

Sentinel
Premium
join:2001-02-07
Florida

IE6 does not handle cookies the same

I just tried IE6 and the first thing I noticed is that it does not allow you to block cookies from a website that is in your trusted sites list.

I liked being able to not accept permanent cookies from anybody but I did allow session only cookies from trusted sites. I blocked all cookies from everyone else.

Now you can not accept session only cookies and deny the rest from trusted sites zone.

Anyone find a workaround to this? Or hopefully I am wrong.
--
~AL~


CNZ
Schnook's Kiwi
Premium
join:2001-07-07
Kakanui, NZ

You are *not* wrong... you've just taken a little longer than the rest of us to find out!

Have a look at this thread, which by the way has been going for over two weeks now, and is on its ninth page....just some indication of how complicated and not-up-front MS's new "Privacy Policy" really is!

»IE6 and Cookies

It will take you a while to get through it all, but if you are in the least bit interested in how to set up your IE6 security zones/privacy settings, you will stick with it till the bitter end. Enjoy!
--
CNZ


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA

reply to Sentinel
No. The new cookie management features are a step backwards in configurability, even if they're also a step forward in the understanding of user concerns. They don't, however, seem able to grasp that visiting a site doesn't equal trusting it. The zone concept was inspired... the cookie management implementation just undermines the whole concept of configurable zone based trust completely.

I give them credit for recognizing the difference between first and third party cookies, and for recognizing the relative benign nature of session only cookies, but I can't believe that they took the control functions out of the zones and made them slider based package deals to boot. All that fanfare... for this? Just almost ensures that a third party filter will be the only effective way of controlling cookies effectively and simultaneously maintaining full "browsability" at all of our sites, many of which simply merit different levels of trust. Great concept. Lousy implementation. Really lousy. But, at least, the idea is good... maybe next release? If they don't REALLY screw it up in "upgrade" (I suppose saying "it's a real crud job you've made of it, but it works, for what it does do" can sometimes be construed as high praise, wherever the MS "initial feature release implementation" track record's concerned! ).
--
Let us therefore brace ourselves to our duties, and so bear ourselves that if the British Empire and its Commonwealth last for a thousand years, men will still say, 'This was their finest hour.'


Sentinel
Premium
join:2001-02-07
Florida

reply to CNZ
Holy cow! That is some thread. Thank you for pointing me to it but there is no way I could read all of that and understand it. I tried to skim it but I got lost in the technical details. My hat is off to those brave souls in that thread who are doing all that research on this issue.

The bottom line of that thread seems to be that there is no way to do what I want to do in IE6. Am I correct?

What I want to do is...
1. Refuse all permanent cookies in all zones from everybody.
2. Accept session only cookies ONLY from those sites in my Trusted Sites Zone.
This way I have no cookies stored on my machine and the few cookies from sites that I do allow cookies from are gone when I close my browser and clear my cache.

They should start a quick abbreviated version of that thread that is the bottom line or sum total of what they have found in all that work that they have done for the rest of us great unwashed.
--
~AL~


CNZ
Schnook's Kiwi
Premium
join:2001-07-07
Kakanui, NZ

  Don't worry! Much of the technical stuff in that thread is way above my head as well, but I am surprising myself, how much I am picking up along the way. I would suggest that you repost this question at the end of that thread and I am sure one of the two main "researchers" will help you out better than I can.

Currently, the way IE6 is set up, Cookies are enabled by default in your Trusted Zone. You are able to get around this if you want by importing a privacy file of your own, but *this* particular area is *not* something I understand....yet! Put "attention R2" at the top of your post over there and he will be there to help you in no time!
--
CNZ


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA

reply to Sentinel
Al, I do intend to put out a summary thread. But until then, the only way to be that specific is to use what MS calls an "XML Import file" to control cookies.

To make this, you need to decide exactly how you want cookies handled in both the Internet and Trusted sites zones, and I can make you an Import file that will do exactly as you wish.
[text was edited by author 2001-09-19 00:01:48]

eburger68
Premium,MVM
join:2001-04-28

R2:

Didn't take long for someone to mosey along looking for more control over the Trusted zone, did it? You were correct about the need for such options in IE6 right from the beginning.

This is also precisely the reason I suggested putting together a menu of XML Import files. When I can find some time (probably not until the weekend, unfortunately), I'll try to throw together a few and get them up on the web.

Best,

Eric L. Howes


CNZ
Schnook's Kiwi
Premium
join:2001-07-07
Kakanui, NZ

  R2,

Would an import file work with my IE Zone Editor "Custom zone"? That could be one way to set that zone up with cookie handling the way I want it?

Eburger68,

That would be a great idea for those of us who are not clever enough to do it ourselves! Many thanks to you both again for all the time you are putting into this. You should be on M$'s payroll.....doing their dirty work for them!
--
CNZ


Sentinel
Premium
join:2001-02-07
Florida

 reply to R2
R2,
You da man! If you could do that for me I would be in your debt.

What I want to try to do is what I had in good ol' IE5.5 SP2. This is exactly how I want cookies handled and I think that a few others may have handled their cookies this way as well as me...

1. Refuse all permanent cookies in all zones from everybody. I don't even want to accept cookies from the Trusted Zone!

2. Accept "session only" cookies ONLY from those sites in my Trusted Sites Zone.

By doing the above I have no cookies stored on my machine ever. And the few cookies I get from sites that I do allow cookies from are gone when I close my browser, because I have my browser set to clear my internet cache every time I close my browser.

I don't mind "trusted sites" slipping me a cookie while I am surfing in order to use DSLR or a shopping cart thing to order something; but I see no legit reason why a company needs to give me a permanent cookie ever. I don't mind typing my password for places like DSLR once each session.

Hope this makes sense. Others who use the same cookie concept will benefit from this xml import file as well. Thank you again!
--
~AL~


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA

reply to CNZ
Eric - I have yet to get back to you after your last post in the monster thread. I needed a break from cookies for awhile!!

I have read your updated page and I think it is superb. It reads like the definitive guide to IE6 and Cookies. There is NO place else on the Internet where these options are evaluated side-by-side. If anyone wants to better understand their options for Cookie Control in IE6, I highly recommend reading this page.

I will not add any more to that large thread, but maybe some time next week I would like to start a thread that summarizes the findings. The single most important issue to me is the fact that the 'Privacy Slider' offers you no real choices. We did not test this, but from our results it is obvious to figure this out. More on this later...

Yes, it would be nice to create several Import files for people to use. If you used the one I posted, you will note one problem -- DSLR is in my Trusted zone, but since DSLR does not have a Compact Policy, the cookie is not stored. So every time I visit, I have to sign in. That can be overcome by changing the noPolicyDefault to "Leash" (forceFirstParty), or by adding DSLR to an MSIESiteRules element. This can only be done with an Import File.

Al - Thank you for coming along and realizing that just because a site is in your Trusted zone, it does NOT mean you want it to dump third-party cookies onto you!! I really do not know where Microsoft's head was on this. OK, they DO give you the option to create an Import file, but c'mon! That is simply not in the realm of the average user. They have made it far more challenging than necessary.

To create an Import file specifically for you, you need to make the following selections:

Internet Zone
   First Party Cookies
      Action if NO Compact Policy
         ( )accept
         ( )prompt
         ( )leash
         ( )downgrade
         ( )block
      Action if there is a Compact Policy
         ( )accept
         ( )prompt
         ( )leash
         ( )downgrade
         ( )block
      Action for Session Cookies:
         ( )Treat just like above
         ( )Always accept

   Third Party Cookies
      Action if NO Compact Policy
         ( )accept
         ( )prompt
         ( )leash
         ( )downgrade
         ( )block
      Action if there is a Compact Policy
         ( )accept
         ( )prompt
         ( )leash
         ( )downgrade
         ( )block
      Action for Session Cookies:
         ( )Treat just like above
         ( )Always accept

Trusted sites Zone
   First Party Cookies
      Action if NO Compact Policy
         ( )accept
         ( )prompt
         ( )leash
         ( )downgrade
         ( )block
      Action if there is a Compact Policy
         ( )accept
         ( )prompt
         ( )leash
         ( )downgrade
         ( )block
      Action for Session Cookies:
         ( )Treat just like above
         ( )Always accept

   Third Party Cookies
      Action if NO Compact Policy
         ( )accept
         ( )prompt
         ( )leash
         ( )downgrade
         ( )block
      Action if there is a Compact Policy
         ( )accept
         ( )prompt
         ( )leash
         ( )downgrade
         ( )block
      Action for Session Cookies:
         ( )Treat just like above
         ( )Always accept

Kinda complicated, huh?

CNZ - sadly, I have not yet figured out exactly how the custom zones will work. I have a really good guess on how to do this, but I have not yet tested it. Basically, you will likely need to set up your Internet zone EXACTLY how you want your custom zone. You may have to use an Import file to do this. Once your Internet zone is set up how you want it, simply copy EVERYTHING in that zone key -- including the Privacy GUIDs -- into your custom zone.

To do that, you need to EXport the key, modify the necessary items (the key number, the DisplayName, the Description, etc.), and then re-import that back into the registry.

By the way, the creator of IE Zone Editor has been posting here and he has been trying to convince MS of the problem IE6 has with custom zones.
_________________________________________________

Al - you snuck your post in there while I was typing. I'll read it now.

[text was edited by author 2001-09-19 16:20:37]


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA

reply to Sentinel
Al, what you want to consider is the option that takes a "permanent" cookie and FORCES it to not be permanent. This is actually quite cool and it works well.

Some sites want you to have a permanent cookie written before you can use them. Well, they THINK you have accepted the cookie -- and in a sense you have. However, the cookie is NEVER written to your disk -- it has been secretly forced into being a session cookie without the site knowing this. I really like this option; it gives you incredible control. That choice is called "Downgrading".

You may want to think about "Leashing" as well. That takes a cookie and limits its access to first-party only. It is not quite as secure, but that is where the real privacy risk is. When cookies are given free access in third-party context, that is where real "user profiling" can occur.

[text was edited by author 2001-09-19 16:21:43]


Sentinel
Premium
join:2001-02-07
Florida

R2, here you go. I guess you are asking me to fill this in and then you can tell me how to do what I want to do; right? Yes, downgrading is exactly what I would like to do. However, I can do it so that all I accept is session-only cookies and only from sites in my trusted zone. That would be fine for me. I would be happy as a clam with IE6 if I could do that.

Internet Zone
   First Party Cookies
      Action if NO Compact Policy
         ( )accept
         ( )prompt
         ( )leash
         ( )downgrade
         (X)block
      Action if there is a Compact Policy
         ( )accept
         ( )prompt
         ( )leash
         ( )downgrade
         (X)block
      Action for Session Cookies:
         (X)Treat just like above
         ( )Always accept

   Third Party Cookies
      Action if NO Compact Policy
         ( )accept
         ( )prompt
         ( )leash
         ( )downgrade
         (X)block
      Action if there is a Compact Policy
         ( )accept
         ( )prompt
         ( )leash
         ( )downgrade
         (X)block
      Action for Session Cookies:
         (X)Treat just like above
         ( )Always accept

Trusted sites Zone
   First Party Cookies
      Action if NO Compact Policy
         ( )accept
         ( )prompt
         ( )leash
         (X)downgrade
         ( )block
      Action if there is a Compact Policy
         ( )accept
         ( )prompt
         ( )leash
         (X)downgrade
         ( )block
      Action for Session Cookies:
         ( )Treat just like above
         (X)Always accept

   Third Party Cookies
      Action if NO Compact Policy
         ( )accept
         ( )prompt
         ( )leash
         (X)downgrade
         ( )block
      Action if there is a Compact Policy
         ( )accept
         ( )prompt
         ( )leash
         (X)downgrade
         ( )block
      Action for Session Cookies:
         (X)Treat just like above
         ( )Always accept

At least the above is what I think I am trying to do.
--
~AL~


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA

Attachment: Aloteros Import.zip, 365 bytes (contains Aloteros Import.xml)
Exactly. Attached is the .xml file that you can use. Below is the text version of it.

NOTE: I would suggest ONE change in your file. I would BLOCK third-party cookies in your Trusted sites. These are USUALLY advertiser's cookies anyway, so their usefulness to you is very limited.

To do that, just change this line in the "trustedSites" section:

<thirdParty noPolicyDefault="forceSession" noRuleDefault="forceSession" alwaysAllowSession="yes">

To this:

<thirdParty noPolicyDefault="reject" noRuleDefault="reject" alwaysAllowSession="no">
__________________________________________


To use this file, simply Open the Privacy tab and click the Import button. Then find and select this file. Give it a trial run and let us know how it worked.

Cheers.
__________________________________________


Here is the text contents of the attached file:

<MSIEPrivacy>
  <MSIEPrivacySettings formatVersion="6">
    <p3pCookiePolicy zone="internet">
      <firstParty noPolicyDefault="reject" noRuleDefault="reject" alwaysAllowSession="no">
      </firstParty>
      <thirdParty noPolicyDefault="reject" noRuleDefault="reject" alwaysAllowSession="no">
      </thirdParty>
    </p3pCookiePolicy>
    <p3pCookiePolicy zone="trustedSites">
      <firstParty noPolicyDefault="forceSession" noRuleDefault="forceSession" alwaysAllowSession="yes">
      </firstParty>
      <thirdParty noPolicyDefault="forceSession" noRuleDefault="forceSession" alwaysAllowSession="yes">
      </thirdParty>
    </p3pCookiePolicy>
  </MSIEPrivacySettings>
</MSIEPrivacy>

[text was edited by author 2001-09-19 16:40:02]
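
As an added example (not part of R2's post, and not a Microsoft tool), the Python below builds the same kind of Import file from the form choices R2 listed, using the value names the attached file itself uses (forceSession for "downgrade", forceFirstParty for "leash", reject for "block"; the leash/forceFirstParty pairing comes from R2's earlier post), applies his suggested change to the Trusted sites third-party line, and parses a file back into a table so you can see what a file someone hands you will do before clicking Import. Al's filled-in form is reproduced as the sample policy; everything else in the script is the example's own.

```python
"""Generate an IE6 privacy Import file from the per-zone choices in R2's form.

Added example, not from the thread or from Microsoft. It turns the five
radio-button choices (accept / prompt / leash / downgrade / block) into the
attribute values the thread's XML uses, emits the MSIEPrivacy document R2
attached for Al, and applies R2's suggested change (reject third-party
cookies in Trusted sites) so the two variants can be compared.
"""
import xml.etree.ElementTree as ET

# Form choice -> attribute value. "leash" = forceFirstParty and
# "downgrade" = forceSession are the names R2 gives; "block" = reject.
CHOICE_TO_VALUE = {
    "accept": "accept",
    "prompt": "prompt",
    "leash": "forceFirstParty",
    "downgrade": "forceSession",
    "block": "reject",
}

# Al's filled-in form: zone -> party -> (no Compact Policy, Compact Policy,
# session handling), where session handling is "treat" (same as above) or
# "always" (always accept).
AL_POLICY = {
    "internet": {
        "firstParty": ("block", "block", "treat"),
        "thirdParty": ("block", "block", "treat"),
    },
    "trustedSites": {
        "firstParty": ("downgrade", "downgrade", "always"),
        "thirdParty": ("downgrade", "downgrade", "treat"),
    },
}


def build_import_file(policy):
    """Return the XML text of an Import file for the given choices."""
    root = ET.Element("MSIEPrivacy")
    settings = ET.SubElement(root, "MSIEPrivacySettings", formatVersion="6")
    for zone, parties in policy.items():
        zone_el = ET.SubElement(settings, "p3pCookiePolicy", zone=zone)
        for party in ("firstParty", "thirdParty"):
            no_cp, has_cp, session = parties[party]
            ET.SubElement(
                zone_el, party,
                noPolicyDefault=CHOICE_TO_VALUE[no_cp],
                noRuleDefault=CHOICE_TO_VALUE[has_cp],
                alwaysAllowSession="yes" if session == "always" else "no",
            )
    if hasattr(ET, "indent"):   # Python 3.9+; purely cosmetic
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def with_third_party_blocked(policy, zone="trustedSites"):
    """R2's one suggested change: block third-party cookies in the zone.
    Returns a modified copy; the input policy is left untouched."""
    changed = {z: dict(p) for z, p in policy.items()}
    changed[zone]["thirdParty"] = ("block", "block", "treat")
    return changed


def read_import_file(xml_text):
    """Parse an Import file back into {(zone, party): (noPolicyDefault,
    noRuleDefault, alwaysAllowSession)} so a file from someone else can be
    inspected before it is imported."""
    root = ET.fromstring(xml_text)
    settings = root.find("MSIEPrivacySettings")
    result = {}
    for zone_el in settings.findall("p3pCookiePolicy"):
        for party_el in zone_el:
            result[(zone_el.get("zone"), party_el.tag)] = (
                party_el.get("noPolicyDefault"),
                party_el.get("noRuleDefault"),
                party_el.get("alwaysAllowSession"),
            )
    return result


if __name__ == "__main__":
    print(build_import_file(with_third_party_blocked(AL_POLICY)))
    for key, value in sorted(read_import_file(build_import_file(AL_POLICY)).items()):
        print(key, value)
```

The script only covers the MSIEPrivacySettings part of the format; the MSIESiteRules element R2 mentions for per-site exceptions is not shown on this page and is left out rather than guessed at.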


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA

reply to eburger68
Eric:

Just some follow up on your page. I have read it many times, and I think the wording and approach is excellent.

As usual, I have some comments. First off, this sentence seems wrong:
Notes & Observations

IE6's handling of popup and popunder ads is troubling. At the very least this behavior -- accepting first-party cookies from sites the user didn't select, and erroneously accepting third-party cookies from sites without a compact policy -- points up yet another problem with the default IE6 Security zone and Privacy tab settings, as these popups and popunders appeared only when these settings were modified or customized.
I may be mis-reading that, but the popups can appear especially if the settings are not modified or customized, correct?

Lastly, although you display this image:

... I don't think you reveal the potential risk that this policy imposes.

My concern with this situation is that a site can have a Compact Policy on its main site (www.site.com) that is exceptionally appropriate -- and therefore ANY cookies from that domain (-.site.com) will be considered "first-party with an acceptable Compact Policy".

Even if every other site on that domain has an UNacceptable Compact Policy, the cookies might be accepted because they are still considered "first-party" to the site that was INITIALLY accepted by IE6.

This would be exceedingly difficult to prove without finding a site that specifically did this. And that leads on to one of my big future points -- do ANY sites exist out there with "unacceptable" Compact Policies?? I cannot find any.

If there is no such tangible thing as a 'Web site with an unsatisfactory Compact Policy', then the "Privacy Slider" is a complete illusion that is based on a fallacy. Eh, but that is just my opinion!:)


Sentinel
Premium
join:2001-02-07
Florida

reply to R2
Re: IE6 does not handle cookies the same

R2,
Thank you so much! It's incredibly nice of you to take time out of your day to do this. I hope others who have similar desires on securing their IE6 will be able to benefit from this too. I appreciate it a great deal. If you are ever in NY I'll buy you a beer! (or a steak if you don't drink )

I am taking your advice and making that change to third party cookies. Sounds right and I should have thought of that. Much appreciated.
--
~AL~

eburger68
Premium,MVM
join:2001-04-28

reply to R2
Re: Eric:

said by R2:
Just some follow up on your page. I have read it many times, and I think the wording and approach is excellent.

As usual, I have some comments. First off, this sentence seems wrong:
Notes & Observations

IE6's handling of popup and popunder ads is troubling. At the very least this behavior -- accepting first-party cookies from sites the user didn't select, and erroneously accepting third-party cookies from sites without a compact policy -- points up yet another problem with the default IE6 Security zone and Privacy tab settings, as these popups and popunders appeared only when these settings were modified or customized.
I may be mis-reading that, but the popups can appear especially if the settings are not modified or customized, correct?
Yep, I goofed with that sentence. Looks like I revised that sentence several times but neglected to tidy up the last little bit to make the meaning whole and complete. I've now reworked the entire section and re-posted the page.

said by R2:
Lastly, although you display this image:

(snip)

My concern with this situation is that a site can have a Compact Policy on its main site (www.site.com) that is exceptionally appropriate -- and therefore ANY cookies from that domain (-.site.com) will be considered "first-party with an acceptable Compact Policy".

Even if every other site on that domain has an UNacceptable Compact Policy, the cookies might be accepted because they are still considered "first-party" to the site that was INITIALLY accepted by IE6.

I'm still thinking through this possibility. I guess I'd prefer to find a verified, working example of the kind of behavior you fear before discussing it in any depth on the page.

Thanks for the input.

Eric L. Howes

eburger68
Premium,MVM
join:2001-04-28

reply to R2
Re: IE6 does not handle cookies the same

R2:

You wrote:

said by R2:

Yes, it would be nice to create several Import files for people to use.
OK, I've put together a whole mess of XML Import files. I haven't posted them yet to my web site, but I do want to let folks look at the ReadMe that accompanies the package:

»www.staff.uiuc.edu/~ehowes/xml-menu.txt

In that ReadMe you will find a complete menu of the XML Import files that I have put together so far. This set of files is not necessarily "finished" at this point. If anyone has suggestions for other combinations of settings which IE6 users might find useful, I'd be more than happy to add them to the mix. So, please, I'm all ears.

Obviously, this set of files doesn't even begin to cover the thousands(?) of possible permutations of Import file settings. It's a basic set that is governed by a few assumptions, rules, and unavoidable simplifications -- see the ReadMe for more details.

I hope to post this set of XML Import files within the next few days, but I'd like to gather reaction and input before throwing this package up on my web site.

Eric L. Howes


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA

Again, amazing! I was still tossing around in my head exactly how I would go about the task of creating these files -- trying to figure out exactly which variations would be most useful. But while I was still contemplating what to do, you have already gone out and accomplished this feat!!
____________________________________________________

Forgive my one quick step backwards: although I understand your reluctance in fully embracing my "First-party/Compact Policy Discrepancy Theory", I am at a loss as to why you do not think it deserves one sentence as a potential privacy problem. (I will refrain from mentioning this again.)
____________________________________________________

Now, please allow me to reveal some of my thoughts on the Import files so you can see if they are logical, and perhaps this will assist you in fine tuning your list of Import files.

After using my sample Import file for awhile, I am now minimally interested in making the distinction between sites that have a Compact Policy and those that do not. One reason is because of the fact that DSLR does NOT have a Compact Policy and therefore my Import file will not allow it to store a cookie. However, this reduced interest is really tied into the same concern I have about the Privacy Slider. I am going to deviate off topic for a moment to explain this.
____________________________________________________

On the surface there are only three viable choices on the Slider -- Medium, Med-High, and High. The other choices either give you less Privacy (ugh!) or render IE essentially unusable (Block All). These three viable choices do NOT in any real sense adjust your Privacy settings, and therefore the Slider is an illusion. How can I say this?

Well, for one thing, the major "Privacy risk" is third-party cookies. Moving the Slider from Medium to High fails to provide any tangible increase in control over third-party cookies. This is a major faux pas. The whole focus behind Privacy Control should be to control third-party cookies, yet the Slider does NOT do this.:(

Second, the actual "adjustments" that occur between Medium and High are unmeasurable in the real world. This is because the concept behind these adjustments is based on a fallacy. The problem lies in the fact that no one at Microsoft ran out the "What Happens Next" scenario...

By implementing P3P and forcing sites to create Compact Policies -- and more importantly forcing them to create "acceptable" Compact Policies -- Microsoft has eliminated the utility of the Privacy Slider. In six months, all sites will have acceptable Compact Policies. There will be NO sites without a Compact Policy, and I argue there will also be none with unacceptable Compact Policies. They will simply NOT exist. Therefore, the functional difference between the Medium setting and the High setting is NIL! The Privacy Slider is an illusion based on the fallacy that sites exist with unacceptable Compact Policies -- however, just try to find one of these sites! Good luck.

If one of the largest and most well known third-party profilers (doubleclick) can make an acceptable Compact Policy, who in their right mind is going to make an unacceptable one?
____________________________________________________

OK, enough rambling early in the AM before my coffee!:)

Back to the things you might want to think about for your Import files:
    • I am not sure I would even bother to separate out cookies based on "No Policy" and "Policy". Just because a site doesn't have a policy (e.g., DSLR) doesn't make it bad, and just because a site does have a policy (e.g., doubleclick) doesn't make it good. I think the "noPolicyDefault" and "noRuleDefault" settings can be set exactly alike.

    • I agree with your decision to simply BLOCK all third-party cookies. There is NO reason that I can fathom that an end-user would want a cookie to have third-party privileges. THAT is the one BIG area Microsoft screwed up both on the Slider and in the default handling of the Trusted sites...

    • I do not agree with dividing the choices into "Session" and "No Session" -- and I believe you are mis-representing this information -- at least by my reading. First off, choosing "no" for "alwaysAllowSession" does not mean "No Session Cookies will be allowed". Instead, it simply means that "Session Cookies will be held to the same standards and rules as Persistent Cookies".

    Therefore, if the noPolicyDefault is "reject" and the site has no Compact Policy, the Session Cookie will be rejected. Whereas if the noRuleDefault is "accept" and the site does have a CP, it will be accepted. You will note there is an obvious ambiguity -- how is a Session Cookie "forced" Session? However, I suspect a Session Cookie could be forced into being placed and replayed ONLY in first-party context.

    From my viewpoint, I see no reason to NOT hold third-party Session Cookies to the same guidelines that I have chosen for Persistent Cookies. Unless someone can present a viable argument to the contrary, I believe the third-party alwaysAllowSession attribute should be locked on "no". You will still get Session Cookies based on the same rules that apply to Persistent Cookies.

    • Now, first-party Session Cookies are a slightly different bird. These are frequently necessary on sites to create shopping lists and to hold 'logon' information. Many sites require these for a user to simply access the site. Since they are NOT stored on your computer, very little significant user-profiling can be done. Therefore, they would be considered a low Privacy risk.

    For the sake of making the Internet more 'user-friendly', one could argue that Session Cookies should always be allowed in first-party context. This would be especially true in the Trusted sites Zone. There may be a few people who would limit first-party Session Cookies in the Internet Zone, but I suspect they would be the minority. If you did this, you would force users to have to enter a given site into their Trusted sites just to use it. This would create an unnecessary security risk.

    Therefore, for this reasoning, I think the first-party alwaysAllowSession attribute should be set to "yes". Since it could avoid forcing users to enter sites in their Trusted sites Zone just to use them, I believe this is actually an option that increases Privacy and Security.
By examining these suggestions, you can see that you can eliminate quite a few choices in your list of Import files - yet still maintain a great deal of important flexibility.

All just points to consider and discuss. Cheers and Good Day.

[text was edited by author 2001-09-20 09:08:34]
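
Added example, not from R2's or Eric's posts: a small Python model of the decision rules R2 lays out above (noPolicyDefault versus noRuleDefault, what alwaysAllowSession="no" actually means, and what "downgrade" and "leash" do to the DSLR login cookie from his earlier post). The cookies are constructed for illustration, and the order in which the checks are applied is this example's reading of the thread, not documented IE6 behaviour.

```python
"""Model of how an Import-file policy decides a cookie's fate, as R2 reads it.

Added example, not from the thread. It encodes only the rules R2 states:
a site with no Compact Policy gets the noPolicyDefault action, a site with
one (and no matching site rule) gets noRuleDefault, alwaysAllowSession="yes"
accepts session cookies outright while "no" subjects them to the same test
as persistent cookies, forceSession ("downgrade") keeps a persistent cookie
only for the session, and forceFirstParty ("leash") stores it but limits it
to first-party use. Whether IE6 orders these checks exactly this way is not
established on the page; this is a reading of the thread, not browser code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PartyPolicy:
    no_policy_default: str    # action when the site sends no Compact Policy
    no_rule_default: str      # action when it sends one and no site rule applies
    always_allow_session: bool


@dataclass(frozen=True)
class Cookie:
    host: str
    has_compact_policy: bool
    session: bool             # no expiry date: discarded when IE closes
    third_party: bool         # set by a host other than the page's own


def decide(policy: PartyPolicy, cookie: Cookie) -> str:
    """Outcome: accept, prompt, reject, forceSession or forceFirstParty."""
    if cookie.session and policy.always_allow_session:
        return "accept"
    action = (policy.no_rule_default if cookie.has_compact_policy
              else policy.no_policy_default)
    if action == "forceSession" and cookie.session:
        return "accept"       # already a session cookie; nothing to downgrade
    return action


def persists_on_disk(policy: PartyPolicy, cookie: Cookie) -> bool:
    """True when the cookie is written to disk and survives closing the browser.
    A leashed cookie is stored (first-party use only); "prompt" depends on the
    user's answer and is counted here as not persisted."""
    outcome = decide(policy, cookie)
    return (not cookie.session) and outcome in ("accept", "forceFirstParty")


# The two Trusted-sites first-party policies R2 compares: his sample file
# (downgrade everything) and the "Leash" fix he suggests for the DSLR login.
TRUSTED_FIRST_DOWNGRADE = PartyPolicy("forceSession", "forceSession", True)
TRUSTED_FIRST_LEASH = PartyPolicy("forceFirstParty", "forceFirstParty", True)
# Internet-zone third-party policy from Al's file: block regardless.
INTERNET_THIRD_BLOCK = PartyPolicy("reject", "reject", False)

# Constructed cookies for the cases discussed: the DSLR login cookie
# (no Compact Policy, persistent, first-party), a DSLR session cookie, and
# an advertiser's third-party cookie that does carry a Compact Policy.
DSLR_LOGIN = Cookie("dslreports.com", has_compact_policy=False,
                    session=False, third_party=False)
DSLR_SESSION = Cookie("dslreports.com", has_compact_policy=False,
                      session=True, third_party=False)
AD_TRACKER = Cookie("ad.example", has_compact_policy=True,
                    session=False, third_party=True)


if __name__ == "__main__":
    for name, pol in (("downgrade", TRUSTED_FIRST_DOWNGRADE),
                      ("leash", TRUSTED_FIRST_LEASH)):
        print(name, decide(pol, DSLR_LOGIN),
              "stored" if persists_on_disk(pol, DSLR_LOGIN) else "not stored")
    print("ad tracker:", decide(INTERNET_THIRD_BLOCK, AD_TRACKER))
```

Run as-is, the DSLR login cookie comes out "forceSession / not stored" under the downgrade policy (the sign-in-every-visit problem R2 describes) and "forceFirstParty / stored" under the leash policy, while the advertiser's cookie is rejected in the Internet zone whatever Compact Policy it carries.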

eburger68
Premium,MVM
join:2001-04-28

R2:

As time is pressing, I'm going to limit my response for now to issues immediately surrounding the XML Import files (I hope to address your other points later this evening)...

said by R2:

After using my sample Import file for awhile, I am now minimally interested in making the distinction between sites that have a Compact Policy and those that do not. One reason is because of the fact that DSLR does NOT have a Compact Policy and therefore my Import file will not allow it to store a cookie. However, this reduced interest is really tied into the same concern I have about the Privacy Slider. I am going to deviate off topic for a moment to explain this.
I share your skepticism of Compact Policies. When putting together that set of Import files, I tried to suspend my penchant to limit them to options that I would consider using myself. In many cases, there are Import files that I would never consider using myself, but I recognize that I can't understand, appreciate, or anticipate every need or preference that IE6 users might have. For all I know, someone out there might want to make such distinctions. And while I might think they ought to be disabused of this misplaced faith in P3P Compact Policies, I'm reluctant to completely dismiss their preferences.

said by R2:
    • I am not sure I would even bother to separate out cookies based on "No Policy" and "Policy". Just because a site doesn't have a policy (e.g., DSLR) doesn't make it bad, and just because a site does have a policy (e.g., doubleclick) doesn't make it good. I think the "noPolicyDefault" and "noRuleDefault" settings can be set exactly alike.
See my response above.

said by R2:
•I agree with your decision to simply BLOCK all third-party cookies. There is NO reason that I can fathom that an end-user would want a cookie to have third-party privileges. THAT is the one BIG area Microsoft screwed up both on the Slider and in the default handling of the Trusted sites...
Yeah, I simply can't see the need to allow 3rd party cookies in any context under any circumstances. Anyone who's interested in 3rd-party cookies might as well throw in the towel and choose "accept" all the way across and forget being bothered about cookies at all. In addition, if I were to start offering third-party cookie options, that set of Import files would balloon into the hundreds, if not thousands. Simply not practical.

said by R2:
• I do not agree with dividing the choices into "Session" and "No Session" -- and I believe you are mis-representing this information -- at least by my reading. First off, choosing "no" for "alwaysAllowSession" does not mean "No Session Cookies will be allowed". Instead, it simply means that "Session Cookies will be held to the same standards and rules as Persistent Cookies". (snip)
OK, your explanation here makes sense and I will revise the ReadMe to reflect this definition of "Always Allow Session Cookies." As far as WHICH session cookies to allow...

said by R2:
• (snip)
I think the first-party alwaysAllowSession attribute should be set to "yes". Since it could avoid forcing users to enter sites in their Trusted sites Zone just to use them, I believe this is actually an option that increases Privacy and Security.

By examining these suggestions, you can see that you can eliminate quite a few choices in your list of Import files - yet still maintain a great deal of important flexibility.

...I tend to agree with you here. I will revise the two different sets so that the only thing which distinguishes them is whether to allow 1st-party session cookies for both the Internet and Trusted zones. I do this for simplicity's sake. If folks want to distinguish between Internet and Trusted zone session cookies, they can custom edit one of the XML files.

The struggle here is to offer as many options as practically possible without dumping a couple hundred XML Import files into zip file and then expecting the user to dig out of the resulting avalanche of choices.

I probably won't be able to post anything new until late tonight, so please don't think I've gone AWOL.

Thanks so much for the detailed criticism and recommendations.

Eric L. Howes

eburger68
Premium,MVM
join:2001-04-28

I managed to update and revise both the XML files as well as the ReadMe. Here's a summary of the main changes:

The "Allow Session Cookies" file set now permits session cookies only in first-party contexts (I did not distinguish between the Internet and Trusted zone).

I revised the ReadMe to note that session cookies will still be governed by the same P3P Compact Policy standards which govern persistent cookies.

I added one new pair of files (3u and 3u-s). See the table for the options included in them.

It will still be a day or so before I post the XML files as a package, as I want to continue to gather ideas and suggestions (so keep 'em coming).

Best,

Eric L. Howes
Wednesday, 10-Feb 06:58:33 | Terms of Use | Privacy Policy | Hosting by www.nac.net | feedback | contact
© 1999-2010 dslreports.com