CookiePusher

Overview of CookiePusher

In order to allow delivery of context-sensitive services via an SFX framework, information providers must provide the following:
  • The implementation of a technique to make the resource differentiate between a user with access to a service component that can deliver context-sensitive services and a user without access to a service component that can deliver context-sensitive services.
  • An OpenURL for each metadata-object for users with access to a service component. For information on the OpenURL syntax, see Transporting Metadata: OpenURL Syntax Description.

Recognizing a User Who Wants SFX Services

In this section, the CookiePusher is described as one of many mechanisms through which a problem can be addressed. Inclusion of the SFX server location in a registered user profile can, for instance, be another way to deal with the problem. Yet another mechanism is to keep a table that links IP addresses to URLs of service components. Information providers who want to allow for context-sensitive services for their information resources can decide which mechanism best addresses a problem in their environment.

Introducing the CookiePusher

The CookiePusher offers a pragmatic solution whereby an information resource can be dynamically notified about the existence and the location of an SFX server. From the information contained in the OpenURL, SFX can deliver context-sensitive services to the end user. Input relating to the existence and location of the user’s SFX server is essential for the information resource. It enables the resource:
  • to include the OpenURL if the user has access to an SFX server, and to point the OpenURL to the appropriate URL-the BASE-URL- of the SFX server
  • to not include an OpenURL if the user does not have access to an SFX server or another OpenURL-compliant service component
The idea behind the solution is that a user does not directly connect to an information resource. Rather, a detour is taken via a script that is installed in the same domain as the information resource. This script, the CookiePusher, takes as input certain parameters, two of which are essential for the functioning of the solution:
For example:
http://www.iop.org/EJ/sfx_cookie?BASE-URL=http://sfxserver.university.edu/sfx_local&Redirect=http://www.iop.org/EJ/
To use the CookiePusher mechanism, a simple adaptation at the side of the information resource is required, as well as at the side of the institution that runs the SFX server accessing the information resource.

SFX Sources Using the CookiePusher Script

The CookiePusher script is installed in the domain of the information provider. When a user of the information resource targets the CookiePusher, the information resource can determine the following:
  • The location of the user's SFX server, read from the BASE-URL parameter of the URL by which the user connects
  • The URL within the information system to which the user wants to connect, read from the Redirect parameter of the URL by which the user connects
Based on the first of the above, the information resource can register this specific user preference appropriately. For instance, it can set a long-lasting cookie in the user's browser, containing the BASE-URL of the user's SFX server. This enables the information resource to detect the user's preference from the browser during all future visits. This is the approach shown in the following sample CookiePusher script:

#!/sfx/app/perl/bin/perl

#

# Version: $Id: pushcookie.cgi,v 1.1 2000/04/05 12:03:51 sfx Exp $

#

# Authors: Patrick Hochstenbach, <Patrick.Hochstenbach@rug.ac.be>

#

#

use CGI;

my $cookie_path = '/cgi-bin';

my $cookie_expires = '+6m'; # Expires in 6 months

my $query = new CGI;

{

my $BASE_URL = $query->param('BASE-URL');

my $Redirect = $query->param('Redirect');

my $cookie = $query->cookie(

-name => 'user-OpenURL',

-value => $BASE_URL,

-path => $cookie_path,

-expires => $cookie_expires,

);

print $query->redirect(

-uri => $Redirect,

-cookie => $cookie

);

}

The information system does not necessarily have to transform the knowledge of the BASE-URL of a user's SFX server into a cookie. For example, it can add the information to other session-related information or store it in the user's profile.
Parameters expressing preferences of the institution, other than BASE-URL and Redirect, can potentially be provided via the CookiePusher mechanism. However, during the initial deployment of the SFX solution, it is recommended that these preferences be hard-coded. The information provider is encouraged to support the following preferences:
  • Insertion of an SFX button in the output of the information resource. For each SFX server, the clickable image to be hyperlinked with an OpenURL is always located at BASE-URL/sfx.gif .
  • Opening of the SFX menu screen - Clicking the SFX button (the OpenURL) opens a browser window with the following properties:
    • window name = SFXmenu
    • location = no
    • status = yes
    • menubar = no
    • scrollbar = yes
    • resizable = yes
    • width = 460
    • height = 420

Institutions Using an SFX Server with CookiePusher

If an information provider installs a CookiePusher script as a means to detect the institution's preferences regarding an SFX server, the institution must make sure it connects its users to this resource via its CookiePusher. This has to be done for all SFX sources that have implemented the CookiePusher script. There are two ways in which an institution can do this:
  • Enhancement of the Institutional Menu System
  • Creation of a Special HTML Page

Enhancement of the Institutional Menu System

An institution can enhance the institutional menu system so that it points to the information resource's CookiePusher script rather than to its start-up URL. The following example shows how an institution can use this technique and insert a URL in its menu system that targets an information system via its CookiePusher.

