Cookie consent feature

[glennc]

In order to help customers implement cookie compliance policies, like GDPR, we want to introduce a few concepts:

• Cookie Reason when creating a cookie
• Middleware that detects if consent for cookies of non-essentialreasons has been granted
• IFeature to allow code to reason about the consent status
• Modify CookieBuilder so that non-essential cookies can be blocked unless consent has been granted.

[glennc]

Cookie Policy Tracking Consent

• The name "consent" is problematic (Barry doesn't like it)
• We're reusing CookiePolicy to do this.
• CookiePolicy changes:
  • Add ITrackingConsentFeature to request
  • Add WithdrawTrackingConsent method to ITrackingConsentFeature
  • Merge TrackingCookieOptions
  • Use the IsTrackingConsentRequired delegate along with the IsEssential property on the cookie to determine if the cookie should be written out
  • Default behavior is for IsTrackingConsentRequired to always return false
• Add "IsEssential" to CookieBuilder/CookieOptions
• Template would:
  • Add CookiePolicy middleware.
  • Set IsTrackingConsentRequired to always return true.
  • Add UI that uses IOptions<CookiePolicyOptions>, gets the tracking cookie name and generates UI and JavaScript to set the cookie in the browser.
  • Provide UI to withdraw consent as well (by deleting the cookie).
• Maybe IsEssential should be a CookiePurpose enum instead of a boolean.
• Our AppInsights tag helper will need to read the Tracking Cookie feature data to determine if the AppInsights JavaScript is to be rendered.
• Open Questions/Things:
  • Session Cookies
  • Outgoing links and loading data from other domains
  • Barry needs to 🚲🏠 on the names "tracking" and "consent"

@Tratcher assigned to modify the CookiePolicyMiddleware to support this.

[blowdart]

Bah, the GDPR uses consent everywhere, so i acquiesce to Consent being the name.

Consent is wider than tracking cookies, it's "personal data processing", but as here we're limiting ourselves to cookies, and they are not necessarily tracking cookies, how about "IdentifyingCookie(s)", because they identify the user in some manner?