Further to the recent guidance and announcement of enforcement plans, the first demonstration of what this might entail for web sites that undertake user tracking or store user data has been revealed.
On 26 May 2011, the rules about cookies on websites changed... I accept cookies from this site.
The UK Information Commissioner's Office (ICO) utilises up to six cookies on the ICO web site (four relating to Google Analytics). Alexis Fitzgerald discusses the implementation in his Web Application Security - From The Start blog. There is no cookie to say you have opted out of accepting cookies — which is good — but for now the site does leave that rather annoying message at the top of every page which persists in the print version too. Giving consent also sets a cookie "ICOCookiesAccepted".
I see the ICO has stated the session identifier "ASP.NET_SessionId" is an "essential site cookie". It is set by default as soon as you visit the site, and thus presumably is exempt from the regulations for consent due to being "strictly necessary for the provision of an information society service". Take note.
Well, many web sites manage not to use session identifiers except in a subset of the site, such as for authentication and authorisation checks in areas limited to certain users. I wonder whether there is any functionality on the ICO web site which really requires this session cookie to work?
Putting that aside, the cookie is "session-only" and should be destroyed when the browser is closed. But some web browsers are not routinely closed, and this would leave evidence that the site had been visited. In the case of the ICO web site, it would almost always be an insignificant matter, but there could be situations when even accessing this site might be deemed unacceptable or suspicious, leading to some sort of potential harm to an individual. Other web sites are likely to copy the ICO approach, so it is interesting that the ICO has not removed the need for a session identifier cookie for general site browsing.
My baseline tips for cookies used for session management would be:
- Have only one session management cookie if possible
- Ensure session management cookie(s) expire automatically
- Destroy sessions server-side once they have expired, or when their use is no longer required, and after a fixed time period
- Do not store any personal data or business data in the cookie value — just store a long highly-random, difficult to predict identifier which has some meaning server-side
- Restrict session cookie scope to the site's particular domain and URL path
- Set the HttpOnly cookie attribute, and if SSL is used the Secure (SSL-only) attribute as well
- And preferably, limit where session identifiers are required (i.e. not the whole site)
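As an added illustration of these tips (example code written for this post, not code from the ICO site or any project), here is a small Python session store and a checker for Set-Cookie header values. The cookie name, host names and sample header values are constructed; the 22-character length check is only a rough heuristic for whether the identifier could be random enough, not a measure of entropy. Leaving the Domain attribute out makes the cookie host-only, which is the tightest scope a browser will apply.

```python
# Added example (not code from the original post or the ICO site): a minimal
# server-side session store plus a Set-Cookie auditor that checks the baseline
# tips above. Cookie names, hosts and sample headers are constructed.
import secrets
import time

COOKIE_NAME = "sid"           # hypothetical: the single session cookie (tip 1)
IDLE_TIMEOUT = 20 * 60        # seconds of inactivity before a session is dropped
ABSOLUTE_LIFETIME = 8 * 3600  # fixed upper bound on a session's life (tip 3)


class SessionStore:
    """Server-side store; the cookie carries only an opaque random id (tip 4)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be exercised in tests
        self._sessions = {}          # sid -> {"created", "last_seen", "data"}

    def _expired(self, sess, now):
        return (now - sess["last_seen"] > IDLE_TIMEOUT
                or now - sess["created"] > ABSOLUTE_LIFETIME)

    def create(self, data=None):
        sid = secrets.token_urlsafe(32)   # 256 random bits, not predictable
        now = self._clock()
        self._sessions[sid] = {"created": now, "last_seen": now, "data": data or {}}
        return sid

    def get(self, sid):
        """Return session data, or None if unknown/expired (expired ones are destroyed)."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if self._expired(sess, now):
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess["data"]

    def destroy(self, sid):
        """Called on logout or when the session is no longer required."""
        self._sessions.pop(sid, None)

    def purge_expired(self):
        """Periodic sweep so idle sessions do not linger server-side."""
        now = self._clock()
        stale = [s for s, v in self._sessions.items() if self._expired(v, now)]
        for s in stale:
            del self._sessions[s]
        return len(stale)


def session_set_cookie(sid, path="/account", https=True):
    """Build a Set-Cookie value for the session id. No Domain attribute is set,
    so the cookie is host-only (tightest scope); Path limits it to the part of
    the site that actually needs a session (tips 5, 6 and 7)."""
    attrs = [f"{COOKIE_NAME}={sid}", f"Path={path}", f"Max-Age={IDLE_TIMEOUT}", "HttpOnly"]
    if https:
        attrs.append("Secure")
    return "; ".join(attrs)


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value, host, https=True):
    """Return the baseline tips a session Set-Cookie header fails to meet."""
    _, value, attrs = parse_set_cookie(header_value)
    findings = []
    if len(value) < 22:   # rough proxy only: 22 base64 chars is about 128 bits
        findings.append("identifier looks short for a random session id")
    if "max-age" not in attrs and "expires" not in attrs:
        findings.append("no automatic expiry (session-only cookie)")
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != host.lower():
        findings.append("Domain widens scope beyond the site's own host")
    if attrs.get("path", "/") == "/":
        findings.append("Path covers the whole site")
    if "httponly" not in attrs:
        findings.append("HttpOnly attribute missing")
    if https and "secure" not in attrs:
        findings.append("Secure attribute missing on an SSL site")
    return findings


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create({"user": "alice"})           # constructed sample session
    print(session_set_cookie(sid))
    # Constructed header in the style of a default session-only cookie
    print(audit_set_cookie("ASP.NET_SessionId=abc123; path=/", host="www.example.org"))
```

Run against a header built by session_set_cookie the audit returns no findings; run against the constructed default-style header it reports the short identifier, the missing expiry, the site-wide path and the two missing attributes.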
These are just a starting point. If the session management cookie is part of authentication processes, there are further recommendations for implementation.
No doubt, additional advice on the new cookie regulations and standard practices will be forthcoming in due course. Of course, the ICO could have removed client-side web analytics completely, reducing the number of cookies to one (and this may not really be required either).