Was youtube-nocookie.com always serving cookies or did it start recently? Is it a scam?

I’ve been using Youtube embeds in enhanced privacy mode by

chang[ing] the domain for the embed URL in your HTML from https://www.youtube.com to https://www.youtube-nocookie.com

I remember checking via DevTools (Application/Storage tab) that no cookie was actually set.

A customer just notified me that they did find cookies set by the domain .youtube-nocookie.com — weirdly, something about "consent pending", which does not change when I click play, as other sources state.
They have also alerted me to some shenanigans in Local Storage, namely an item with the key yt-remote-device-id, which has a UUID and an expiration date 10 years in the future.

I have always suspected that Enhanced Privacy Mode is somewhat of a exaggeration, but this seems to defeat the purpose almost entirely. And it makes youtube-nocookie practically useless w.r.t. a less painful GDPR-compliant user experience.

Is this a recent change? Is there any documentation or changelog on that?

Store cookies for multiple sites on remote server and connect from multiple clients

Would it be secure to:

  1. Store all my website cookies (stack sites, webhost, github, web-based email, etc) on a remote server (using an customized open-source VPN or something)
  2. Login to the server with password + 2fa (and maybe have a trusted devices list?)
  3. Keep the cookies only on the server… never actually download them to any of my devices
  4. When visiting stackexchange.com, for example, my server would send the cookies to stack exchange, get the response, and send it back to me, but REMOVE any cookies & store them only on my server

Benefits (I think):

  1. I could keep diverse and very strong passwords for every website, but don’t store the passwords anywhere digitally (keep them on paper in a safe at home or something)
  2. logging in to all the sites I use on a new device only requires one sign in (to my custom VPN server)
  3. Only cookies would be stored digitally, so if anything went wrong server-side, my passwords would be safe & I could disable all the logins through each site’s web-interface

Problems (I think):

  1. If the authentication to my custom VPN is cracked, then every website I’ve logged into would be accessible
  2. The time & energy & learning required to set something like this up.

Improvement idea:

  1. When I sign in to the server the first time, the server creates an encryption key, encrypts all the cookies with it, and sends the encryption key to me as a cookie. Then on every request, my browser uploads the key, the website’s cookie is decrypted, then the request is made to whatever website I’m visiting. Then only one client could be logged in at a time (unless the encryption cookie were stolen)
  2. Encrypt each cookie with a simple password, short password or pin number
  3. An encryption key that updates daily (somehow)
  4. Keep a remote list of trusted devices, identified by IP address? Or maybe by cookie?

Why not just sign into the browser and sync cookies across devices?

  • Signing into Firefox mobile & Firefox on my computer doesn’t give the cookies to Twitter’s or Facebook’s web-browsers (that frustratingly always open first instead of taking me to my actual browser!)
  • It’s not as cool?
  • That would require me to trust a third-party (of course, I’ll ultimately have to trust my web-host to some extent)

Is it poor practice to host multiple web applications on the same domain, in terms of cookies?

In my web application, I have a single API backend and two frontends written as single page applications. To simplify deployment, I’d like to serve the API on /api, the admin dashboard on /admin, and the end user frontend on /user (or something similar), all on the same domain.

I want to use cookies for handling sessions, for both the end-user and admin apps. Is this a good idea? As I understand it, cookie usage is restricted by their domain. Would it make it simpler for an attacker to steal admin-session cookies from someone logged into both frontends? Or, should I use different domains for the admin and user frontends (admin.mydomain.com and user.mydomain.com)?

Simplest secure way to create session cookies

Background: I’ve been using a simple session cookie design for my web app. I have a users table, and a sessions table that basically looks like this:

 id  | user_id | visited_at -----+---------+-----------  int | int     | timestamp 

And a session cookie contains just a session ID, signed with a secret key. I give the cookie an expiration date (but the source of truth is still the timestamp in the DB), and make sure it’s secure and HTTP-only.

Then I came across these threads:

  • https://news.ycombinator.com/item?id=16157002#16159301
  • https://news.ycombinator.com/item?id=16006394

I think tptacek is basically saying that, instead of storing the signed session ID in the cookie, I can make the sessions table like this:

 id      | user_id | visited_at ---------+---------+-----------  varchar | int     | timestamp 

…where id is a randomly generated 16+ byte key encoded as a string, and simply store this string in the session cookie w/o any encryption/signing.

Is this approach secure? Does it have any downsides due to the lack of a signing phase? (I was thinking w/o signing we can’t invalidate all sessions by changing the server secret, but then I think we can just delete all the session from the DB since we are not doing stateless authentication anyway.)

UPDATE: I think maybe one benefit of the signing approach is that I can save some space in my DB by using an integer primary key. But I’m more interested in the security aspect.

How can I recognise which cookies are genuine?

I have installed two browser extensions: Privacy Badger and ScriptSave in order to block unwanted cookies. I knew websites would load cookies but I was still surprised by the number. Unfortunately, the web content is usually not displayed and I am eventually forced to allow all cookies to be loaded at least for a session. I can see there are different groups of them: analytics, cdn, tag managers, but some of them have randonly generated names.

I would guess following cookies are not dangerous:

cdn.cookielow.org cdn.sstatic.net cdnjs.cloudflare.com googletagservices.com google-analytics.com adjax.googleapis.com assets.hearstapps.com (?) 

But sometimes cookies with random names are loaded:

dstik9906m659.cloudfront.net d176jfkp3gfyt8.cloudfront.net d1bg94bbsh66ji.cloudfront.net 

I read anything with cloudfront.net is from amazon. I couldn’t find anything on the cookies above but I still don’t understand the reason for random characters in names?

I am looking for advice on how to be able to recognise genuine cookies and filter out those potentially dangerous. Is it easily possible? Thanks.

Same session cookies for a user logging from different browser/machine

So i new to web application security and have a doubt regarding session cookies. Which is more vulnerable:

  1. Having same session cookies for a user logging in from different machine/browser


  1. Having different session cookies for a use logging in from different machine/browser

if possible can you provide a quick scenario how each can be exploited

Thank you