>go back and convert to session variables

Not if you want search engines to index your site.

Well, I'm referring to passing status on server-side form validation through cookies.

Nothing that's "do or die" when it comes to displaying the actual site. I just use cookies so that I don't have to bother with long, easily-manipluated querystrings or javascripts.

Basically, something like:

<%
' Sets validation error cookie and refreshes page
Response.Cookies("mysite")("error")=1
Response.Redirect "/page.asp"

' Looks for error cookie and displays error
IF Request.Cookies("mysite")("error")=1 THEN
Response.Write "Sorry, user name already exists."
Response.Cookies("mysite")("error")=""
Response.End
ELSE
' Just loads the default page
%>
WEB PAGE CONTENT
<% END IF %>

The thing about session variables is that they use session cookies.

So anyone whose browser won't accept cookies because it is full of them, or anyone who turns their IE security settings to "high" will still have problems.

Very very few people though. Don't have any data, but 10% sounds a bit high to me.

Can't believe SEs can handle cookies but not session variables though, rcjordan

[webmasterworld.com...]

msg 16.

Can't believe SEs can handle cookies but not session variables though, rcjordan

No current SE spiders handle cookies and by extension they don't handle session cookies either. They don't like or dislike them - they simply get ignored.

I think what RC Jordan meant was that if you start putting SessionID's in the URLs in order to bypass the cookie problem it really messes with search engine spiders...

- Tony

I have data driven sites highly dependent on cookies and with over 500 users I only had one not be able to access the site because of cookies disabled.

Sorry - cookie-less sessions didn't even cross my mind!

Anyway been thinking about this and perhaps the 10% figure could refer to the number of all cookies which are blocked.

A big problem is using cookies where your site may appear within someone else's frameset (eg. people referred by ask). Then your cookies become "third party" cookies and get blocked by many modern browsers (well, IE 6 at least) - but you can get around this by using javascript to force your pages to the top.

Hypergeek, before you recode your site, why not set up some code using the browser capabilities component in ASP to test whether or not your users are cookie-challenged (or just set the code to get information from the cookie just after setting it - haven't tried this and not sure it would work).

I set up a tracking script last year to check ROI, if the clients browser does not support cookies it writes:
--Does not support cookies--
into my data base.
In checking my completed orders since 01/01/03 there are 79 that had the no cookies note in their order. That is just about 10% of completed orders.

>That is just about 10% of completed orders.

Whooa, lets back up Conard.

Are you saying that if cookie support was required you could have lost that 10%?

...and the plot thickens.

Conard, how did they order without cookies being enabled? What process do you use to circumvent this?

Sullen, I'm thinking of putting a cookie detection into the frame of the site. Then I'll simply re-direct the user to a page that shows a caveman chiseling a rock with an ad for my old 286/12 and 2600 baud modem - 'cause if they don't use cookies, they're living in the stone age... either that or they're using WebTV (which is *just like* living in the stone age).

NFFC
You asked:

Whooa, lets back up Conard.
Are you saying that if cookie support was required you could have lost that 10%?

Yes, if just cookies were required I would have lost the orders. I started to see this from potential customers emails for help. It was always a cookie issue.
What I did to handle it was to implement a session id passed through in links from the dynamic cart where all robots are banned.
I did have a guy last week with some odd security settings with IE6 and a firewall and the session id would choke his browser, but I can't replicate the problem with any combination I have tried.

There are plenty of firewall products out there that have options to block cookies. And unfortunately there is still a lot of FUD about what cookies actually do (probably spread by firewall companies :)).

You can always test if cookies are set (by setting one and then trying to read it on the next page). If they are not set then you can fallback to putting the session id in the url (known in php as a transparent sid).

This is a little less secure (as users may bookmark an existing session, mail the url to friends or deliberately alter the sid) which is why I don't use it by default.

Also you can reduce the chances of your cookie being rejected by implementing a proper p3p privacy policy [w3.org] and sending P3P headers with the cookie.

I never accept cookies unless I benefit from it - ie user preferences but that's it.

Why should I let anyone see where I'm surfing to and from?

