The Great Cookie Caper

Privacy, domains, bugs

         

korkus2000

3:59 pm on Dec 18, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I hear many people talking about how cookies have privacy implications. I also hear people worried that they are being tracked around the internet with them. It causes a real problem for developers who want to use cookies to create a state management system.

So let's talk about it. What are the risks of cookies? The W3C has a FAQ about this here:
[w3.org...]

As you can see there are always ways to make the web insecure, but is this really a huge issue? Personally I don't think so. As a developer I want to make sure my sites don't store private info like CC numbers and socials in a cookie, but a preference is really not that big of a deal. I try to read privacy policies to make sure that my information is not being sold or shared.

So what about domains being able to infiltrate other domains' cookies? Well, if this is happening then there is a bug in your browser. It is not supposed to happen. Here is a section of the proposed standard to the W3C by Netscape.

HTTP State Management Mechanism - Proposed Standard RFC 2109 [w3.org]

The following rules apply to choosing applicable cookie-values from
among all the cookies the user agent has.

Domain Selection
The origin server's fully-qualified host name must domain-match
the Domain attribute of the cookie.

Domains should not be able to read a cookie from another domain. The fully-qualified host name must domain-match the Domain attribute. Has this been exploited in the past? Yes.
Internet Explorer [news.com.com]
Mozilla [alive.znep.com]
But it is a bug that the browser manufacturers put out patches for when it is found.

Then there are ad companies like doubleclick that set cookies that do track you around the internet. Many people loathe this, and it is part of the stigma that cookies have been given. These cookies have more information than most sites have since they know where you have been.

So we have all heard many different stances on cookies. A lot of them are old news and were fixed. What do you think? Good, bad, ugly?

Anyone turned cookies completely off in their browsers?
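
The domain-match rule quoted above from RFC 2109, written out as an added example (not part of the original post or of any browser's code). The function names, host names and cookie jar are constructed for illustration.

```javascript
// Added illustration of RFC 2109 domain-match and Domain Selection.
// All host names and cookies below are constructed sample data.
const isIPv4 = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// Host A domain-matches B if they are identical, or if B has the form ".B'"
// and A is a host name of the form N + B with N non-empty.
function domainMatch(a, b) {
  a = a.toLowerCase();
  b = b.toLowerCase();
  if (a === b) return true;
  if (isIPv4(a) || isIPv4(b)) return false; // IP addresses must match exactly
  return b.startsWith(".") && a.length > b.length && a.endsWith(b);
}

// Storage-time check: should the user agent keep a cookie whose Set-Cookie
// header carried this explicit Domain attribute?
function acceptDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  const d = domainAttr.toLowerCase();
  if (!d.startsWith(".")) return false;            // must begin with a dot
  if (!d.slice(1, -1).includes(".")) return false; // needs an embedded dot (".com" fails)
  if (!domainMatch(host, d)) return false;         // host must belong to that domain
  const prefix = host.slice(0, host.length - d.length);
  return !prefix.includes(".");                    // H in "HD" may not contain dots
}

// Domain Selection: only cookies whose Domain the request host domain-matches
// are sent back to that host.
function cookiesFor(requestHost, jar) {
  return jar.filter((c) => domainMatch(requestHost, c.domain)).map((c) => c.name);
}

// Constructed cookie jar.
const jar = [
  { name: "prefs", domain: ".example.com" },
  { name: "session", domain: "shop.example.com" },
  { name: "adid", domain: ".adnetwork.test" },
];

console.log(cookiesFor("shop.example.com", jar));
console.log(cookiesFor("notexample.com", jar));
console.log(acceptDomain("www.example.com", ".com"));
```

A suffix check without the leading dot would let `notexample.com` read cookies scoped to `.example.com`; the dot in the Domain attribute is what prevents that. Current browsers follow the later RFC 6265, whose matching rules differ in detail.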

divaone

6:15 pm on Dec 18, 2003 (gmt 0)

10+ Year Member



my cookies are on. i enjoy the convenience they bring and don't spend a lot of time worrying about their use. one fact so many people don't realize is just how much control they really have over cookies, plus there are many programs which offer nice gui's for control as an alternative to browser settings and manual labor.

i worry much more about malicious websites which secretly install Internet Optimizer and Alert programs on my machine. not to mention all the probes, whether malicious or not.

i've also found that lots of people who worry over cookie use are the same people who never update their virus protection programs or install security updates and wonder why programs crash every time they open them. go figure. they also tend to be clients who worry more about why smileys are not showing correctly in Incredimail :)

Reflection

6:42 pm on Dec 18, 2003 (gmt 0)

10+ Year Member



Since I use Mozilla I control which sites can store cookies. I block all advertisement cookies and generally any cookie that doesn't benefit me, even if it is from a site I visit regularly. If the cookie doesn't store things like my preferences or whether I'm logged in to a site, there is no reason for me to accept it.

The basic rule of thumb for using cookies should be 'does setting a cookie benefit the user in any way?'. I once had a client who wanted me to use cookies on their site but they couldn't come up with a reason why, they just thought everyone else uses them so why don't we?

One thing I find extremely annoying is when you are browsing a forum and somebody has an img in their signature which is called from another domain and it wants to set a cookie, grrr.

korkus2000

1:55 pm on Dec 19, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



So do you think that the normal user is not fazed by cookie use? Is the length of the cookie concerning?

DylanW

2:19 pm on Dec 19, 2003 (gmt 0)

10+ Year Member



Then there are ad companies like doubleclick that set cookies that do track you around the internet. Many people loathe this, and it is part of the stigma that cookies have been given. These cookies have more information than most sites have since they know where you have been.
I get the feeling that to many of the more paranoid users out there, cookies = invasion of privacy, tracking, etc. Not that they're a means to tracking and invasion of privacy, but that they are tracking and invasion of privacy.

But once you start using cookies in your own scripts, then you understand what they actually are. :)

ritch_b

2:53 pm on Dec 19, 2003 (gmt 0)

10+ Year Member



I've found the 'allow cookies for session only' options in IE & Mozilla to be a useful tool. Granted, you're still storing the cookie but on the basis that when you close the browser session, it goes the journey.

It's a peace of mind thing I suppose too - nice to know they won't be staying there in the future.

Combined with the 'confirm before accepting' option, I've a good degree of control over the cookies I choose to accept, although I've no doubt the majority of users might be fazed if presented with the continual pop-ups I endure whilst confirming cookies.

Anyone turned cookies completely off in their browsers?

Yes, albeit briefly; and it was quite surprising to find the number of sites that didn't appear to work properly once cookies were denied.

cookies = invasion of privacy, tracking, etc

In the minds of many users, that's quite true. A number of fairly high profile stories earlier in the year blew the issue of cookies out of all proportion, pouring uninformed and poorly researched information onto an audience who respected the publication and took it to heart, some believing their every move was being tracked and recorded.

I'll confess to having used cookies on occasion, but only where their inclusion is fairly critical to the function of the respective site. Setting an anti data-mining cookie on a search for example, to prevent automated bots stealing information - or a cookie to store the user's language option for that site. In all cases, the cookie is followed by a comprehensive P3P policy and a compact policy in the page header to keep newer IE users happy. The majority of sites I've visited don't offer a privacy policy to users and in any case, is the end user aware of the existence of such things and what they mean?

I've no problem with cookies, provided they're used 'properly' and judiciously, rather than being dropped into pages for no apparent reason, as seems to often be the case.

My 2 cents worth!

R.

Reflection

9:43 pm on Dec 19, 2003 (gmt 0)

10+ Year Member



So do you think that the normal user is not fazed by cookie use? Is the length of the cookie concerning?

I think the average IE user barely knows what a cookie is, let alone when a site is using them or how big they are.

For those that do know what a cookie is and what they are used for, that user can decide whether the cookie has a reason to exist. A good rule of thumb would be that a cookie is not needed unless the user performs an action that requires one (like logging in, or adding something to a cart etc). Navigating through a site is not an action that requires a cookie.

victor

10:36 pm on Dec 19, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Navigating through a site is not an action that requires a cookie.

That's completely true. A site should be readable without cookies.

But cookies can add value even to navigation.

I have sites that show breadcrumb trails -- useful for a user who is doing a load of navigating around. I can't do that without a cookie. (And, if they don't like the breadcrumbs, they can turn them off).