WebProWorld Part of WebProNews.com
  #1 (permalink)  
Old 07-09-2007, 07:38 PM
WebProWorld Pro
 

Join Date: Apr 2004
Posts: 284
imvain2 RepRank 0
Cool KISS Principle: Cookie Enabled Detection

First, let me say I know this thread is going to get a lot of people stating cookies are evil and the cause of problems, blah blah blah.

The real fact about cookies is that 95% of them aren't bad. If you have spyware/adware that installs cookies, this isn't a cookie issue, it's a malware issue.

The term tracking cookie stirs up all this negative thinking, however unless you have malware installed, cookies CAN'T track what you haven't provided to the website in the first place. The only real time a cookie can be considered tracking without you providing info is when your web browser sends its referring URL to the website generating the cookie, so in fact it's your browser who is the metaphorical Judas in this situation.

In other words, cookies aren't as bad as people might want you to believe.

-================
Now onto my point of this thread.
-================

I'm a firm believer of the K.I.S.S principle. Keep it simple stupid.

In the case of determining if a browser has cookies enabled, I have seen many modules/components and so on to determine if the browser has cookies enabled. I have seen where these don't work across platforms and across browsers in some cases.

My solution to this is a simple solution that will work across platforms, across browsers and even across programming languages. Below is the pseudocode for my solution. My solution is to set a test cookie with some value, then check to see if the test cookie has the value you set. If not, the cookies have been disabled; if it does have the value, then the cookies are enabled.

set cookie test = 1

if test cookie = 1 then
    Cookies enabled
else
    Cookies disabled; write message to the screen informing the user that the website's functionality requires cookies to be enabled.
end if

This will also work for sessions.


Ryan
  #2 (permalink)  
Old 07-10-2007, 10:03 AM
WebProWorld Member
 

Join Date: Jul 2007
Location: Chicago, IL
Posts: 54
ArthurKay RepRank 0
Default Re: KISS Principle: Cookie Enabled Detection

I would agree that the vast majority of cookies are not evil. That being said, I also think too many sites use them when they aren't necessary. As a result, many people misunderstand the use of cookies.

On sites I have created, I try to reserve using cookies only for password-protected areas of the site. Even then, I have a message stating that I am placing a cookie on their machine for that specific purpose. I also make the cookie expire immediately when the browser closes.

While storing other data in the cookie may be useful (or time-saving), I try to steer clear of them as much as I can.
__________________
Art
Why I Love Chicago | Shady Landlords
  #3 (permalink)  
Old 07-10-2007, 10:54 AM
WebProWorld Veteran
 

Join Date: Dec 2006
Location: Calgary, Alberta, Canada
Posts: 354
DaveSawers RepRank 1
Default Re: KISS Principle: Cookie Enabled Detection

Your pseudocode is the standard method for checking if cookies are enabled. You can do it in JavaScript without a refresh (if JavaScript is enabled) or by setting the cookie using PHP or similar, refreshing the page and checking for its existence.
__________________
Dynamic Software Development
www.activeminds.ca
  #4 (permalink)  
Old 07-10-2007, 11:11 AM
Moderator
WebProWorld Moderator
 

Join Date: Jun 2006
Location: United States
Posts: 1,717
wige RepRank 4
Default Re: KISS Principle: Cookie Enabled Detection

Only problem with doing an automatic refresh is that a search engine may see the refresh and red flag the page. My site uses the http referrer. If the http referrer does not match my domain name, it tries to set the cookie, because this is the first page on my site the user has visited. If the http referrer does match my domain name, it checks the cookie and shows an error if it is not set.

As for security: the idea that cookies reduce security is not true, so long as nothing is stored in the cookie other than a temporary id code. If all that is in the cookie is a session id, cookies are more secure than using session ids appended to URLs, where they can be accidentally copied into links and crawled by search engines, exposing the server to exploits. Properly implemented, cookies might reduce privacy, but they do enhance security compared to other active state emulation methods.
__________________
The best way to learn anything, is to question everything.
Interestingly Average Security Blog
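
The two server-side variants described in posts #3 and #4 above, as an added example that is not any poster's code: a set-then-redirect check and a Referer-based check with no redirect. The host name, cookie name, `cookiecheck` parameter and the request/response object shapes are assumptions made for the illustration.

```javascript
// Added example: server-side cookie detection written as pure functions over
// a minimal request object ({ url, headers }), so it runs without a network.

const SITE_HOST = 'www.example.test';   // assumed site host (placeholder)
const TEST_COOKIE = 'cookie_test';      // assumed cookie name
// The test cookie carries no data; HttpOnly and SameSite keep it out of
// scripts and cross-site requests. Add "Secure" on an HTTPS-only site.
const SET_TEST = `${TEST_COOKIE}=1; Path=/; HttpOnly; SameSite=Lax`;

// Parse a Cookie request header into a { name: value } map.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// True only when the Referer names a page on our own host.
function isInternalReferer(referer) {
  try {
    return new URL(referer).host === SITE_HOST;
  } catch (_) {
    return false;   // missing or malformed Referer counts as external
  }
}

// Variant A (post #3): set the cookie, redirect once, check on the way back.
function handleWithRedirect(req) {
  const url = new URL(req.url, `https://${SITE_HOST}`);
  const cookies = parseCookies(req.headers.cookie);
  if (cookies[TEST_COOKIE] === '1') {
    return { status: 200, cookies: 'enabled', headers: {} };
  }
  if (url.searchParams.get('cookiecheck') === '1') {
    // We already set it once and it did not come back: stop, do not loop.
    return { status: 200, cookies: 'disabled', headers: {} };
  }
  url.searchParams.set('cookiecheck', '1');
  return {
    status: 302,
    cookies: 'unknown',
    // Path and query only, so the redirect can never leave this site.
    headers: { 'Set-Cookie': SET_TEST, Location: url.pathname + url.search },
  };
}

// Variant B (post #4): no redirect; the Referer tells us whether this is the
// visitor's first page. The Referer is optional and client-controlled, so a
// stripped one only leaves the answer at "unknown"; use it for nothing else.
function handleWithReferer(req) {
  const cookies = parseCookies(req.headers.cookie);
  if (cookies[TEST_COOKIE] === '1') {
    return { status: 200, cookies: 'enabled', headers: {} };
  }
  if (isInternalReferer(req.headers.referer)) {
    // Came from one of our own pages, which set the cookie, yet none arrived.
    return { status: 200, cookies: 'disabled', headers: {} };
  }
  return { status: 200, cookies: 'unknown', headers: { 'Set-Cookie': SET_TEST } };
}
```

Variant B never redirects, which avoids the refresh concern raised in post #4, but it can only report "disabled" from the second page onward.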
  #5 (permalink)  
Old 07-10-2007, 04:54 PM
WebProWorld Veteran
 

Join Date: Jul 2003
Location: Colorado
Posts: 380
southplatte RepRank 1
Default Re: KISS Principle: Cookie Enabled Detection

Quote:
Originally Posted by imvain2 View Post
The term tracking cookie stirs up all this negative thinking, however unless you have malware installed, cookies CAN'T track what you haven't provided to the website in the first place. The only real time a cookie can be considered tracking without you providing info is when your web browser sends its referring URL to the website generating the cookie, so in fact it's your browser who is the metaphorical Judas in this situation.

Ryan
I agree with the pseudocode provided as a simple way to check for cookies and/or sessions.

However for understanding of a tracking cookie, you only need to look at major advertising networks who frequently use code that loads images they host - and many times those are loaded from a script - you know the javascript you get to paste into your web page to show the affiliate banner?

Okay, in the terms of a large banner network that has ads on numerous web sites, they now can validate their cookie since it was placed via a call to their hosted script on their domain - they then can use this to "track" the sites you see their ads on, which ads you click on and which site those ads were on - thus the term tracking cookie.

Since they are loaded via javascript or other script, as is often the case, it is loaded from their domain, not the domain you may be presently visiting, thus avoiding the security of a cookie only being able to be accessed via the originating setting domain - since it is being remotely called via the script.

No malware/adware necessary to accomplish such a deed either.

At least that is how I understand and interpret it. And in that case I don't care if it is a White Chocolate Macadamia Nut cookie, it's bad.

Cookies for login/secure portions of a site or to remember user preferences are fine and dandy and serve a valid purpose. Cookies placed by third parties via loading remote scripts are just bad and wrong as they can be validated across domains and have no valid purpose except for profiling.

Last edited by southplatte : 07-10-2007 at 04:57 PM.
  #6 (permalink)  
Old 07-10-2007, 07:32 PM
WebProWorld 1,000+ Club
 

Join Date: May 2004
Location: Philadelphia, PA
Posts: 1,585
deepsand RepRank 2
Default Re: KISS Principle: Cookie Enabled Detection

Quote:
Originally Posted by southplatte View Post
<snip>

Cookies for login/secure portions of a site or to remember user preferences are fine and dandy and serve a valid purpose. Cookies placed by third parties via loading remote scripts are just bad and wrong as they can be validated across domains and have no valid purpose except for profiling.
Are you saying that all 3rd-party cookies & scripts are evil? Even though they are the backbone of analytics?

Bear in mind that cookies were intentionally designed to preserve state-fullness in a protocol that is by nature stateless.
  #7 (permalink)  
Old 07-10-2007, 09:23 PM
WebProWorld New Member
 

Join Date: Apr 2005
Posts: 19
lanthus RepRank 0
Default Re: KISS Principle: Cookie Enabled Detection

Microsoft's MSIE-x recommendation for replacing cookies, for large data quantities, has been their Persistence Behaviors: saveSnapshot, saveHistory, saveFavorite, userData ... which cover various angles of re-visitations depending on where the page is to be saved ...

But presently these features are confused: -It seems- they only intend you to use one Persistence Behavior at a time, as there is only one META tag "name=save" allowed by MSIE [empirical evidence: reordering messes and they don't group], and multiple Classes aren't chaining-through [empirical evidence], and their concept is boggled when individual objects fire 'onsave' but you really want to save the whole bunch, conceptually ... and they're not all straightforward-enable-its ... There are various space limitations for our 400KB-editors.

(And then there are persistent MSIE-bugs dropping HTML-end-tags, and so changing the format of the restored page....)

PS. It also invokes the newest MSIE-7 crash modes.

Ray.
__________________
Mr. Raymond Kenneth Petry
Lanthus Corporation

Last edited by lanthus : 07-10-2007 at 10:10 PM.
  #8 (permalink)  
Old 07-11-2007, 03:02 AM
WebProWorld Member
 

Join Date: Dec 2005
Posts: 34
schachin RepRank 0
Default Re: KISS Principle: Cookie Enabled Detection

Along these lines .. what do you do to make cookies play well with spiders? Isn't this part of what makes cookies a poor choice at times?

Thanks!
  #9 (permalink)  
Old 07-11-2007, 04:52 PM
WebProWorld Veteran
 

Join Date: Jul 2003
Location: Colorado
Posts: 380
southplatte RepRank 1
Default Re: KISS Principle: Cookie Enabled Detection

Quote:
Originally Posted by deepsand View Post
Are you saying that all 3rd-party cookies & scripts are evil? Even though they are the backbone of analytics?

Bear in mind that cookies were intentionally designed to preserve state-fullness in a protocol that is by nature stateless.
You are correct in that cookies, as well as sessions, were designed to preserve state-fullness in a stateless http protocol web.

And I did not say all third-party cookies are evil, however if the user is not notified of the "third-party" cookie use, could that be considered errant on the web site owner's part if it is not disclosed within the privacy policy or terms of use for the site? I am thinking that it could be construed that way.

To further the point, I did not point out analytics for a reason, but did specifically point out the advertising networks which are more notorious for tracking a computer across multiple sites, while analytics generally only track the computer in terms of the referring site (if any), pages viewed and exit page type of information. There is no reason that Google (or any other analytic package) would track a computer across multiple sites like the advertising networks do because that is not the purpose of analytics, and further opens up a whole new can if as a web site owner I can track analytics for any given user across multiple domains. Thus analytics and advertising tracking are two completely different monsters, each with its own inner beast.

I also never implied that third-party scripts are evil at all, however I will offer that using them sometimes leads a web developer (and thus the web site owner if it was developed for a client) down a potentially dangerous road if the third-party script uses cookies, sessions or other technology to maintain statefulness that can lead to potential use of identifying information and is hosted on a different domain, uses a different privacy policy or terms of use policy. If the web developer implementing the third-party script has not done their homework, there could be serious consequences from informed consumers that can claim they were never notified they were subject to a third-party's privacy policy or terms of use while on said site since most privacy policies and terms of use will talk about outbound links subjecting the visitor to the third-party's policies, but rarely have I ever seen them state that they are subject to the third-party's policies while still on the originating web site/domain.

Last edited by southplatte : 07-11-2007 at 04:56 PM.
  #10 (permalink)  
Old 07-11-2007, 06:23 PM
WebProWorld 1,000+ Club
 

Join Date: May 2004
Location: Philadelphia, PA
Posts: 1,585
deepsand RepRank 2
Default Re: KISS Principle: Cookie Enabled Detection

Quote:
Originally Posted by southplatte View Post
You are correct in that cookies, as well as sessions, were designed to preserve state-fullness in a stateless http protocol web.

And I did not say all third-party cookies are evil, however if the user is not notified of the "third-party" cookie use, could that be considered errant on the web site owner's part if it is not disclosed within the privacy policy or terms of use for the site? I am thinking that it could be construed that way.
Whether or not a user is notified of the attempted use of a cookie, be it 1st or 3rd-party, will depend on that user's browser and/or BHO, and the settings that he has selected. In my experience, most users have neither the requisite knowledge, time & patience to adequately screen cookies, and go to one extreme or the other, either allowing or blocking all cookies. And, I've yet to see a user even look for a privacy policy, let alone make a decision based on such.

Furthermore, a developer has no control over the existence and/or content of a 3rd-party privacy statement; in fact, many well established & trusted sites fail in this regard. Therefore, the best a developer or site administrator can do is to carefully vet those 3rd-party sites whose cookies and/or scripts may be invoked by users of his site.

Quote:
Originally Posted by southplatte View Post
To further the point, I did not point out analytics for a reason, but did specifically point out the advertising networks which are more notorious for tracking a computer across multiple sites, while analytics generally only track the computer in terms of the referring site (if any), pages viewed and exit page type of information. There is no reason that Google (or any other analytic package) would track a computer across multiple sites like the advertising networks do because that is not the purpose of analytics, and further opens up a whole new can if as a web site owner I can track analytics for any given user across multiple domains. Thus analytics and advertising tracking are two completely different monsters, each with its own inner beast.
Actually, analytics can & does "track across multiple sites." The difference between analytics & advertising lies solely in the intent with regards to the use of the information collected. The former seeks to determine group behavior; the latter, individual behavior. Cookies & scripts can, like any tool, be used for both good & bad; the tool, though, is wholly agnostic re. the intent of the user.

Quote:
Originally Posted by southplatte View Post
I also never implied that third-party scripts are evil at all, however I will offer that using them sometimes leads a web developer (and thus the web site owner if it was developed for a client) down a potentially dangerous road if the third-party script uses cookies, sessions or other technology to maintain statefulness that can lead to potential use of identifying information and is hosted on a different domain, uses a different privacy policy or terms of use policy. If the web developer implementing the third-party script has not done their homework, there could be serious consequences from informed consumers that can claim they were never notified they were subject to a third-party's privacy policy or terms of use while on said site since most privacy policies and terms of use will talk about outbound links subjecting the visitor to the third-party's policies, but rarely have I ever seen them state that they are subject to the third-party's policies while still on the originating web site/domain.
What a developer is & is not able to do re. the privacy statements of 3rd-parties is, in part at least, dependent on who those parties are.

For example, within the realm of PPC advertising & conversion tracking, Yahoo/Overture & Google take decidedly different approaches. The former provides the advertiser with the appropriate text & stipulates that such must be provided on the advertiser's site. The latter provides for no up-front notification, but rather includes, on one's conversion page, a link to their policy statement.

When all is said, the best that an honest site can do is to exercise diligence, and try to educate one's visitors.

PS - Does this site's "Multi-Quote This Message" function work? If so, how is it used? For me, it seems to be inactive.
  #11 (permalink)  
Old 07-12-2007, 11:04 AM
Moderator
WebProWorld Moderator
 

Join Date: Jun 2006
Location: United States
Posts: 1,717
wige RepRank 4
Default Re: KISS Principle: Cookie Enabled Detection

Quote:
Originally Posted by deepsand View Post
The latter provides for no up-front notification, but rather includes, on one's conversion page, a link to their policy statement.
Actually, Google Analytics embeds their privacy policy (or did at the time I used them on my site) in the javascript that you embed. It is in simplified P3P format. IE 6 (not sure about 7) would block third party cookies by default unless they had an embedded P3P file in the server's response headers.
Quote:
Originally Posted by deepsand View Post
PS - Does this site's "Multi-Quote This Message" function work? If so, how is it used? For me, it seems to be inactive.
Ditto for me. About one in five refreshes when I accessed the page would not display the quote.
__________________
The best way to learn anything, is to question everything.
Interestingly Average Security Blog
  #12 (permalink)  
Old 07-12-2007, 11:19 AM
WebProWorld Veteran
 

Join Date: Jul 2003
Location: Colorado
Posts: 380
southplatte RepRank 1
Default Re: KISS Principle: Cookie Enabled Detection

Quote:
Originally Posted by deepsand View Post
Whether or not a user is notified of the attempted use of a cookie, be it 1st or 3rd-party, will depend on that user's browser and/or BHO, and the settings that he has selected. In my experience, most users have neither the requisite knowledge, time & patience to adequately screen cookies, and go to one extreme or the other, either allowing or blocking all cookies. And, I've yet to see a user even look for a privacy policy, let alone make a decision based on such.
Well, if a user has their browser security set up for cookie control - you are right, that is the only time they are notified of cookies. However, a good policy will let them know if cookies are used and whether or not they potentially can be used to identify the visitor - such as the case in persistent login cookies. Whether or not the visitor ever reads is not the obligation of the web site owner/developer as it was made public and posted on the site stating the policies - it's called indemnification - the site has done in good faith what it needs to as required by law and (hopefully) following good business practices to notify the users of this information.

And you are correct, the developer has no control over the existence and/or content of a 3rd party privacy statement, or policy - but as you point out and as I believe I had - they must choose the 3rd party wisely and know and understand 'fully' what that 3rd party script they embed in their site actually does, the data it collects, and how that data is used. If they do not, I still tell you, the developer or site owner is going to be opened up to all kinds of potential nastiness from their visitor base in the form of ID theft cases because they used a 3rd party script that may or may not have had access to personally identifiable information, been lacking in security, or otherwise misuse data collected, whether that data is collected on the site or via the 3rd party embedded script becomes irrelevant.

We have inquiries on our privacy policy of our main web site, of course when you are receiving nearly 50,000 unique visitors, with nearly half-million page views each month, your user base is comprised of those who do actually take the time to read and find out information. You are correct in the fact that a developer has no control over the 3rd party policies, however when using these scripts that are hosted by said 3rd party, he/she is under the moral obligation to notify users that they are subjected to the 3rd party policy - which was my intended point to bring across.

Quote:
Originally Posted by deepsand View Post
Actually, analytics can & does "track across multiple sites." The difference between analytics & advertising lies solely in the intent with regards to the use of the information collected. The former seeks to determine group behavior; the latter, individual behavior. Cookies & scripts can, like any tool, be used for both good & bad; the tool, though, is wholly agnostic re. the intent of the user.
The tool is either good or bad. I offer that an analytic tool that is capable of tracking multiple domains, that are owned by multiple entities is "not" providing anything better than an advertising that does the same and is used only for profiling, which we all know is not something that the majority of web users are generally comfortable with - otherwise there would not be so many products out there that block the ad networks ads - not only is it an annoyance to the user, but it tracks their footsteps as well.

To further this, I have yet to see a standard business intelligence suite, analytic package, web stats package that will allow a developer or site owner to track information for multiple domains, unless their tracking/analytic code has been used on multiple domains, which means the multiple domains are probably owned by the same entity (developer or site/domain owner), or they were hacked to have the tracking code inserted in. The only exception to this that I can muster would be something like the Nielsen or Gartner research that asks the sites to install their analytic/tracking code or the site owner volunteers to install it, and then yes, they can track that user across multiple domains.

As far as analytics being used for group data, and advertising for individuals as you offer - I will counter and play with that point a bit. I can track individual users on any one of the many sites I have developed over the years and tell you that analytics can track individual as well as group aggregated information.

Advertising networks do the same - that is why the ad networks know how many times IP 192.168.1.1 in Chicago, IL has to see the latest Gixadget ad before a purchase is made, and they can also tell you that the same ad is responsible for 500 purchases from 12 different states, 3 different time zones, and what IP was used from which ISP. They can also tell you the time expanse between the first viewing of the ad to the purchase on an individual and group aggregated basis - just as analytics can do. The advertising networks have their own analytics, which is commonly called "performance matrix" or something similar that tells how the ad is doing, etc. Analytics for a web site, is just that, and is not spread over multiple domains, unless the company owns multiple domains. Advertising and Ad analytics if you want to call it that rather than "performance matrix" does go over multiple sites - as an advertiser buyer I can buy ads on any one of a half billion pages that sell or load ads - and I can track each one of those ads on those sites both individually and aggregated - web analytics does not work the way advertising analytics does and that is the key difference - the ability of the ads to be shown on hundreds of different sites, and track visitors across those sites.

A very basic example: If you see an ad on say, MSN.com and it is from a particular ad network, then you see the same ad (or even a different ad) on say CNN.com, but they were both served from the same ad network, the ad network, and thus the individual advertising, now knows what two ads you have seen, on which sites you saw them, if you clicked on them or not, if you made a purchase after clicking on them or not, as well as other information the ad network feels necessary to track about your web visit to that site.

If you come to my site, I will know all the pages you view, where you came from and the page you exited my site on - however I will know nothing of your web visit to any other site, unless it is a site that I have my analytic code or software running on.

That is the key difference in cookies being set by a third party advertising network - my site is domain.com, they are ad-domain.com the cookie is set remotely for their domain, not mine, thus any other site with their code embedded is performing the same method - allowing a remote script to generate usage information across multiple domains, unknown to the web visitor. If a visitor loads my page, and gets a cookie from ad-domain.com and then loads your page with the same script the ad network is going to now know that visitor went from me, to you and what the calling page was, etc, etc. However, do you and I know what was done by that visitor on each other's web site? No.

//to the original intent of my original response

Ultimately my point was to bring to light the erroneous claim that the original poster brought up - that a cookie can't track what the user has not provided to the web site is not true. The fact that he claims the browser sending the referring URL is the browser's fault and any tracking that is done via cookie is a direct result of malware/spyware is also wrong.

I can write a simple script that will assign a random hash code and write it to a cookie without the user doing anything but loading my home page. I can then read that information later, write more information and more cookies based upon this. I can place any type of information I want in this cookie and manipulate it anyway I want or see fit. I think a nice tracking code will work great in this cookie, a code that is made random, but is simultaneously written to the cookie and to my database. The user never provided me with anything at all at this point, maybe not even a referring URL.

The nice thing is, my script resides on my server and is simply called by the user placing a small snippet of code in their web site. I can now place my hash code on any computer that visits any site that has my snippet embedded in their web site. The really nice thing about this is, since my script is being called directly at my domain, I can write and read cookies all day long no matter what the domain of the actual site truly is. Now, I can grab the URL of the page that has my snippet embedded in it, match it to the code that is in the cookie I just wrote, write it to a table in my database and never let the user know this. Then, when the user visits another site that has my snippet of code, I first check for the cookie, and find that it exists, then I match the hash code from the cookie to my database and then I add the url of the page that has my snippet of code embedded in it to my database. I know now of two sites the same user visited, and they still have not provided me with anything, not even their browser with a referring URL because my script automatically retrieves the URL that it is embedded in.

The ad networks do this every day, all day and effectively track users without user input, without spyware, malware or adware being downloaded, installed or executed on the client computer. That is why tracking cookies have a bad rap, that is why so many products exist to block ads (yes they are annoying) but the privacy and tracking ability is frightening for many web users.
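
The mechanism described in post #12, as an added example that is not southplatte's code: an in-memory model of a script embedded from a third-party domain, run once with a browser that accepts third-party cookies and once with one that blocks them. All host names, the id format and the object shapes are constructed for the illustration.

```javascript
// Added example: why the browser's third-party cookie setting decides whether
// an embedded script can tie visits on different sites to one visitor.

// The ad network's endpoint: issue an id cookie when none came back, and log
// which embedding page each request was made from.
function makeTracker() {
  const visitsById = new Map();     // id -> list of embedding page URLs
  let next = 1;
  return {
    visitsById,
    handle(req) {
      let id = req.cookie;          // cookie scoped to the tracker's own domain
      const headers = {};
      if (!id) {
        id = `id-${next++}`;        // stands in for the post's "random hash code"
        headers['Set-Cookie'] = id;
      }
      if (!visitsById.has(id)) visitsById.set(id, []);
      visitsById.get(id).push(req.embeddingPage);
      return headers;
    },
  };
}

// A browser with one cookie slot per domain and a third-party cookie policy.
function makeBrowser({ blockThirdPartyCookies }) {
  const jar = new Map();            // cookie domain -> value
  return {
    // Load pageUrl, which embeds a script served from scriptHost.
    visit(pageUrl, scriptHost, tracker) {
      const firstParty = new URL(pageUrl).hostname;
      const isThirdParty = scriptHost !== firstParty;
      const allowed = !(isThirdParty && blockThirdPartyCookies);
      // The embedding page URL still reaches the tracker either way;
      // only the cookie that links one visit to the next is withheld.
      const res = tracker.handle({
        embeddingPage: pageUrl,
        cookie: allowed ? jar.get(scriptHost) : undefined,
      });
      if (allowed && res['Set-Cookie']) jar.set(scriptHost, res['Set-Cookie']);
    },
  };
}

// Longest list of pages the tracker can attribute to a single id after the
// same visitor loads two unrelated sites that embed its script.
function longestLinkedHistory(blockThirdPartyCookies) {
  const tracker = makeTracker();
  const browser = makeBrowser({ blockThirdPartyCookies });
  browser.visit('https://domain.test/news', 'ad-domain.test', tracker);
  browser.visit('https://other.test/shop', 'ad-domain.test', tracker);
  return Math.max(...[...tracker.visitsById.values()].map((v) => v.length));
}
```

With third-party cookies accepted both pages land under one id; with them blocked each request gets a fresh id and the two visits are no longer joined by the cookie.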