Theoretically, could a website remove all cookies it uses?
Usually when a website does not work the website developer says to delete all cookies for all websites. I think they should know what cookies they use and tell us the specific cookies to remove. And along that line, they could provide a way for their website to remove just the cookies that they use, right?
For me, I go to the Application tab of the Developer Tools of the browser and remove the storage, including cookies, there. I think that has never helped and I do not know if it would be the functional equivalent of removing all relevant (the ones that are causing the problem) cookies for the site.
If I knew that removing all cookies would solve a problem then I am willing to do it but usually website people suggest it just because it is easy for them to suggest.
In the current situation, I get signon issues with the PG & E website. I called the customer support and the developer responded by saying to either remove all cookies or use a different browser. Using a different browser works but I do not want to use a different browser as a workaround for their bug and I do not want to remove all cookies unless there is a good reason to remove all of them, including all of them for irrelevant sites. There are very many other websites over many years that are like that.
The old Microsoft MSDN forums were like that; the Microsoft developers often said to remove all cookies and back then I was able to solve the problem by removing specific cookies. Microsoft was just too lazy to be specific about what cookies to remove.
Theoretically, a website could expunge cookies they created from your browser when you visit their site.
They could not, however, expunge third-party cookies that were created by things that were loaded when you visited their site, like Google cookies, etc.
It’s beyond the security veil for them to do so, unless said third-party also provides a mechanism for expunging.
Are you going to put a feature into your cookie-powered plugin that lets a third party (the website) tell you to expunge your cookies on behalf of the first-party contact between you and the user?
And how have you asserted that the third party has the user’s blessing to tell you that? (this is the problem - you need a three-way communication on a two-way channel)
Second party: the website we are visiting; the URL should be in the browser’s address bar
Third party: anyplace in the internet the second party uses
There would be or could be some trust between the second party and any third parties it uses. The second party could make the request when there is a problem and only then; it could be limited to specific situations where there is an error. I do not see a problem with that.
That is the type of inconvenience I am suggesting is unnecessary. Ideally the fix could be done by the website (the second party) automatically and in an appropriate manner. I agree it might be a mistake for the user (the first party) to initiate it.
Definitely. They should know that. They are using the third parties, they know who they are.
The absence of the feature would break nothing except for adding the specified convenience. If they do implement the feature then sure they can also remove it but that can be true of most everything. If that is the best argument against implementing the feature then the answer to my question is that it is definitely possible.
There is one-directional trust; Google doesn't trust your site when you put an analytics tracker on it; you don't ask Google to enter an agreement with you.
You’re making a LOT of “good faith” assumptions here that simply cannot be assumed to be true. You are putting into the second party’s hands control of determining the cookie exchange between the first and third party, with no form of check or balance in the hands of the first party.
I assume the answer to the question of could it be done is yes.
I assume the answer to the question of whether it should be done depends on whether other people think it should be.
The answer to the question of would it be done depends on whether people think it should be. Saying it would not be done by assuming people do not want it is a big assumption. My assumption is that it would be done if enough people ask for it but most people do not realize they can ask for it.
Fair enough, but you’re a step ahead of me, 'cause my answer to “Should” is no, there are too many security concerns involved in letting an external party (the website) determine that the relationship between two parties (the user and the source of the cookie) should change or terminate.
So you would say that browsers should let JavaScript access your clipboard, because “that must be determined by them”. Or that you should be able to cross origin scripts to load other sites’ content.
At some point, there is a security threshold that can't be crossed, because bad actors WILL cross it if given the opportunity.
You can't write the internet on the premise that everyone is going to make choices for the benefit of the end user above themselves.
If that is done when the third-party cookies are created and modified then yes it seems very reasonable to do that to remove them. If not then the issue is not relevant.
Fortunately not all developers believe that. Many developers work hard to make the end-user experience convenient for the end-user.
I concur and agree. But when it comes to developing with security in mind, you code for the lowest common denominator to prevent problems from the bad apples, even if the good ones would never trigger them.
Why do we have parameterized queries and never trust user input in PHP? Because SQL injection is a thing. Do hard working people with good intentions inject SQL that will expose your database? No. But do you code to their standard, or the one that protects you from those that do?
Good luck finding a website of any decent size and use that doesn't have an advertiser (hey look, third party data) or use tools to track analytics about their visitors (hi Google).
Yes. And that is fundamental to my point. Website support people often say to remove all cookies for all sites. I am suggesting that they be specific about what cookies to delete and it would be better if the website were to remove the specific cookies it uses, including requesting removal by third parties.
Sure. I am just saying it would be better to leave all the many other cookies for other sites alone.
After creating this thread I installed Chrome, Firefox and Opera. The PG & E website worked in them. Then I tried Edge again and it worked. I think that proves that the request from PG & E to remove all cookies would not have solved the problem. I think that websites are quick to suggest that we remove all cookies because it is easy for them to make the request but they are only guessing.
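An added example (not written by any poster in this thread and not code from any site mentioned in it): how a site could expire only the cookies it set itself, which is the first-party case the reply above calls possible, and why the same mechanism cannot reach third-party cookies. The cookie names, paths and the `example.test` domain are constructed, and the sketch assumes the site is served over HTTPS.

```javascript
// Added example. Cookie names, paths and the example.test domain are constructed.
// Inventory of cookies this hypothetical site sets itself. Deleting a cookie only
// works if Path and Domain match what was used when the cookie was created.
const SITE_COOKIES = [
  { name: "session", path: "/", domain: null },
  { name: "sso_state", path: "/login", domain: "example.test" },
  { name: "prefs", path: "/", domain: "example.test" },
];

// Extract cookie names from a request Cookie header (values are not needed).
function cookieNamesFromHeader(header) {
  if (!header) return [];
  return header
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// Build a Set-Cookie value that makes the browser drop one cookie.
function expireCookie(def) {
  const parts = [`${def.name}=`, `Path=${def.path}`];
  if (def.domain) parts.push(`Domain=${def.domain}`);
  // Max-Age=0 is the modern form; Expires in the past covers older clients.
  parts.push("Max-Age=0", "Expires=Thu, 01 Jan 1970 00:00:00 GMT", "Secure");
  return parts.join("; ");
}

// Response headers for a "reset my sign-on state" endpoint on the site.
function buildResetHeaders(cookieHeader, { clearAll = false } = {}) {
  // Expire every inventoried cookie; expiring an absent cookie is harmless,
  // and path-scoped ones (e.g. /login) may not appear in this request at all.
  const headers = SITE_COOKIES.map((def) => ["Set-Cookie", expireCookie(def)]);
  // Broader option: ask the browser to drop all cookies for this site only.
  if (clearAll) headers.push(["Clear-Site-Data", '"cookies"']);
  // Names the browser sent that the inventory does not list: these are what
  // support staff would need to name instead of "delete all cookies".
  const known = new Set(SITE_COOKIES.map((def) => def.name));
  const unknown = cookieNamesFromHeader(cookieHeader).filter((n) => !known.has(n));
  return { headers, unknown };
}
// Cookies stored for another site's domain never reach this server, and a
// Set-Cookie naming a Domain that does not match the responding host is
// rejected by the browser, so none of this can touch third-party cookies.
```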