Can we do without cookies?

March 16, 2023

Yet another stupid idea: the server generates a link to the gateway page with an unique identifier in its URL. On the client side this identifier is saved in window.sessionState and used in subsequent API calls.

I name this page gateway because it should redirect to a regular page to avoid leaking the identifier via Referer header when accessing third-party resources.

The user has to bookmark the gateway page or save its URL by any other means. That's the explicit consent in terms of cookie law.

The approach is less secure than cookies, because the identifier can be read from Javascript. Therefore, it's better not to use third-party scripts on the site.

Another drawback is re-generation of the identifier. The user has to manage their bookmarks manually.

As for other aspects, this approach is no less secure than cookie-based one. If the user's machine left unlocked, anyone can steal both bookmarks and cookies. Along with saved passwords.

Unlike cookies, it's possible to have multiple sessions within the same browser. But you can't open links in new tab. They won't belong to the same session.

This approach is prototyped on the feedback page.