How to use cookies
Web standards & guidelines
Explanation
- When a web server receives a request from a browser for an HTML page or other document, it may include a cookie along with the returned content.
- A cookie is a token that the web browser stores on disk in the form of a small text file. Depending on the user's browser preferences settings, a browser may automatically store cookies without notifying the user that they have arrived, may ask users whether to accept each individual cookie that arrives, or automatically reject all cookies.
- Cookies are stored in a text file whose name and location depend upon the user's operating system and browser. These can be viewed and deleted by the user. For example:
  - Microsoft's Internet Explorer stores each cookie as a separate file under a Windows sub-directory,
  - Netscape stores all cookies in a single cookies.txt file, and
  - Opera stores them in a single cookies.data file.
- A cookie contains three parts:
  - The web server DNS domain name(s) to which the cookie should be sent. The cookie will be included as a part of any future requests for HTML pages or other documents from web server(s) with the specified DNS domain name(s).
  - An expiry date, after which the cookie will be discarded by the web browser and will no longer be included in requests to web servers.
  - Arbitrary text set by the web server when the cookie was first sent to the browser.
- Note that the expiry date can be set to 'end of session', in which case the cookie will be discarded when the browser application program is closed.
- By setting the arbitrary text portion of a cookie to something different in every cookie it issues, and setting the domain name section to refer to itself, a web server is able to recognise individual users' sessions (sequences of requests from the same user). By setting an expiry date that is in the distant future, a web server is additionally able to recognise users who return to the site on subsequent days, weeks or later (repeat visitors). Cookies set to expire beyond the end of the current browser session are usually referred to as persistent.
- Cookies do not contain executable code and therefore do not provide a potential point of entry into users' computers for viruses, Trojan horses or other malicious software.
- Establishing user sessions at the server in this way also enables the development of new classes of web-based applications, ranging from multi-page forms to websites that can record user preferences and customise the content they deliver according to users' expressed preferences.
- A practical example is Amazon.com, the online bookseller. They use cookies for site personalisation, to aid established customers by informing them of offers and discounts in areas they have previously used. For example, the personalised message when you log in:
'Hello John Doe, we have recommendations for you in books and video'
Hyperlinks then take you to a personalised page that highlights products based on your personal profile.
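The three parts of a cookie described above (domain, expiry date, arbitrary text) and the session/persistent distinction can be seen concretely in the headers exchanged. The following is an added example, not part of the guideline: a small model of the Set-Cookie header a server emits and of the rules a browser applies before sending a stored cookie back. All host names (example.gov.uk and so on), cookie names and dates are constructed for illustration.

```python
"""Added example (not from the guideline): building and storing cookies
and deciding which ones a browser would send with a request."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime


def utc(year, month, day):
    """Timezone-aware UTC date, the form Expires= dates are written in."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def build_set_cookie(name, text, domain, expires=None):
    """Set-Cookie header carrying the three parts: arbitrary text (name=value),
    the domain it should be returned to, and an expiry date.
    Omitting Expires makes it a session cookie ('end of session')."""
    parts = [f"{name}={text}", f"Domain={domain}"]
    if expires is not None:
        parts.append("Expires=" + format_datetime(expires, usegmt=True))
    return "; ".join(parts)


def parse_set_cookie(header, origin_host):
    """Parse a Set-Cookie header into its parts; without a Domain attribute the
    cookie is scoped to the host that issued it."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name, "value": value,
              "domain": origin_host.lower(), "expires": None}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            cookie["domain"] = val.strip().lower().lstrip(".")
        elif key == "expires":
            cookie["expires"] = parsedate_to_datetime(val.strip())
    return cookie


def domain_matches(cookie_domain, request_host):
    """A cookie is sent to the named domain and any host beneath it, so the
    domain should be kept as narrow as the service needs (a cookie for
    gov.uk would be sent to every gov.uk site)."""
    host = request_host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def store_in_jar(jar, set_cookie_header, origin_host):
    """Browser side: keep the cookie that arrived with a response."""
    jar.append(parse_set_cookie(set_cookie_header, origin_host))


def end_browser_session(jar):
    """Closing the browser discards cookies with no expiry date."""
    jar[:] = [c for c in jar if c["expires"] is not None]


def cookies_for_request(jar, host, now):
    """Cookie header the browser would send to host at time now: expired
    cookies are discarded first, then the domain must match."""
    jar[:] = [c for c in jar if c["expires"] is None or c["expires"] > now]
    return "; ".join(f"{c['name']}={c['value']}"
                     for c in jar if domain_matches(c["domain"], host))


def demo():
    """Constructed walk-through: a session cookie and a persistent one are set
    on 1 Jan 2003; the browser is closed; a visit follows after expiry."""
    jar, now, site = [], utc(2003, 1, 1), "www.example.gov.uk"
    store_in_jar(jar, build_set_cookie("sid", "abc", "example.gov.uk"), site)
    store_in_jar(jar, build_set_cookie("repeat", "xyz", "example.gov.uk",
                                       expires=utc(2030, 1, 1)), site)
    same_session = cookies_for_request(jar, site, now)            # both cookies
    other_site = cookies_for_request(jar, "www.other.gov.uk", now)  # none
    end_browser_session(jar)                                       # 'sid' discarded
    next_day = cookies_for_request(jar, site, now + timedelta(days=1))  # 'repeat' only
    after_expiry = cookies_for_request(jar, site, utc(2031, 1, 1))  # none
    return same_session, other_site, next_day, after_expiry


if __name__ == "__main__":
    print(demo())
```

The persistent cookie is what lets a server recognise a returning visitor; the session cookie disappears with the browser. The domain rule is why the guideline says the domain section should refer to the issuing server itself.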
User privacy implications
- Any proposal to implement a website cookie regime inevitably and properly raises concerns about user privacy. To clarify and assess user privacy implications it is useful to categorise cookies into several basic types as follows:
  - Anonymous session tracker - a cookie used to track user sessions. It contains no personal information about the user, nor does the website elicit or store any information from the user. Appropriately used, this is a valuable tool in user analysis, and it also enables the provision of features such as multi-page forms. This cookie may be made persistent in order to detect repeat visitors and returning users.
  - Session tracker - this is a cookie that the web server uses to relate page and other content requests to user preferences stored on the server. The cookie is used to establish the session, and the web server ties the session to the user profile that it has stored. The use of the cookie does not in itself add any privacy considerations to those that arise as a consequence of eliciting and storing data that may be considered private. Note, however, that it is not acceptable for a browser's presentation of a cookie to be interpreted by the web server as adequate authentication for access to private data held on a web server or back-end database. Additional authentication and data encryption techniques must be used for applications involving the transfer of private information over the Internet. This category of cookie may or may not be persistent. For example, you may belong to an online group that issues a session cookie each time you log into it. If you select the 'log in automatically' option it will then send you a persistent cookie.
  - Cookies containing private data - cookie regimes that involve storing private or potentially private data, such as names, addresses or credit card numbers, within the cookie itself are sometimes mooted. This approach should be avoided in Government websites.
- It is important that the user is always made aware if your website uses cookies, what data they contain and what they are used for. This information should be communicated on every entry page to a service that uses cookies. Most browsers let the user specify whether to allow cookies (always, never or case-by-case), but you could consider a more direct approach to obtaining consent, for example:
  - an 'opt-in arrangement', whereby the user's express consent is obtained, eg, 'If you are happy for us to use cookies and provide you with a personalised service, use the OK button'.
  - an 'opt-out arrangement', a less customer-friendly approach which may say, eg, 'If you proceed, then we assume that you are happy with how this service works'.
- A website that uses cookies should also work if users decline to accept them. Your site should perform with and without the use of cookies. If your site offers a degraded service to users who do not accept cookies, then they should be informed that they will receive a less sophisticated service.
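The session tracker and private-data categories above come down to one server-side design choice: the cookie carries only an opaque random token, preferences and private data stay on the server, and presenting the cookie is never treated as authentication. The following is an added example illustrating that model; it is not code from the guideline. The profile, password and user name are constructed sample data, and a real deployment would hold them in a database with passwords stored as salted hashes.

```python
"""Added example (not from the guideline): server-side session handling in
which the cookie is only an opaque key into server-held data."""
import secrets

# Constructed sample data standing in for a profile database.
PROFILES = {
    "jdoe": {
        "display_name": "John Doe",
        "interests": ["books", "video"],         # preferences: used for personalisation
        "postal_address": "1 Example Street",    # private: released only after authentication
    }
}
PASSWORDS = {"jdoe": "correct horse battery"}    # constructed; store salted hashes in practice

# token (the only thing placed in the cookie) -> server-side session record
SESSIONS = {}


def _record(user=None, authenticated=False, persistent=False):
    return {"user": user, "authenticated": authenticated, "persistent": persistent}


def new_session():
    """Anonymous session tracker: a random token with nothing personal in it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = _record()
    return token


def _session(token):
    """Unknown or missing cookie: treat the visitor as anonymous."""
    return SESSIONS.get(token, _record())


def login(token, user, password):
    """Authentication happens with credentials, never with the cookie alone."""
    sess = SESSIONS.get(token)
    if sess is None:
        return False                              # no server-side session for this cookie
    expected = PASSWORDS.get(user)
    if expected is None or not secrets.compare_digest(expected, password):
        return False
    sess["user"], sess["authenticated"] = user, True
    return True


def remember_me(token):
    """'Log in automatically': issue a persistent token that recognises the
    user on return visits but is deliberately NOT marked authenticated."""
    sess = _session(token)
    if not sess["authenticated"]:
        raise PermissionError("log in before requesting a persistent cookie")
    persistent = secrets.token_urlsafe(32)
    SESSIONS[persistent] = _record(user=sess["user"], persistent=True)
    return persistent


def greeting(token):
    """Personalisation: the cookie keys a lookup of server-held preferences."""
    sess = _session(token)
    if sess["user"] is None:
        return "Hello, welcome"
    profile = PROFILES[sess["user"]]
    return (f"Hello {profile['display_name']}, we have recommendations for you in "
            + " and ".join(profile["interests"]))


def private_details(token):
    """Private data: requires a session authenticated with credentials.
    A recognised but unauthenticated (persistent) cookie is refused."""
    sess = _session(token)
    if not sess["authenticated"]:
        raise PermissionError("a cookie is not authentication; please log in")
    return PROFILES[sess["user"]]["postal_address"]


def can_view_private(token):
    """Boolean form of the access check, for callers that prefer not to catch."""
    return _session(token)["authenticated"]


if __name__ == "__main__":
    t = new_session()
    print(greeting(t))                       # anonymous greeting
    login(t, "jdoe", "correct horse battery")
    print(greeting(t), private_details(t))   # personalised, private data allowed
    p = remember_me(t)
    print(greeting(p), can_view_private(p))  # recognised on return, but not authenticated
```

Nothing about the user ever leaves the server inside the cookie, so losing or disclosing the cookie exposes no personal data directly, and the persistent token only restores recognition, not access to private records.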