
> Couldn't a smart person have figured out exactly how that cookie model could be abused like, within days of it existing?

They almost certainly did, and considered it acceptable at the time.



The first cookie RFC, rfc2109 (1997), was even more conservative:

> An origin server could create a Set-Cookie header to track the path of a user through the server. Users may object to this behavior as an intrusive accumulation of information, even if their identity is not evident. (Identity might become evident if a user subsequently fills out a form that contains identifying information.) This state management specification therefore requires that a user agent give the user control over such a possible intrusion...
>
> -- https://datatracker.ietf.org/doc/html/rfc2109#section-7.1


Early versions of Internet Explorer used to follow this and prompt about cookie storage all the time, to everybody’s great annoyance. Eventually it defaulted to always allow.

Now with GDPR prompts we’ve come full circle, but now get the UI of the web site instead of the user agent, allowing all kinds of dark patterns to be exploited and requiring re-prompts all the time for those of us who don’t allow the page to keep cookies in the agent.
