undefined | Better HN

0 pointsjefftk2y ago0 comments

They might be tracking whether I'm logged in, but since I didn't log into the site I didn't consent for them to store that state on my client. The e-Privacy directive is quite particular, and unless these cookies are "strictly necessary" to operate the sandbox they're not allowed.

0 comments

mark_story2y ago

I believe that knowing whether or not you are logged would be part of the strictly necessary.

shaky-carrousel2y ago

You don't need to set a cookie to know that I'm not logged in. The lack of cookies means I'm not logged in.

jefftkOP2y ago

The way most sites do this is that absence of a cookie indicates not logged in; any reason this wouldn't work here?

mark_story2y ago

That's fair, not having a cookie could work for session, how would you handle CSRF protection on a login form without cookies?

2 more replies

giancarlostoro2y ago

It might also just be done by whatever underlying web framework they use without them realizing. Like maybe a call to a method that checks if you are authenticated creates those cookies deep in some library they have less control / ownership of. Just taking a guess.

1 more reply

j / k navigate · click thread line to collapse

0 pointsjefftk2y ago0 comments

0 comments

mark_story2y ago

I believe that knowing whether or not you are logged would be part of the strictly necessary.

shaky-carrousel2y ago

You don't need to set a cookie to know that I'm not logged in. The lack of cookies means I'm not logged in.

jefftkOP2y ago

The way most sites do this is that absence of a cookie indicates not logged in; any reason this wouldn't work here?

mark_story2y ago

That's fair, not having a cookie could work for session, how would you handle CSRF protection on a login form without cookies?

2 more replies

giancarlostoro2y ago

1 more reply

j / k navigate · click thread line to collapse