If an institution's OpenURL-aware service component is located at:

http://sfxserver.university.edu/sfx_local

If the URL used in the institution's menu-system to connect to an information resource is:

http://www.info.com/cgi-bin/start.cgi

If this information resource's CookiePusher is at:

http://www.info.com/cgi-bin/pushcookie.cgi

Then registration of the location of the institution's SFX server within the information resource is achieved by editing the institution's menu-system, changing the URL to:

http://www.info.com/cgi-bin/pushcookie.cgi?BASE-URL=http://sfxserver.university.edu/sfx_local&Redirect=http://www.info.com/cgi-bin/start.cgi

In reality, this URL must be UTF-8 encoded:

http://www.info.com/cgi-bin/pushcookie.cgi?BASE-URL=http%3A%2F%2F sfxserver.university.edu%2Fsfx_local&Redirect=http%3A%2F%2Fwww.info.com%2Fcgi-bin%2Fstart.cgi

Creation of a Special HTML Page

An institution can set up a special HTML page to which the users who want to take advantage of the SFX server are asked to connect. Connecting to this page automatically registers the location of the user's SFX server in all the information resources that use the CookiePusher.
For each information resource, this HTML page should contain a link to an image that is stored on the information resource's server. Instead of a direct link to the image, a detour is taken via the resource's CookiePusher script.
When the HTML page loads and the image is requested from the information provider's server, the cookie is set in the user's browser. The following example shows how an institution can use this technique to create an HTML page that connects to the CookiePushers for all their OpenURL-enabled resources.

If an institution's SFX server is located at:

http://sfxserver.university.edu/sfx_local

If the institution has access to two information resources that have installed a CookiePusher:

CookiePusher for resource 1 is at http://www.info.com/cgi-bin/pushcookie.cgi

CookiePusher for resource 2 is at http://www.moreinfo.com/cgi-bin/cookieset.cgi

Then the installation should locate a readily accessible image in each of those information resources, for instance:

For resource 1 at http://www.info.com/images/info.gif

For resource 2 at http://www.moreinfo.com/gifs/welcome.gif

Registration of the location of the institution's SFX server within both information resources can be achieved by creating a HTML page that contains the following lines:

<img src="http://www.info.com/cgi-bin/pushcookie.cgi?Redirect=http://www.info.com/images/info.gif&BASE-URL=http://sfxserver.university.edu/sfx_local">

<img src="http://www.moreinfo.com/gifs/welcome.gif?Redirect=http://www.moreinfo.com/gifs/welcome.gif&BASE-URL=http://sfxserver.university.edu/sfx_local">

Again, these URLs must be UTF-encoded.

When using the CookiePusher mechanism, the privacy settings of the user's browser are important, since the browser needs to allow the setting of third-party cookies. By default, the privacy settings do not allow the setting of third-party cookies. Ensure that you override the default settings and configure the browser to accept all cookies.

CookiePusher Compatibility

The default privacy preferences in Internet Explorer 6 and later prevent setting the BASE-URL cookie in a third-party context. Users setting cookies from DOI, arXiv, and IOP have reported this problem.

Description of Problem: Symptoms and Scenarios

  • Setting the BASE-URL cookie by embedding the cookiepusher.cgi request in an image does not work in IE 6 and later. The browser shows the icon of an eye in the status bar. The HTML code that represents this scenario is:

<img src="http://www.doi.org/cgi-bin/pushcookie.cgi?BASE-URL=http://demo.exlibris group.com:9003/demo&Redirect=http://www.doi.org/images/banner_foundation.gif">

  • Setting the BASE-URL cookie by redirecting the user to cookiephusher.cgi within a Web page with frames does not work in IE 6 and later. The browser shows the icon of an eye in the status bar. The HTML code that represents this scenario is:

<!-- JavaScript begins ...

function jump (page) {

window.location = page;

}

// JavaScript ends -->

<form name="jumpform" >

<select name="pages" onChange="window.status=this.options[this.selectedIndex].text" >

<option SELECTED value="http://sfx2.exlibrisgroup.com:9003/cgibin/pushcookie.cgi?BASE-URL=http%3A//sfx2.exlibrisgroup.com%3A9003/sfx_local&Redirect=http%3A//www.sfxit.com/no_p3p_compliant.html">

Ex Libris SFX Server

</select>

</span>

<INPUT VALUE="Go" TYPE=BUTTON onClick="jump(document.jumpform.pages.options[pages.selectedIndex].value)">

<br>

</FORM>

Technical Explanation of the Problem

According to the default IE 6 (and later) settings, which most users never change, third-party cookies are blocked when they do not have compact policies or when they have unsatisfactory compact policies. The BASE-URL cookie is blocked in the scenarios described above because they are being pushed in a third-party context and do not have P3P compact policies.

