When cookies are bad

Cookies as the panacea for all

Cookies are typically used to implement authentication, personalized web sites, user tracking and vote tracking. Most of the time they are intrusive, unnecessary, raise privacy concerns and insecure. Ever wondered why all those ad-servers want to set cookies?

Cookies allow sites to track users accross site. Do you want to be tracked and followed everywhere you go?

Websites can store sensitive data on your system. I've seen websites that store usernames and passwords in cookie files. I wonder how many store credit card info.

When cookies are bad

When are cookies bad?

  1. From a user perspective cookies are bad. Cookies can screw things up. Recently I could no longer access my ASB Bank's website. Logon always failed. I called the helpdesk: “Yes, some problems with obsolete cookies. Could you please delete all the cookies on your system?” I wonder how the typical grandma would react to that! But deleting all the cookies enabled me to logon again. Why do companies use technology that can screw up?
  2. From a paranoid perspective cookies are bad. I browser with the "Ask" setting, so if a site wants to set cookies I get a dialog box if I want to allow that. These days all and sundry websites want to set one. If would help me if I could say that Session cookies are ok, but I want to review all others. Unfortunately I still can't. So browsing new sites is an annoying experience.
  3. From a power user perspective cookies are bad. For example the Rush Limbaugh website uses cookies for authentication. I'm a subscriber to this website. Rush is broadcasting his show when I'm still asleep. But I like to automatically record his show so I can listen to it later in the day.
    However, simply downloading the podcasts is not simple. Because of cookies. Otherwise it would be a simple matter of using wget to download the MP3 files, specifying my user name and password, and be done. Because of cookies I must supply a cookie file to wget. And every week I have to login again to Rush's site to get new cookies. They seem to expire every week or so. If a site uses cookies, automating access to it becomes much harder.
  4. From a programmer perspective cookies are bad. Writing an HTTP client is no longer easy. If a site uses cookies, you need cookie support. You need to be able to set or get cookies. Setting cookies to their proper values so you can access a website can be an arcane task or one that is next to impossible. Usually you need to fire up a browser, get the cookies right, and use such a cookie file in your program, see the previous paragraphs. Claude Montpetit put the programmer's perspective perfectly when he said:

    Well, I'm lazy ;) [Ed: a good habit for a programmer] I've written here and there little simple clients that use Java URLConnection and send auth headers in the request. If I must add support for storing/managing cookies in there, these client apps will not be as simple anymore and access to the services will not seem as trivial.

  5. From a REST perspective cookies are bad. Claude Montpetit again:

    Writing simple clients that interact with a REST server should not require the client to manage cookies.

  6. From an architectural perspective cookies are bad. Jon Hanna has the final word on the subject:

    Ultimately it is a matter of it no longer being a matter of URIs identifying resources, authentication headers determining access rights, content headers determining type of representation and other headers determining what processing should be done in a well-specified manner.

    It becomes a matter of URIs partially identifying resources, authentication headers partially determining access rights content headers partially determining type of representation and other headers partially determining what processing should be done along with cookies doing the Gods know what.

Lazy registration

There is one use case for which cookies seem to be necessary and that is the lazy registration case. If the user is willing to store sensitive tracking data on his system, cookies are the only way to support this use case.

Too bad I've yet to encounter the website that actually asks me if they are allowed to store some data on my computer that allows them, and who knows else, to track me down, wherever I go.


It seems cookies might also be needed for federated logins??