Appendix C - Cookies: Summary Guidance for Implementers
The purpose of this Appendix is to indicate the basis used in determining the treatment of cookies by this Standard.
A service user's browser can be asked to record 'state' information for later return to a web server. The state information is known as a 'cookie'. Cookies may be persistent, and written to a local file system, or transient (also known as a session cookie) and not maintained beyond termination of the browser session.
Use of cookies with their lack of content standards, cross-domain limitations and well-publicised security concerns has been severely restricted by the New Zealand Government Web Standards and Recommendations v1.0 [NZGWSR] published in March 2007, and that document's predecessor, the NZ Government Web Guidelines v2.1. The relevant standards and recommendations in [NZGWSR] are contained in the Part titled 'NZ government agency web site Standards', section 19 'Data Tracking'. Relevant extracts are below:
- from Standard 19.3 'Client side personally identifiable data storage': 'Note: As per recommendation 19.1.2, if it is necessary to maintain "state", server-side session management should be used in preference to client-side session management.'
- from Standard 19.1 'Data tracking able to be disabled': 'A web site must provide the option for a user to disable the collection of tracking data at any time during their visit. Note that this excludes:
- When the tracking data is used solely for maintaining session state of the web site'
- from Standard 19.2 'Rules governing storage of tracking data': 'Because of the requirement to be able to disable the continued recording of tracking data, a site should not have its functionality dependent on this data.'
In the context of security assertion messaging and in particular the development of NZ SAMS, the Secure Messaging Working Group has interpreted [NZGWSR] to allow (transient) cookies that do not contain session state, but merely contain a reference to session state that is stored and maintained on the agency server. This is the approach used by J2EE. Given this interpretation, a cookie that contains authentication credentials is also permitted – since the session 'state' information is kept, if at all, on a web server.
Persistent cookies have well-publicised security concerns relating to the potential for sensitive or personal information to be recovered inappropriately or without the knowledge of the service user. In addition to those concerns, persistent cookies are not necessary for security assertion messaging and, consequently, they should not be used.
All cookies have well-publicised concerns regarding the sharing of information between different websites/domains. The exchange and sharing of information between different websites using cookies is inappropriate for at least the following reasons:
- there is little, if any, standardisation of information stored in cookies, so their use for data exchange between sites is likely to impede interoperability
- the sharing of information between sites is a threat to the privacy of the service user
- interactions between a browser and different sites may be subject to different levels of encryption – including no encryption – and the cookies may pass sensitive information in the clear.
For these reasons, the use of cookies in security assertion messaging should be limited to the carrying of a simple opaque identifier of 'state' information stored on a web server. The state identifier should be limited to only the web servers that share a single security context in order to provide a stable environment for tightly integrated applications, load balancing and session failover. The most useful 'state' information to maintain is session state, so the cookie should identify a service user's current web browser session, from which can be derived longer-term state (e.g. account balances, name, etc). Since cookies should be used only to identify current session state, it is reasonable to expect the termination of a browser to also terminate a current session.
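The interpretation above (state held on the agency server, the cookie carrying only a transient opaque reference to it) can be illustrated with the following added example; it is not code from the Standard or from any NZ SAMS implementation. The cookie name, the in-memory store and the sample account data are assumptions made for the example, and the two checks at the end are the kind of test an implementer can run against a real Set-Cookie header.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Constructed in-memory store standing in for server-side session state
# (assumption: a real deployment shares it only among the web servers of
# one security context, e.g. for load balancing and session failover).
SESSION_STORE = {}
COOKIE_NAME = "SESSIONID"  # hypothetical cookie name

def create_session(state: dict) -> str:
    """Keep the state on the server; hand out only an opaque reference."""
    session_id = secrets.token_urlsafe(32)  # unguessable, carries no meaning
    SESSION_STORE[session_id] = dict(state)
    return session_id

def session_set_cookie(session_id: str) -> str:
    """Set-Cookie value for a transient cookie: no Expires/Max-Age, so the
    browser discards it when the browser session ends."""
    c = SimpleCookie()
    c[COOKIE_NAME] = session_id
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["secure"] = True        # never sent in the clear
    c[COOKIE_NAME]["httponly"] = True      # not exposed to page scripts
    c[COOKIE_NAME]["samesite"] = "Strict"  # not sent on cross-site requests
    return c[COOKIE_NAME].OutputString()

def lookup_session(cookie_header: str) -> Optional[dict]:
    """Resolve the identifier in a request's Cookie header back to the
    server-side state; a missing or unknown identifier yields None."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get(COOKIE_NAME)
    return SESSION_STORE.get(morsel.value) if morsel else None

def end_session(session_id: str) -> None:
    """Server-side counterpart of the browser discarding the cookie."""
    SESSION_STORE.pop(session_id, None)

def is_transient(set_cookie: str) -> bool:
    """True when the Set-Cookie value has no Expires or Max-Age attribute."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    return not ({"expires", "max-age"} & attrs)

def leaks_state(set_cookie: str, state: dict) -> bool:
    """True if any piece of server-side state appears literally in the cookie,
    i.e. the cookie carries state rather than a reference to it."""
    return any(str(v) in set_cookie for v in state.values())
```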
For jurisdictional guidance on the use of cookies see:
- [NZGWSR] section 19 at http://www.e.govt.nz/standards/web-guidelines/web-standards-v1.0/agency-web-recommendations/data-tracking.html
- http://www.whitehouse.gov/omb/memoranda/m03-22.html (Memo entitled OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. Within the page, look in: Attachment A. III. Privacy Policies on Agency Websites. D. Content of Privacy Policies Paragraph 2. a. v.).
