
... or technology stack for compliant web applications.

GDPR, among other things, covers cookie usage, defining four cookie types: strictly necessary cookies, preferences cookies, statistics cookies, marketing cookies.

I am researching a solution to develop a stateful web application without using cookies, to avoid falling under the GDPR. The application has to be deployable on clusters of web servers to accommodate heavy loads, without using session cookies or sticky session cookies. So far the simplest solution is a web application using JSON Web Tokens (JWT) sent via the Authorization Bearer HTTP header and an in-memory data grid (Infinispan, Hazelcast, Redis, Memcached or alike) storing JWT and user session pairs, so the user session is accessible from any node of the cluster running the web application.

While sending the JWT from the server to the browser is straightforward, I'm not yet able to figure out a technical solution to send the received JWT to the server for any browser request (form submits, anchors, XHR). While I know the HTML meta tag is a way to simulate HTTP response headers, I wonder whether it could be used to send HTTP request headers, whether there is any other HTML tag that, when included in an HTML page source, would result in sending an HTTP header with the browser's request to the server, or whether there are any other options.

  • If you want a cookie that isn't a "cookie", it won't get around GDPR. If the data isn't stored, then you can just send it via JavaScript.
    – Ewan
    Commented Jul 10, 2023 at 13:27
  • I'm interested in a technology stack for web applications that could track the user through consequent requests without using cookies and without storing information about the user other than the information requested while registering to the application. Sending information via JavaScript is one way to make requests to the server; there are additional ways (form submits or anchors) that don't involve JavaScript.
    – user432211
    Commented Jul 10, 2023 at 14:17
  • @user432211 GDPR protects the user's data, not the cookies. The technology or technique you use to track a user is irrelevant, what matters is simply the fact that you are even tracking them at all, and the reason why you are tracking them.
    Commented Jul 10, 2023 at 16:13
  • GDPR is concerned with tracking users. Tracking the user session with cookies falls under the GDPR for the sole reason of using a technology that stores information on the user's device. With an implementation that tracks the user session by an HTTP header - different from the Cookie header, which stores information on users' devices - web applications without preferences, statistics and marketing would be a "GDPRless" landscape.
    – user432211
    Commented Jul 10, 2023 at 19:30
  • @user432211, storing data server-side has the same legal concerns. It is the storing of data that triggers the GDPR, not where and how you store it.
    Commented Jul 11, 2023 at 6:53

1 Answer


Just use cookies. The reason the distinction is made between the different "types" of cookies is so that the user can opt out of non-essential cookies.

If you are only using "strictly-necessary" cookies, such as authentication or website state, then you don't need consent from the user to be GDPR compliant, you just need to make the user aware of how the cookies are being used.

Some useful info to read up on: here

If you don't want to use cookies, you are still out of luck when it comes to GDPR. As the comments on your original post state, GDPR doesn't care whether you store session information in cookies or in some other technology: if you store any information related to the customer to track them (session, state, marketing, etc.), it all still falls under GDPR.

Trying to avoid the use of cookies does nothing for your GDPR compliance and just causes you to reinvent the wheel where it's not needed.

  • It would be possible to implement web applications that require authentication and track the user session with a JWT passed through the Authorization HTTP header, different for each request, without interfering with the law. All that is needed is a technology stack relying on anything other than storing information on users' devices and storing / processing data other than personal data.
    – user432211
    Commented Jul 11, 2023 at 11:47
  • Regardless of whether you store it in an HTTP header or in a cookie, you are storing information that tracks the user. The JWT could sit anywhere; as long as it points to a specific user it falls under GDPR. You not wanting to store the authentication information in a cookie doesn't magically solve your GDPR woes; you just end up giving yourself more work to do while still not achieving your goal.
    – gsck
    Commented Jul 11, 2023 at 11:52
  • The tokens are different than personal data and they are ephemeral between requests.
    – user432211
    Commented Jul 11, 2023 at 11:54
  • Even though they are ephemeral, it's still a pointer to a specific user. You can cycle the authentication cookie on every request. Most authentication cookies don't store specific information about the user, just a reference to them. The fact that it's a JWT doesn't make a difference: you could store the user's full name, or a random string of characters; as long as it is a reference to a user it falls under GDPR.
    – gsck
    Commented Jul 11, 2023 at 11:56
  • GDPR doesn't specifically mention cookies; it talks about online identifiers. A cookie is just the most common method of storing them, as it's the easiest and purpose-built for exactly what you are trying to do. Article 4 (1) and Recital 30 are the two pieces of text that are most pertinent to what you are trying to achieve.
    – gsck
    Commented Jul 11, 2023 at 12:04