When cookies are bad
Cookies as the panacea for all
Cookies are typically used to implement authentication,
personalized web sites, user tracking and vote tracking. Most of the
time they are intrusive, unnecessary and insecure, and they raise
privacy concerns: whatever is stored in a cookie is sent along with
every matching request, so it is only as safe as the transport and the
machine it sits on. Ever wondered why all those ad-servers want to set
Cookies allow sites to track users across sites. Do you want to be
tracked and followed everywhere you go?
Websites can store sensitive data on your system. I've seen
websites that store usernames and passwords in cookie files. I wonder
how many store credit card info.
When are cookies bad?
- From a user perspective cookies are bad. Cookies can screw things
up. Recently I could no longer access my ASB Bank's website. Logon always
failed. I called the helpdesk: “Yes, some problems with
obsolete cookies. Could you please delete all the cookies on your
system?” I wonder how the typical grandma would react to that!
But deleting all the cookies enabled me to logon again. Why do
companies use technology that can screw up?
- From a paranoid perspective cookies are bad. I browse with the
"Ask" setting, so if a site wants to set a cookie I get a dialog box
asking whether I want to allow that. These days all and sundry websites
want to set one. It would help me if I could say that session cookies
are OK but that I want to review all others. Unfortunately I still
can't, so browsing new sites is an annoying experience.
- From a power user perspective cookies are bad. For example, the Rush Limbaugh website uses
cookies for authentication. I'm a subscriber to this website. Rush is
broadcasting his show when I'm still asleep, but I like to
automatically record his show so I can listen to it later in the
However, simply downloading the podcasts is not simple, because of
cookies. Otherwise it would be a simple matter of using wget to download the MP3
files, specifying my user name and password, and being done. Because of
cookies I must supply a cookie file to wget, and every week I have to
log in again to Rush's site to get new cookies. They seem to expire
becomes much harder.
- From a programmer perspective cookies are bad. Writing an HTTP
support. You need to be able to set or get cookies. Setting cookies to
their proper values so you can access a website can be an arcane task,
or one that is next to impossible. Usually you need to fire up a
browser, get the cookies right, and use such a cookie file in your
program; see the previous paragraphs. Claude Montpetit put the
programmer's perspective perfectly when he said:
Well, I'm lazy ;) [Ed: a good habit for a programmer] I've written
here and there little simple clients that use Java URLConnection and
send auth headers in the request. If I must add support for
storing/managing cookies in there, these client apps will not be as
simple anymore and access to the services will not seem as trivial.
- From a REST perspective cookies are bad. Claude
Writing simple clients that interact with a REST server
should not require the client to manage cookies.
- From an architectural perspective cookies are bad. Jon
Hanna has the final word on the subject:
Ultimately it is a matter of it no longer being a matter of URIs
identifying resources, authentication headers determining access rights,
content headers determining type of representation and other headers
determining what processing should be done in a well-specified manner.
It becomes a matter of URIs partially identifying resources,
authentication headers partially determining access rights, content
headers partially determining type of representation and other headers
partially determining what processing should be done along with cookies
doing the Gods know what.
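The power-user and programmer points above come down to the same mechanics: a client has to carry a cookie file around, know which cookies apply to which request, and notice when they have expired, whereas an Authorization header is rebuilt from the credentials on every request. The following script is an added example (not code from this page or from any of the sites mentioned) that reads a cookie file in the Netscape format wget --load-cookies and curl -b use, computes the Cookie header a browser would send for a given URL, reports expired and credential-looking cookies, and shows the one-line Basic auth header for comparison. All hosts, cookie names, values and timestamps in it are constructed for illustration, and the "current time" is fixed so the results are reproducible.

```python
"""Replay a wget/curl cookie file (Netscape format) the way a browser would,
and contrast it with a stateless Authorization header.  Added example; every
host, cookie and timestamp below is constructed for illustration."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

HTTPONLY_PREFIX = "#HttpOnly_"          # curl marks HttpOnly cookies this way
CREDENTIAL_NAME = re.compile(r"pass|pwd|secret|user|login|email", re.I)

# Constructed cookie jar in the format wget --save-cookies/--load-cookies use.
# Columns: domain, include-subdomains, path, secure, expires (Unix time,
# 0 = session cookie), name, value.
SAMPLE_COOKIE_FILE = (
    "# Netscape HTTP Cookie File\n"
    ".example.test\tTRUE\t/\tTRUE\t1700000000\tSESSIONID\tabc123\n"
    "#HttpOnly_.example.test\tTRUE\t/\tTRUE\t1700604800\tauthtoken\tZZZ\n"
    ".example.test\tTRUE\t/\tFALSE\t0\tsessiontmp\tq\n"
    ".example.test\tTRUE\t/members\tFALSE\t1900000000\tpassword\thunter2\n"
    ".tracker.test\tTRUE\t/\tFALSE\t2000000000\tuid\t1a2b3c\n"
)
NOW = 1700300000   # fixed "current time" (constructed) so results are stable


@dataclass
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: int            # Unix time; 0 means a session cookie
    name: str
    value: str
    http_only: bool = False

    def is_expired(self, now: int) -> bool:
        return self.expires != 0 and self.expires <= now

    def days_left(self, now: int) -> Optional[float]:
        if self.expires == 0 or self.is_expired(now):
            return None
        return (self.expires - now) / 86400


def parse_netscape_cookies(text: str) -> List[Cookie]:
    """Parse the tab-separated Netscape cookie file format."""
    cookies = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        http_only = False
        if line.startswith(HTTPONLY_PREFIX):      # HttpOnly lines look like comments
            http_only = True
            line = line[len(HTTPONLY_PREFIX):]
        elif line.startswith("#") or not line.strip():
            continue                              # real comment or blank line
        fields = line.split("\t")
        if len(fields) == 6:                      # empty value: trailing tab lost
            fields.append("")
        if len(fields) != 7:
            raise ValueError(f"malformed cookie line: {raw!r}")
        domain, subs, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain, subs == "TRUE", path, secure == "TRUE",
                              int(expires), name, value, http_only))
    return cookies


def cookie_header_for(cookies: List[Cookie], url: str, now: int) -> Optional[str]:
    """Cookie request header a client would send to url under the Netscape
    rules: not expired, domain matches, path prefix matches, Secure only
    over https.  Returns None when nothing applies."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    sent = []
    for c in cookies:
        if c.is_expired(now):
            continue
        d = c.domain.lstrip(".").lower()
        domain_ok = host == d or (c.include_subdomains and host.endswith("." + d))
        path_ok = path == c.path or path.startswith(c.path.rstrip("/") + "/")
        if domain_ok and path_ok and (parts.scheme == "https" or not c.secure):
            sent.append(f"{c.name}={c.value}")
    return "; ".join(sent) if sent else None


def expired_names(cookies: List[Cookie], now: int) -> List[str]:
    """Cookies that force a fresh login before the jar is useful again."""
    return [c.name for c in cookies if c.is_expired(now)]


def credential_like(cookies: List[Cookie]) -> List[str]:
    """Cookies whose name suggests a credential is being stored on disk."""
    return [c.name for c in cookies if CREDENTIAL_NAME.search(c.name)]


def basic_auth_header(user: str, password: str) -> str:
    """The stateless alternative: rebuilt per request, nothing to store."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    jar = parse_netscape_cookies(SAMPLE_COOKIE_FILE)
    for url in ("https://www.example.test/members/show.mp3",
                "http://www.example.test/members/show.mp3",
                "https://tracker.test/px.gif"):
        print(url, "->", cookie_header_for(jar, url, NOW))
    print("expired:", expired_names(jar, NOW))
    print("credential-like:", credential_like(jar))
    print("Authorization:", basic_auth_header("me", "s3cret"))
```

Note what the jar replay has to get right that the header does not: the Secure cookie is dropped when the same URL is fetched over plain http, the cookie scoped to /members is not sent for the podcast feed at /, and the expired SESSIONID silently disappears, which is exactly the "login again every week" experience described above. The password cookie is also a reminder that anything written to the jar is readable by whoever can read the file.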
There is one use case for which cookies seem to be necessary, and
that is the lazy
registration case. If the user is willing to store sensitive
tracking data on his system, cookies are the only way to support this
Too bad I've yet to encounter the website that actually asks me if
they are allowed to store some data on my computer that allows them,
and who knows who else, to track me down wherever I go.
It seems cookies might also be needed for federated logins??