Problems with Cookies


Before using cookies in an application, you should be aware of the problems associated with cookies. For these reasons, and others that may crop up in the future, you should be careful to design your web pages and CGI programs so that cookies are entirely optional.

For example, if you're using cookies to store user preferences, you should use a default set of preferences if cookies are not available. You must code defensively.

Cookies Are Ephemeral

As I've mentioned throughout this hour, cookies are ephemeral. Cookies can be deleted from the user's system, edited by the user, or simply thrown away by the browser for no apparent reason. A browser can accept the cookie, use it for a short time, and then forget it. Even if you've set up persistent cookies using -expires, the browser can still throw away the cookie without telling the user.
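The defensive pattern described above, as an added example (not code from the original book): preferences come from a cookie only when one arrives and every value passes validation, and defaults are used otherwise. The cookie name prefs, its fields, and the allowed values are assumptions, and the Cookie headers are constructed samples.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Defaults used whenever the cookie is missing, discarded, or unusable.
my %DEFAULTS = (color => 'white', size => 'medium');

# Allow-list per field: the user can edit the cookie, so check every value.
my %ALLOWED = (
    color => { map { $_ => 1 } qw(white gray black) },
    size  => { map { $_ => 1 } qw(small medium large) },
);

# Always returns a complete preference set; a bad or absent cookie is not fatal.
sub load_prefs {
    my ($q) = @_;
    my %prefs = %DEFAULTS;
    my @raw   = $q->cookie('prefs');    # empty list when no cookie came back
    return \%prefs if @raw % 2;         # odd item count: malformed, ignore it
    my %sent = @raw;
    for my $field (keys %ALLOWED) {
        my $value = $sent{$field};
        $prefs{$field} = $value
            if defined $value && $ALLOWED{$field}{$value};
    }
    return \%prefs;
}

# Constructed Cookie request headers, not captured traffic.
my @samples = (
    [ 'no cookie sent'   => '' ],
    [ 'valid cookie'     => 'prefs=color&black&size&large' ],
    [ 'edited by user'   => 'prefs=color&%3Cscript%3E&size&small' ],
    [ 'malformed cookie' => 'prefs=color' ],
);

for my $sample (@samples) {
    my ($label, $header) = @$sample;
    local $ENV{HTTP_COOKIE} = $header;  # where CGI.pm looks for cookies
    my $prefs = load_prefs(CGI->new);
    printf "%-17s color=%s size=%s\n", $label, @{$prefs}{qw(color size)};
}
```

CGI.pm is no longer bundled with Perl as of version 5.22, so install it from CPAN before running this.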

Cookies Aren't Always Supported

Not all browsers support HTTP cookies. The Internet standards that apply to HTTP and web traffic don't guarantee that browsers must support cookies.

I'm not suggesting that most browsers don't support cookies, because they do. Netscape (since version 1.1), Internet Explorer (all versions), Lynx, Opera, and most popular web browsers do support cookies. In most of them, though, the user has the option to turn off cookie support.

Even if you've used the CGI module's user_agent function and determined that the intended browser should support cookies, don't count on it.

Some People Don't Like Cookies

The title of this section might be hard to fathom: Why on earth would someone not like cookies?

Surfing the web is essentially an anonymous activity. As you've seen in previous lessons, when a web page is requested by a browser, the request happens in a vacuum. The server doesn't necessarily know where the browser's been or the last time a page on this site was requested by this particular browser.

By the Way

Remember: One browser does not necessarily represent one user. A browser can be shared by many people in a household, kiosk, Internet café, or public access site, such as a library. Setting (or changing) a cookie for one person might actually set it for several people.

Cookies can be used to track where people have been on a particular site and what items they've clicked. If you're concerned about privacy, this might be alarming. For example, a bookstore might track which books the web surfer clicked on for more information. That information can be used to tailor lists of books to present to the surfer.

On the surface, this feature seems convenient. For people concerned about privacy, it presents two problems. First, an entity now keeps track of the kinds of books in which the web surfer is interested. If that information is ever correlated with the web surfer's name and address (possibly obtained from a fill-out form from another site that is sharing information with Congo.com), the surfer might start receiving junk mail related to his or her book selections. The more information that's shared by cookie-gathering sites, the more detailed the "profile" that can be assembled about the web surfer.

Beyond the privacy issue, if the first two books examined were categorized as "Computer" books, the web site might stop offering books to the web surfer in the "Romance" and "Cooking" categories. The web site channels the surfer into categories that might be difficult to escape.

By the Way

You might be surprised at how often cookies are used to collect and store information on your browser. Just turn on cookie confirmation in your browser, and visit any popular web site.

People have been known to go to great lengths to avoid cookies. Web browsers that support cookies all offer features to turn off cookies, and some allow you to examine cookies as they're set on the browser. Add-on software packages are available to filter cookies that are sent to and from your browser and allow you to edit them. Some web sites are designed to let you surf other web sites anonymously, without cookies gathering information about you.

In short, some people consider HTTP cookies an invasion of privacy, so you should be careful how you use them.

    © 2000- NIV