The volume of information on the Internet is almost too staggering to contemplate, especially for such a youthful system of storing and presenting information - compared to the millennia old practice of scribbling on bits of parchment. Internet users have access to most of this information at the touch of a button, but for many the presentation is too impersonal and users will rarely return to a site if they feel it isn't working to fulfil their needs. For the budding web designer, this would be a worry if it wasn't for a small text file that can hold the key to a successful and personalised web experience - the diminutive 'cookie'.

What Are Cookies?

A cookie¹ is a small text file created by a web page and stored on your computer in a folder that is intended to specifically contain these little bits of information.

The simplest way of understanding exactly what a cookie is would be to visualise it as a note on a scrap of paper. A basic cookie typically has this information on it:

• Name - This is defined by the web site which creates the cookie.
• Domain - For example bbc.co.uk. This tells your browser which web sites this cookie should be sent to.
• Path - This tells the browser what subset of pages on that web site it should send the cookie back to.
• Expiry date - This tells the browser when to remove the cookie from its store.
• Content - Content can be anything the web site wants. Typically, it's some form of unique identifier, so that the web site knows it's you.

People with paranoid tendencies may point accusing fingers at cookies as hoarders of personal and sensitive information that might be abused in some way. However, if the cookie contains any personal information then it is something you gave it.

So, with a cookie stored somewhere in your system, every time you go to the same site that gave you the cookie (for as long as the cookie persists), your web browser hands the cookie (or note) back to the web site who reads it and says 'Ahh, I remember now!' and acts accordingly.

Reasons for Using Cookies

Gathering Visitor Data Helps Design Better Sites

By way of example, if the webmaster notices that many visitors use Opera on a Linux operating system, they can make sure to design a page that works well with that setup. The next time someone comes along and tells them 'I'm using Opera with a Linux machine' in their cookie, the site will give them the page that looks the best for them.

Similarly, let's say you visit several pages in a large site, ignoring the ones in which you have no interest. By the fact that the server knows that user 532 (you, for the sake of this example) visited all these same pages, it knows there is one random person out there that liked this one group of pages. If a thousand people visit the same group of pages that tells the people who run the site that they need to arrange the pages to make it simpler for people to visit those same group of pages, because clearly they are popular and of significant interest to those people. This is similar to the practice of putting the peanut butter next to the jelly in the grocery store.

In these instances, this is not tracking you personally, this is helping the sites gather statistics that they can use to improve their site, which eventually helps you because you get better service from them.

Remembering Visitor Preferences

Now, let's say the web site asks you what colour you would like the background to be when you are reading pages. You choose white because it's easy to read. This information is packaged into a cookie and stored on your computer for future reference. Then when you go to a page on that same site, your browser hands the appropriate cookie back that says 'Hi, I'm user 532 and I like white backgrounds' and the site says 'Great, I will make it white for you' and gives you the page in white.

Online shopping

For those who use the Internet to going shopping without leaving their home, the cookie also serves a purpose. If you want to buy something from a site and you click on the thing you want to buy, the site will respond accordingly. The site server may say, 'I could give you a cookie saying what you just put in your cart, but if you buy too much it will be a pain, so here, have a cookie saying you are using shopping cart number 37 and I will remember what is in it.'

So then your buddy interrupts your web browsing to send you a message. It contains a link to a webpage featuring a picture of his dog playing ping pong with a squirrel and you go look. This means you have left the web site completely, but not to worry, the site will remember you.

After having a good laugh you go back to the site and hand it your cookie that says 'Hi, I'm user 532, I like white backgrounds, and I was using shopping cart number 37' so the site says 'Great! I know you, here have a white background, and, by the way, I am still holding those things you wanted ready for when you want to go to the checkout.'

Since the cookies created for online shopping can contain data such as credit card numbers, websites that use online shopping carts should always do their business transactions through secure servers. They should also have their privacy and security policies available for people to read and understand.

Advertising

A further use for cookies is tailored advertising to match your interests. Large advertising firms contract with various websites, and those sites agree to send their cookie information to the advertisers for an idea of how many people visit what kinds of sites. The cookies tell the advertisers what site you came from and where you went to once you left. So, that's why each time you visit a site you will see a different banner ad since the cookies keep track of which ones you've already seen. It can also tailor the ads to things you are more likely to buy based on what sites you've visited recently.

Security Issues

When cookies were first introduced, there were massive security holes that allowed people to easily read the information stored on the cookies. Some of the most glaring problems were addressed, but there are still concerns.

One personal solution you can do yourself is to set your browser to not accept cookies. This can make web surfing rather difficult, since more and more sites use cookies and in some cases certain areas of the site will not even function at all if cookies are not enabled. With cookie acceptance switched off you will often find sites telling you that you can go no further than a certain point without activating them.

