Is it possible using ASP.NET to globally block all cookies (including 3rdparty ones) that are dropped when someone is on my site?

Question

The context of this is around the much hyped EU Privacy law which makes it illegal for a site to drop any "non-essential" cookies unless the user has "opted in" to this.

My specific challenge is due to the complexity of the site and the variety of different ways cookies are being dropped - particularly where governed by a CMS that has allowed marketeers to run riot and embed all sorts of content in different places - mostly around 3rd party cookies where there is embedded javascript, img pixels, Iframes e.t.c. (I'm speculating these all allow the dropping of 3rd party cookies having briefly browsed key areas of the site using a FF plugin - I haven't checked the mechanisms of each yet).

So, I've been trying to think whether in ASP.NET there would be a way to globally intercept and block all cookies that get dropped by my site should I need to, and also extend this to check whether they are essential or not, and if not, whether the user has already agreed to having cookies dropped (which would probably consist of a master YES cookie).

There are several things I am unclear about. First - would it be possible to use Response.Filter or Response.Cookies as a pipeline step to strip out any cookies that have already been dropped? Secondly - would it be possible for this to intercept any kind of cookie whatsoever or is it going to be impossible to catch some of the 3rdparty ones if they are executing browser requests from the client to the 3rdparty server directly?

The closest thing I could find that resembles my question is this but that looks like a sitewide solution - not user specific.

Answer 1

A reverse proxy with URL rewriting could probably do this for you. If you spend the time tracking down the resources and implement the heavy hammer of allow/disallow cookies and rewrite 3rd party URLs to go through your reverse proxy. The you can hijack and modify their set-cookie responses. In addition if they set cookies on the client through JavaScript they would be through your server/domain so you would have control over if they are forwarded or not.

This is not a simple solution but it should be possible and could be implemented without changing the application or the user experience.