Third-Party Cookies

Cookies are associated with a Web page or with an image or other object embedded in a Web page. When a page or object is served, the server adds a special header that "sets" the cookie on the user's machine. Sometimes, Web pages include images, frames, or other content that is located on a site with a different domain name than the page in which it is embedded. For example, it is quite common for Web sites to embed banner advertisements that are served by an ad company. If any of these "third-party" images or objects set cookies, they are referred to as third-party cookies. Since the SFX CookiePusher resides in a domain such as doi.org and tries to push a cookie in a Web site such as library.edu, IE 6 (and later) considers it a third-party cookie.

Preventing IE 6 (and Later) from Blocking My Cookies

To prevent IE 6 (and later) from blocking cookies, you must make sure that all of the cookies, especially in a third-party context, have P3P compact policies associated with them, and that those compact policies are considered satisfactory by IE 6 (and later).

P3P

The full name for P3P is the Platform for Privacy Preferences Project. P3P 1.0 is an official "recommendation" of the World Wide Web Consortium (W3C) that was approved in April 2002. P3P provides a standard way for Web sites to encode their privacy policies in a computer-readable XML format. This allows P3P-enabled Web browsers and other P3P user agents to fetch P3P privacy policies automatically, parse them, and compare them with a user's privacy preferences. P3P user agents can use the information in a P3P policy to provide a summarized version of Web site privacy policies to users. For example, IE 6 (and later) offers a Privacy Report option from the View menu.
The P3P 1.0 Specification also defines an abbreviated version of a P3P policy -called a compact policy-that can be transmitted in HTTP headers when cookies are set. Some P3P-enabled browsers, such as IE 6 (and later), use the information in P3P compact policies to make cookie-blocking decisions.

Solution

A new version of the CookiePusher CGI, called p3p_pushcookie.cgi, has been created. This new version pushes not only the standard BASE-URL cookie, but sends P3P Compact Policies as part of the HTTP header. The new CGI is fully compliant with the IE 6 (and later) default privacy values. The two third-party scenarios described above are no longer a problem.
The compact policy implemented by the new CookiePusher CGI is:
CP="NOI DSP CURa ADMa DEVa TAIa OUR IND COM NAV OTC"
The following table explains the meaning of each field in the compact policy.

FieldMeaning

CP=This is the compact policy header; it indicates that what follows is a P3P compact policy.

NOINo identifiable information is collected, so no access is possible.

DSPThe policy contains at least one dispute-resolution mechanism.

CURaThe data is used for completion of the current activity.

ADMaThe data is used for site administration.

DEVaThe data is used for research and development.

TAIaThe data is used for tailoring the site.

OURThe data is given to ourselves and our agents.

INDThe data will be kept indefinitely.

COMComputer information is collected.

NAVNavigation and clickstream data is collected.

OTCOther types of information are collected.

The P3P Compact Policy included in the p3p_pushcookie.cgi is enough to solve the problem with IE 6 (and later) and third-party cookies. Nevertheless, the standard P3P recommends that an XML and an HTML representation of the policy should be posted on the Web site where CGI resides. If someone wants an XML and HTML representation of the compact policy hard-coded in p3p_pushcookie.cgi, the following files have been created:

/exlibris/sfx_ver/sfx4_1/<instance> /templates/p3p_samples/p3p.xml

/exlibris/sfx_ver/sfx4_1/<instance> /templates/p3p_samples/sfx_p3p_cookiepusher.html

/exlibris/sfx_ver/sfx4_1/<instance> /templates/p3p_samples/sfx_p3p_cookiepusher.xml

The P3P standard specifies that these files should be accessible via http://host.edu:9003/w3c/.

References

  • W3C Platform for Privacy Preferences 1.0 Specification:

http://www.w3.org/TR/P3P/

  • O'Reilly Network: Help! IE 6 Is Blocking My Cookies:

http://www.oreillynet.com/pub/a/javascript/2002/10/04/p3p.html