Appendix C - Cookies: Summary Guidance for Implementers
The purpose of this Appendix is to indicate the rationale used in determining the treatment of cookies by this Standard. At the time of writing, the New Zealand Government Web Guidelines v2.1 (which dictate the limitations on the use of cookies) are being reviewed. The rationale outlined below has been used by the Secure Messaging working group as an interim measure. The treatment of cookies in this Standard will be reviewed once the New Zealand Government Web Guidelines v2.1 have been revised.
This subsection is informative and may be omitted from the next release of NZ SAMS.
A service user's browser can be asked to record "state" information for later return to a web server. The state information is known as a "cookie". Cookies may be persistent, and written to a local file system, or transient (also known as a session cookie) and not maintained beyond termination of the browser session.
Use of cookies, given their lack of content standards, cross-domain limitations and well-publicised security concerns, has been severely restricted by the New Zealand Government Web Guidelines v2.1. Section 7.5.1 of the New Zealand Government Web Guidelines v2 states that "[c]ookies must not be used to track personal use of a website nor must functions of the site rely on the use of cookies. Where it is necessary to maintain "state", server-side session management should be used in preference to cookies."
In the context of security assertion messaging, and in particular the development of NZ SAMS, the Secure Messaging working group has interpreted the guidance to mean that cookies do not contain session state, but merely contain a reference to session state that is stored and maintained on the agency server. The working group's rationale is that cookies can be used to temporarily store a reference to session state, but not the state information itself, which must stay on the agency site. This is the approach used by J2EE. Given this rationale, a cookie that contains authentication credentials is also permitted, since the session "state" information is kept, if at all, on a web server.
Persistent cookies have well-publicised security concerns relating to the potential for sensitive or personal information to be recovered inappropriately or without the knowledge of the service user. Beyond those concerns, persistent cookies are not necessary for this Standard and, consequently, they should not be used.
All cookies have well-publicised concerns regarding the sharing of information between different websites/domains. The exchange and sharing of information between different websites using cookies is inappropriate for at least the following reasons:
- there is little, if any, standardisation of information stored in cookies, so their use for data exchange between sites is likely to impede interoperability
- the sharing of information between sites is a threat to the privacy of the service user
- interactions between a browser and different sites may be subject to different levels of encryption - including no encryption - and the cookies may pass sensitive information in the clear.
For these reasons, the use of cookies in security assertion messaging should be limited to carrying a simple opaque identifier of "state" information stored on a web server. The state identifier should be scoped to only the web servers that share a single security context, in order to provide a stable environment for tightly integrated applications, load balancing and session failover. The most useful "state" information to maintain is session state, so the cookie should identify a service user's current web browser session, from which longer-term state (e.g. account balances, name, etc.) can be derived. Since cookies should only be used to identify current session state, it is reasonable to expect the termination of a browser to also terminate the current session.
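The pattern described above, as an added illustration that is not part of the Standard or of any agency implementation: the cookie carries only an unguessable identifier, all state lives in a server-side store, the Set-Cookie line has no Expires or Max-Age so the browser discards it on termination, and a checker flags cookies that depart from this. The cookie name, the domain and the in-memory store are constructed for the example; the Secure and HttpOnly attributes are standard cookie attributes added as extra hardening and are not named in the Standard.

```python
import secrets

COOKIE_NAME = "NZSAMS_SESSION"          # constructed name for the example
PERSISTENCE_ATTRS = {"expires", "max-age"}

# Constructed in-memory stand-in for session state held on the agency server.
SESSION_STORE = {}

def create_session(state):
    """Keep the state server-side; hand back only an opaque, unguessable identifier."""
    session_id = secrets.token_urlsafe(32)
    SESSION_STORE[session_id] = dict(state)
    return session_id

def session_cookie_header(session_id, domain, path="/"):
    """Build the Set-Cookie line. No Expires/Max-Age: the browser drops the cookie when
    it terminates, so the session ends with the browser. Domain/Path restrict it to the
    servers sharing one security context; Secure/HttpOnly are extra hardening."""
    return (f"Set-Cookie: {COOKIE_NAME}={session_id}; Domain={domain}; Path={path}; "
            "Secure; HttpOnly")

def lookup_session(cookie_header):
    """Resolve the identifier in a request's Cookie header back to server-side state."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return SESSION_STORE.get(value)
    return None

def end_session(session_id):
    """Terminating the session on the server makes any copy of the identifier useless."""
    SESSION_STORE.pop(session_id, None)

def check_set_cookie(header_line):
    """List how a Set-Cookie line departs from the guidance: persistence attributes,
    or a value that is not a server-issued identifier (i.e. it carries state itself)."""
    problems = []
    body = header_line.partition(":")[2]
    parts = [p.strip() for p in body.split(";")]
    value = parts[0].partition("=")[2]
    attrs = {p.partition("=")[0].lower() for p in parts[1:]}
    if attrs & PERSISTENCE_ATTRS:
        problems.append("persistent cookie (Expires/Max-Age set)")
    if value not in SESSION_STORE:
        problems.append("value is not a server-issued session identifier")
    return problems

if __name__ == "__main__":
    sid = create_session({"account_id": "A-1"})  # constructed sample state
    print(session_cookie_header(sid, "agency.example"))
    print(check_set_cookie('Set-Cookie: profile={"name":"x"}; Max-Age=86400'))
```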
For jurisdictional guidance on the use of cookies see:
- www.e.govt.nz/standards/web-guidelines/web-guidelines-v-2-1/ (under revision)
- http://www.whitehouse.gov/omb/memoranda/m03-22.html (memo entitled "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002"; within the page, see Attachment A, III. Privacy Policies on Agency Websites, D. Content of Privacy Policies, paragraph 2.a.v.)

