[Ham-Computers] RE: More on cookies in IE6

Hsu, Aaron (NBC Universal) aaron.hsu at nbcuni.com
Fri Jul 1 14:32:13 EDT 2005 

Hi John (et al),

Don't fret about not fully understanding cookies and cookie handling.  Most
people don't know much about browser cookies except what they hear/read in
the news - and that's generally that "cookies are bad".  Cookies were never
meant to be bad; they are just a tool available for use by webmasters.  It's
just that at some point in time, someone realized that money could be made
by setting a cookie and tracking that web-surfer's movements.  There's
nothing bad about the cookie itself - it's just how the cookie is used
that's worrying.

Realize that cookies are also used for legimate purposes.  Many on-line
stores use cookies as your shopping cart.  Some sites use a cookie to store
your UserID so you don't have to type it in each time you visit (ah, that's
how they automatically know my name/userid).  Some banking websites use a
cookie to remember the state you bank in rather than prompting you each time
you visit.  Cookies can also assist "partner" sites know where a surfer came
from (yes, this is a form of tracking, but there was no malicious intent).

OK, back to the question at hand.  Some quick definitions:

First-party cookie:  A cookie set by the website you're visiting.  For
example, if you're visiting asdf.com and the asdf.com server set a cookie,
this is considered a 1st party cookie

Third-party cookie:  A cookie set by a different website/server than than
the one you're visiting.  for example, you're visiting asdf.com and a cookie
is set by qwerty.com.  The cookie actually came from qwerty.com through some
kind of link on the asdf.com website (such as an advertsing banner).

Allow:  Allow a cookie to be set

Block:  Don't allow a cookie to be set

Prompt:  When is cookie is received, ask the user if it should be allowed or
blocked.  Note: some websites use dozens of cookies and you'll get a prompt
for each one.  Worse, some will continually try to set the cookie until the
browser accepts it.  Highly annoying, but useful if you want to allow a
permanent cookie to be set, but the website is using multiple cookies.
Allows you to be "selective" in which cookie is set.

Always allow session cookies:  Cookies have an expiration that's set by the
cookie's originator.  Enabling this option allows cookies that expire when
you exit the browser.  When this option is set, it generally overrides the
first and third party rules.  Therefore, even if you have the options set to
block all cookies, the browser *will* accept a session based cookie.  On
many browsers, this option automatically makes all cookies session based by
modifying the expiration date when the cookie is received.  Generally,
cookies that were previously set will not be modified if you enable this
setting after receiving the cookie.  So if you're enabling this for the
first time, you'll also want to clear out any existing cookies you don't
want.

In IE (for the times I use it), I have the cookie options set to Override,
1st: Prompt, 3rd: Block, and allow session cookies.  Again, the allow
session overrides 1st and 3rd, so it really doesn't matter how you set 1st
and 3rd at this point.  But, just in case some sneaky way is discovered to
bypass session cookies, you might want to set 1st and 3rd to block or prompt
rather than allow.

In Mozilla and Firefox, I set cookies to expire in the current session.

Once in a while, I'll take a look at the cookie cache to see if any cookies
made their way in.  Sometimes, I've allowed a permanent cookie for
convenience, but I haven't deleted it yet and this is the time to clean-up.

And, once again, I've taken up enough bandwidth.  I hope this clears things
up at least a bit (if not making things more confusing <g>).  Please let me
know if anyone needs more details.

Oh, and to answer the question as to what can/can't be done if a cookie is
set or not set.  It depends on the website.  If a website *requires* a
cookie, then you won't be able to surf that site until a cookie is set -
this is where session-based cookies come in handy.  Same with on-line
shopping - as mentioned earlier, many websites use cookies as part of your
"shopping cart".  If you don't allow cookies, then the shopping cart system
doesn't work.  Once again, session-based cookie handling is the answer.

May I also suggest that you switch to Firefox?  Much safer than IE in any
incarnation.  And use Thunderbird rather than Outlook Express for e-mail.
Firefox/Thunderbird are not without their own issues, but they're not the
target of most of the hacks out there like IE/OLE are.

73,

  - Aaron, NN6O

More information about the Ham-Computers mailing list