I'm thinking of putting a cookie detection into the frame of the site. Then I'll simply re-direct the user to a page that shows a caveman chiseling a rock with an ad for my old 286/12 and 2600 baud modem - 'cause if they don't use cookies, they're living in the stone age

Antagonizing users is a great business model :) :)

As Jaze writes:

I never accept cookies unless I benefit from it

I refuse all cookies unless there is a damned good reason for me to accept them. Bulletin boards and other places which store my preferences are one example. I do most of my shopping at sites that I know, I also accept cookies from them.

Any site that relies on either cookies or pop-ups to communicate with users is going to face increasing problems as time passes.

'cause if they don't use cookies, they're living in the stone age... either that or they're using WebTV (which is *just like* living in the stone age

I was once read a great saying 'take the stick out of your own eye, before you take the speck out of others'.

Jaze says

Why should I let anyone see where I'm surfing to and from?

This is exactly the sort of hype I was talking about.
People believe that cookies somehow invade their privacy.

But it's nonsense. In fact since cookies are set and read by the server, they can only really keep track of things that you have already made public in some way.

Jaze: we don't need cookies to find out where you came from. That information is in your http headers and is logged by most websites. Switching off cookies doesn't hide it. :)

Personally I'm quite happy to have IE6 at its default cookie setting (which blocks third party cookies).

One of our clients is a state government whose governor has issued an executive order explicitly banning the use of cookies on state sites, which would include the sites we maintain for them. Maybe it's paranoid, maybe it's overkill, maybe they are simply ignorant-- doesn't matter a whit. Lil' us aren't exactly going to lobby the state legislature over this, we just deal with it. People can be self-righteous all they want about JS, or cookies, or Netscape 4, but in the end, your publics are what matter, not techological ideologies.

10% does seem high. It probably depends on your visitor profile.

If your business depends on the likes who haunt WW, yeah, then the number with cookies restricted or turned off is going to be very high. And some IT folks might preset corporate machines for higher privacy and security.

If your visitors are consumers using AOL, MSN, Earthlink or anything else "out of the box" I *assume* the percentage fiddling with cookies drastically drops, though as more people go with DSL and cable there will probably be an increase as folks become more aware of firewalls and the security and privacy issues involved.

People can be self-righteous all they want about JS, or cookies, or Netscape 4

Me? Self-righteous?
Well maybe a little about Netscape 4. ;)

But in this issue I was just suggesting reasons why 10% of users might have cookies turned off (FUD - Fear/Uncertainity/Doubt).

As you point out, it doesn't really matter that their fears are groundless. All that matters is that they have chosen a setting and we need to cope with it.

However, depending on your site, one valid course of action may be to educate...

Some features of this site require cookies, which you currently have disabled.
Click here to learn more about cookies.
Click here to find out how to enable cookies.

Obviously this suits some sites better than others and it doesn't suit your state government sites at all.

Antagonizing users is a great business model :) :)

Hey... it works for Yahoo! and LookSmart.

People believe that cookies somehow invade their privacy.

I tell you what, everyone should be using *SpyBot*.

It finds all notorious cookies and deletes them. Then you can also "immunize" your system against them so that they cannot be written to your system (along with other, even worse, forced downloads). Excellent, and FREEWARE!

By the looks of how many unwanted cookies this thing can find on a daily basis, I know where the general public is coming from... but I do think that without the FUD, at least half of those users would allow cookies if they were just educated a bit.

This to me is golden:

Some features of this site require cookies, which you currently have disabled.
Click here to learn more about cookies.
Click here to find out how to enable cookies.

Short and sweet... thank you GrahamStewart. I believe that, in the end, if I go the extra step to provide some information about cookies and their use on the site, it may de-mystify the issue for a few people...and that might result in more sales going through.

This is the best I can do for now since I don't like to pass code mechanics through querystrings. It's cheap when I can type...

[yoursite.com...]

...and view your error message because it's string dependent. Doesn't this seem sloppy to anyone else?

Jaze: we don't need cookies to find out where you came from. That information is in your http headers and is logged by most websites. Switching off cookies doesn't hide it. :)

And if I'm going via a proxy? And what about dynamic IP addresses? Without cookies you wouldn't be able to determine if I was the same person or not! Particularly over longer periods...

HyperGeek says:

I tell you what, everyone should be using *SpyBot*

I thought SpyBot was targeted at spyware? What 'notorious' cookies does it block? are they actually browser cookies or are they set elsewhere (i.e. by a media player for instance)

It's cheap when I can type...
[yoursite.com...]