Another option is to change your browser settings so that it asks you whether or not you wish the website to create a cookie for you. This gives you more control, but it also can be time-consuming given the number of websites that generate cookies. You may be surprised by the number of specially-tailored cookies that are thrown at you by visiting just a single site.

Finally, most browsers have some sort of middle ground that allows some cookies but not others. In Netscape, you can specify that you will only accept cookies that are sent back to the originating server. For example, company X generates a cookie that is sent back to company X. That cookie is permitted. If company Y generates a cookie that is sent to marketing agency Q, that cookie would be rejected. In Explorer, you can set the privacy settings to varying degrees of strictness over what kinds of cookies it will accept. Most other browsers also have a similar set-up offering varying degrees of user control. These options in each type of browser seem to be the best compromise between security and convenience.

Crumbs!

Besides the security concerns, there are other reasons that many users object to them:

• They gather information about you without your permission - This can be resolved by setting your browser to ask you before accepting cookies. Even still, privacy advocates question whether or not this information is truly necessary and why users must go out of their way to force the websites to ask permission.

• They can clog up your memory over time if allowed to accumulate - Well-behaved cookies should come with an expiration date so that they are erased after a certain period of time. Unfortunately, many don't and they begin to pile up. A few bytes here and there quickly gather and can take up valuable space on your system. The solution for this is to clear out your cache². By way of example, again, about how different browsers handle this, Explorer makes a distinction between emptying your cache and deleting your cookies; there is a separate button for deleting cookies in the newer versions of it. Netscape does not make that distinction - clearing the cache will also delete any cookies that have built up.

Cookie Control

The solutions for dealing with cookies depends on what browser you're using and whether or not you choose to download additional software to help you manage them.

Netscape

To delete the cookies currently stored by Netscape (4.7):

• Go to the 'Edit' menu
• Select 'Preferences'
• Under the 'Advanced' heading, click on 'Cache'
• Click on 'Clear Memory Cache' and 'Clear Disk Cache'

To manage your incoming cookies:

• Go to the 'Edit' menu
• Select 'Preferences'
• Click on the 'Advanced' heading
• Under the 'Cookies' section, you have three different options:
  • Accept all
  • Accept only ones that go back to the originating server
  • Accept none
  You can also choose whether or not you want to be warned before accepting a cookie in addition to the security level that you select.

Internet Explorer

To delete the cookies currently stored by IE (6.0):

• Go to 'Tools'
• Select 'Internet Options'
• In the 'General' section, under the 'Temporary Internet Files' section, click on 'Delete Cookies'

In older versions of IE, the cookies are not stored separately from the other temporary files, so clearing the cache will also delete the cookies.

To manage your incoming cookies (IE 6.0):

• Go to 'Tools'
• Select 'Internet Options'
• Click on the 'Privacy' tab
• Slide the bar at the left to change the privacy setting. A description will appear detailing what types of cookies will be accepted and what types will be blocked.
• Click 'Apply' at the bottom right corner of the window, then 'OK'.

Opera

The O4FE Opera File Explorer will let you search for and delete individual cookies. Otherwise:

• Click on the File menu
• Select Preferences
• Click on the Privacy category
• Select your choice from the cookies drop down list:
• Do not accept cookies
• Display received cookies
• Accept only cookies from accepted servers
• Automatically accept all cookies

Other options include:

• Throw away new cookies on exit
• Display warning for illegal domains
• Display warning for illegal path

In conclusion...

Cookies do have their uses, but they also have their abuses. Using cookies sensibly makes your web surfing experience easier and customised to you, but it takes a certain amount of vigilance on the user's part to make sure that they do not overstep their bounds.

Further Reading

• CookieCentral - This provides information on cookies and a list of software available to manage them.

• CookieControl - This site shows you how to manage your cookies without downloading additional software. The cookie control site also helps you sort out the “preference” cookies from the “uninvited” cookies that give information about you and your websurfing habits to advertisers.

• The European Union has a set of recommendations on the use of cookies as part of a comprehensive approach to online security. A bit dry in parts, but very detailed. (For specific references to cookies and how they are used and abused, see pages 16, 41-42, 45, 52, 67, 73, 76, 79-81, 87, and 93.) Requires Acrobat Reader to view.

Cookie Management Software

Some of these programs are completely online and do not require you to download any additional software. Some of them are downloads but are free, others charge a fee.

• Cookie Crusher
• Cookie Jar - This is for Unix machines
• Cookie Manager - Main site is in French but an English version of the site is available
• CookiePal
• Cookie Sweeper - Online tool that allows you to view, sort, and delete cookies. It uses a security certificate to prove that it’s genuine.
• Spyblocker
• Webwasher