anonymity could tend to actually reduce it.

Private modes are usually intended for public computers, where you might not want the next user to see what you were just doing. There's no reason regular home users would browse in privacy mode. So cookies are not dead.

Private modes are usually intended for public computers, where you might not want the next user to see what you were just doing. There's no reason regular home users would browse in privacy mode. So cookies are not dead

I completely disagree! Most computer users are very paranoid about other people accessing their PC and seeing what they have been up to. Especially after visiting the odd porn site "by accident" ( Don't tell me that the average guy never visits such a site! ). I mean lets face it, if people are not concerned about private mode, why are all the browsers adding that facility? If private modes are made simple to select, then users will select them by default.

Like many other security and privacy features and guidelines, I predict that most users will find these options very annoying in a short time and will tend to use them sparingly rather than as the default.

They will quickly discover that they cannot remain logged in to all their favourite forums, eBay, and every other site that uses them for session management.

The only way this feature will be useful is if it can be overridden by specific site preferences as in Opera. That way the security conscious can know that cookies/javascript/iframes/whatever are implicitly disabled on any new site they visit until otherwise desired.

Cheers,
D.

IPs change.

Yes if you use a service provider like AOL who use dynamic I.P addresses but a lot of broadband connections (at least here in the U.K) use static I.Ps.

In the US that's always an extra cost option, although the DHCP leases may be fairly long.

The death of the cookies started long ago....this is just another step. Most people have software to scan and clear cookies. All anti viruses show cookies as possible threats. Netizens make it a point to get into the browser settings and disable cookies. Websites should find a way to perform well without using cookies.

Aside from tracking cookies that really only help advertising companies target their advertisements for your tastes, I see no noteworthy threat to cookies. I don't even consider that significant.

Set your browser to block any and all 3rd party cookies (not from the originating domain) or to only accept session cookies. Case closed.

Cheers,
D.

The only noteworthy threat is from idiot programmers that store sensitive information in the cookies since most browsers are vulnerable to attacks that can grab cached (non-session) cookies. Of course these porn-surfing modes aren't designed to address that kind of security at all.

The use of session cookies is not under threat as the alternative (placing the information in the query string) is less secure.

First party cookies are only ever needed where you want to save information between sessions - decent browsers have given the ability to selectively decide which to allow and which not for several years now.

Most browsers stopped accepting third party cookies unless you specifically enabled them some years ago.

The impact of the new privacy modes in IE8, Chrome etc when those browsers are eventually released will be on what remains in the cache etc. The sorts of uses that mode will have will not impact on cookies at all since in the sorts of situations where cookies are needed you will not be able to use that mode.

The use of session cookies is not under threat as the alternative (placing the information in the query string) is less secure


Nobody would put sensitive information in the query string; what one may do is put a session ID in the query string and store all the session data server side (matched against I.P address for retrieving said information) which prevents people being able to glance at the info in the address bar, however, if you are dealing with any real degree of sensitive information any transaction between client and server should be done over HTTPS anyway.

Regards

Carl