Well you could do everything through POST variables instead - which will hide that - but its a lot more hassle.

Jaze saze:

And if I'm going via a proxy? And what about dynamic IP addresses? Without cookies you wouldn't be able to determine if I was the same person or not! Particularly over longer periods...

Does your proxy also strip out the Referer header?
How about the X-Forwarded-For header?

Even if it does, you could still be tracked around your visit to a site by your IP address (unless you are using a proxy farm with load balancing - in which case we'd just know the IPs of your proxies instead). But we could still follow you by using session ids in the url or post data.

Dynamic IPs and no cookies - yup that should stop us figuring out that you are someone that has visited before. But if that was a requirement then I'd make you login anyway.

But this isn't the point - the point is: why block this information?

Cookies can only be read or set by their own domain. So you are only really revealing information like "Hello, I'm the same PC that visited last week" or "Yes, I already have an account here". They do NOT reveal what other sites on the web you have been visiting. So what harm is done?

The only addendum to this are third party cookies (where multiple sites have content loaded from a single central site that sets and reads cookies). Here the central site could track your movement through the other sites but this requires two things: A) the consent of the other sites B) your consent to accept third party cookies.

IE6 blocks third party cookies by default, so no worries there.

The U.S. federal government has blocked persistent cookies from all federal websites for three years now.

It is a privacy issue, and just because WebmasterWorld posters don't like it because it keeps widgets from getting shipped as fast as they might be otherwise, doesn't mean that everyone else is dumb and WebmasterWorld posters are smart.

Surly you’re not suggesting that the U.S. federal government is smart.
That is the definition of an oxymoron.

When I go to the local shop, the storekeeper might recognise me. He may even remember what I usually order.

Likewise, when I got to the pub, the barman might know what I like to drink.

These are exactly the same "privacy issues", but they don't concern me in the slightest.

Do federal employees wear disguises in public? Do they only pay by cash? Do they keep that cash under the bed?

Does your proxy also strip out the Referer header?
How about the X-Forwarded-For header?

OK, I'm learning something here... it does make it a lot more difficult for most webmasters/seos/sems to track what I'm doing.

But we could still follow you by using session ids in the url or post data.

That still doesn't assist long term tracking which is what the cookies are set for isn't it? Unique ID's to keep track of visitors...

Dynamic IPs and no cookies - yup that should stop us figuring out that you are someone that has visited before. But if that was a requirement then I'd make you login anyway.

So, a good reason to block cookies then! And logging in becomes another search engine issue...

But this isn't the point - the point is: why block this information?

Most sites still function without them, so why not?
Ok, getting a bit silly there. You've made me think and I thank you for that. I'm still reluctant to accept cookies. In most cases I don't see why people should use them in the first place other than for tracking. Perhaps it's just my way of saying 'why are you trying to store info on my computer'? Or perhaps I just like being difficult. ;)

I believe there are scripts out there for accessing cookies from other domains and it is in the form of JavaScript - or has that hole been patched in IE? :)

OK, I'm learning something here...

If you want to see what headers your browser is actually sending then check out a Header Request Viewer like the one at [delorie.com...]

In most cases I don't see why people should use them in the first place other than for tracking.

Absolutely! The main use for cookies is to help uniquely identify your computer. But thats not neccessarily a bad thing, since it allows websites to have nice features like automatic login, site preferences, personalised content.

Or perhaps I just like being difficult.

Fair enough. I reckon thats probably a more valid reason then the oft cited 'privacy concerns' :)

I believe there are scripts out there for accessing cookies from other domains

There may have been - but these would take advantage of bugs in the browsers rather than fundamental privacy issues of cookies. I'm pretty sure that any holes in IE have been patched.

Incidentally, don't you find this site difficult to use without cookies? Don't you have to login every time you want to post? And how do you keep track of what threads you have read?

I think I said at the start of the thread something along the lines that I don't mind cookies if they benefit me. So yes, I accept WebMasterWorld cookies, and no it's not difficult to use ;-)

I don't have a problem with the likes of this site that stores my preferences for a site, it benefits me, I don't have to log in each time. but when you see how many sites throw five or six cookies at you, you really start to wonder why!?