Cookie remodeling

  • Remove unused analytics cookie
  • Move session ID from localstorage to cookie
  • Fix color of dropdown links in navbar

Here’s some more details about the cookie changes…

Shmeppalytics ID

Shmeppy used to create a “shmeppalytics ID” cookie for each user. This is the way I determine whether a request is made from the same computer as another request. Ex: if you visit the home page you will request the index.htm file as well as the screencast.mp4 file, and the only way I can tell that the same computer requested both is via this cookie.

The original purpose of this was to allow my analytics scripts to work so I could tell how many people were using Shmeppy. I don’t use those scripts anymore so the ID’s only use recently has been to help with debugging (if someone reports that they’re seeing errors, I’m able to see all errors that Shmeppy is sending their computer thanks to the ID).

Storing non-essential information in a cookie like this is also questionably legal now, which is why so many sites have cookie banners asking you to accept their cookies. Well I’m going a different approach: I’m just removing the cookie entirely.

Session Cookies

This part gets especially technical… apologies.

Shmeppy’s been storing a token called a “session ID” in local storage since I first created the account system. I’ve regretted this decision for awhile. The main reason I’ve regretted it is that local storage is always accessible by JavaScript (unlike cookies marked HttpOnly) so a quick and easy defense against a common cross-site-scripting attack has always been unavailable to me.

I’ve decided to move the session ID into a cookie finally. This will also allow me to preserve the benefit to debugging the the Shmeppalytics ID gave me for logged in users, without resorting to logging some kind of fingerprint for each connection (like IP address and User Agent).