We’ve known for a long time that cookies are deeply antithetical to the design of HTTP and the Web (#1). We’ve known they are used to track users and violate privacy (#2). However, I was recently shown yet another reason why cookies, specifically user authentication cookies, are bad for you.
Amazon has recently launched a Plog service. Plog stands for “personalized weblog”. Your plog is a combination of blogs from authors you like, shipment tracking, new items they think you might like, changes to your friends’ wishlists, and other personalized information. It’s a cool and useful feature. However to use it, you have to log into Amazon’s web site and read your Plog there.
The login requirement is quite reasonable. After all, the Plog includes a lot of personalized information. You probably don’t want your coworkers to see that you really enjoy the vocal stylings of Ashlee Simpson. However, Amazon does logins with cookies and URL rewriting instead of with HTTP authentication, and that’s where the problem arises.
Cookie-based login works as long as browsing is the metaphor. However, it falls apart as soon as we move to non-browser tools such as feed readers. Standard HTTP authentication does work in most major feed readers. However, cookie-based authentication doesn’t. Even if the feed reader knows how to handle cookies, there’s no way for it to log in to the website in the first place to get the necessary cookie. It can ask the user for the username and password, but it can’t figure out where (i.e. on which other page) to submit them to the server.
The only user authentication that works for feed readers and any other non-browser, automated client is HTTP authentication. HTTP authentication is completely standard. The challenge comes from the page being authenticated, not from some other page somewhere else on the web site. The feed readers know exactly how to recognize and respond to a request for credentials because every site does it exactly the same way. (OK, that’s not quite true. There are actually three or four different ways; but they’re all related, all standardized, and all easily recognized and handled by the HTTP libraries the feed readers use.)
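To make the contrast concrete, here is an added simulation (my own example, not Amazon’s code or any feed reader’s) of the two login styles from a feed reader’s point of view. The server is a plain function standing in for the origin; the `/feed-basic` path, the `/feed-cookie` path, the realm string and the user table are constructed for the example. Only the Basic scheme is implemented on the reader side; Digest and the other standardized variants would be handled the same way, by reading the scheme out of the `WWW-Authenticate` header that arrives with the protected page.

```python
import base64
import hmac

# Constructed sample credentials for the simulated site (not real accounts).
USERS = {"alice": "correct horse battery staple"}
FEED_BODY = "<rss><channel><title>Personalized feed</title></channel></rss>"
REALM = "Personalized feed"


def _basic_auth_user(authorization):
    """Return the username if the Authorization header carries valid Basic credentials."""
    if not authorization:
        return None
    scheme, _, encoded = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password itself may contain ':'
    if not sep:
        return None
    expected = USERS.get(user)
    # Constant-time comparison so response timing does not leak password prefixes.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def serve(path, headers):
    """Simulated origin server: returns (status, response headers, body)."""
    if path == "/feed-basic":
        user = _basic_auth_user(headers.get("Authorization"))
        if user is None:
            # The challenge travels with the protected resource itself.
            return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}, ""
        return 200, {"Content-Type": "application/rss+xml"}, FEED_BODY
    if path == "/feed-cookie":
        if headers.get("Cookie") == "session=constructed-session-token":
            return 200, {"Content-Type": "application/rss+xml"}, FEED_BODY
        # Cookie-based sites bounce unauthenticated clients to an HTML login form;
        # nothing in this response tells a program where or how to submit credentials.
        return 302, {"Location": "/login?next=/feed-cookie"}, ""
    return 404, {}, ""


def fetch_feed(path, username, password):
    """A feed reader that only understands standard HTTP authentication."""
    status, resp_headers, body = serve(path, {})
    if status == 200:
        return body
    if status == 401:
        challenge = resp_headers.get("WWW-Authenticate", "")
        scheme = challenge.split(" ", 1)[0].lower()
        if scheme == "basic":
            token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
            status, _, body = serve(path, {"Authorization": f"Basic {token}"})
            return body if status == 200 else None
        return None  # other standard schemes (e.g. Digest) are not implemented in this toy reader
    # A redirect to an HTML form carries no machine-readable challenge: the reader gives up.
    return None


if __name__ == "__main__":
    print(fetch_feed("/feed-basic", "alice", "correct horse battery staple") is not None)  # True
    print(fetch_feed("/feed-cookie", "alice", "correct horse battery staple") is not None)  # False
```

The reader succeeds on `/feed-basic` because the 401 response names the scheme and realm, so any HTTP library can answer it without knowing anything about the site. On `/feed-cookie` it receives only a redirect to a login page, which is exactly the dead end the paragraph above describes. Note that Basic sends the password in a reversible encoding, so a real deployment serves such feeds over TLS.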
Right now feed readers are a distinct minority of the audience, but that’s shifting. I only noticed this because I’m already receiving requests for feeds from my Amazon blog within a few days of launching it. As feed readers grow in popularity and new uses continue to be found for them, more and more sites are going to need to provide not just feeds but password-protected feeds; and the only way to do this reliably is by using HTTP authentication as it was designed: sessionless and without cookies.