Website design - Caz Limited

Briefing document

Cookies and pies

What cookies aren't

Cookies aren't viruses or any other kind of malware. Their bad reputation in some circles has come about because they can be used for tracking website visits, and tracking is perceived by those same people to be bad per se.

Background

When you browse a web page, you are using a protocol called HTTP to get pages from the web server. HTTP is a 'stateless' protocol in that it makes a connection to the web server, grabs a page, picture or whatever, then drops the connection and forgets that you ever existed. This is very scalable but imposes severe limitations on websites that involve commercial transactions. Cookies are an attempt to bypass this limitation so that the web server can remember who you are between pages.

The cookie itself

A cookie is a small text file, or part of a text file, that is saved to your hard disk.

On Windows computers, cookies are kept in the folder C:\Documents and Settings\<user name>\Cookies. They can be inspected with a text editor like Notepad.

On Mac OS X, cookies are kept in a file called cookies.plist, an XML file that is under <user name>, library, cookies. You can open it in TextEdit.

Types of cookie

There are two types: session and persistent.

The session cookies last just as long as you keep your browser open and maybe another 20-30 minutes. Persistent cookies can last forever - though this practice is now deprecated in favour of much shorter times.

Expiration

The website designer can set the expiry date of a persistent cookie. If you visit a website within the expiry period, it's likely that the cookie expiry will be refreshed for another week, month, 90 days - whatever was designed into the website.

What sort of data do they hold?

It's always going to be pretty minimal because of a nominal 4K limitation in file size built into the browser. Most are less than 1K.

For the website

Below are a couple of BBC cookies taken off a Mac OS X computer. One of these is for the media player selection, the other for a particular Radio 4 programme. They are in XML, but reasonably easy to decode, being mostly made up of key and string pairs. Note that an ellipsis has been added into the long values to make them shorter.

<key>Created</key>
<real>160347150.90862599</real>
<key>Domain</key>
<string>.bbc.co.uk</string>
<key>Expires</key>
<date>2007-01-30T20:52:31Z</date>
<key>Name</key>
<string>BBCMediaSelector</string>
<key>Path</key>
<string>/</string>
<key>Value</key>
<string>m%3Arm%26b ... 26st%3A</string>

<key>Created</key>
<real>161815201.16095799</real>
<key>Domain</key>
<string>www.bbc.co.uk</string>
<key>Expires</key>
<date>2006-02-21T20:40:01Z</date>
<key>Name</key>
<string>rmRpradio4/chainreaction</string>
<key>Path</key>
<string>/radio/aod/</string>
<key>Value</key>
<string>/radio/aod/shows/ ... Reaction</string>

By having these cookies, the BBC don't have to ask you your preferences again when you visit their website.
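To show how such a cookies.plist can be read and checked, here is an added example (not from the briefing or the BBC): a Python parser run over a constructed two-cookie file in the same shape as the fragments above, which reports how long each cookie was set to live and whether it has expired. It assumes 'Created' is an Apple absolute time (seconds since 2001-01-01 UTC); the 'Value' strings are placeholders.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a Mac OS X cookies.plist: an <array> of
# <dict> entries, one per cookie. The 'Value' strings are placeholders.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
<dict>
  <key>Created</key><real>160347150.90862599</real>
  <key>Domain</key><string>.bbc.co.uk</string>
  <key>Expires</key><date>2007-01-30T20:52:31Z</date>
  <key>Name</key><string>BBCMediaSelector</string>
  <key>Path</key><string>/</string>
  <key>Value</key><string>placeholder-1</string>
</dict>
<dict>
  <key>Created</key><real>161815201.16095799</real>
  <key>Domain</key><string>www.bbc.co.uk</string>
  <key>Expires</key><date>2006-02-21T20:40:01Z</date>
  <key>Name</key><string>rmRpradio4/chainreaction</string>
  <key>Path</key><string>/radio/aod/</string>
  <key>Value</key><string>placeholder-2</string>
</dict>
</array></plist>"""

# Assumption: 'Created' is an Apple absolute time, seconds since 2001-01-01 UTC.
# Read that way, the sample's expiry dates fall exactly 365 and 5 days after
# creation, which is what a designer-chosen lifetime would look like.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def parse_cookie_plist(data):
    """One dict per cookie; timestamps become timezone-aware datetimes."""
    cookies = []
    for e in plistlib.loads(data):
        expires = e["Expires"].replace(tzinfo=timezone.utc)  # plistlib gives naive UTC
        cookies.append({"domain": e["Domain"], "name": e["Name"], "path": e["Path"],
                        "created": MAC_EPOCH + timedelta(seconds=e["Created"]),
                        "expires": expires, "value": e["Value"]})
    return cookies

def lifetime_days(cookie):
    """Whole days from creation to expiry: the lifetime the designer chose."""
    return round((cookie["expires"] - cookie["created"]).total_seconds() / 86400)

def is_expired(cookie, now=None):
    """True once the expiry date has passed (defaults to the current time)."""
    return cookie["expires"] <= (now or datetime.now(timezone.utc))
```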

In other cases, the cookie contains a unique (effectively random) number that is then used to pick up your details from the website's database. Once again, this is then used to personalise the website according to the selections that you've made eg your language preference on a multilingual website.

For third parties

Unless you have an ad blocker in place, you will see all kinds of ads as you browse the Internet. Frequently these are provided by agencies who also like to put cookies in your browser so they can tell which sites you've been to and what your preferences might be - so they can load relevant advertising. There again, you might regard this as infringement of your privacy.

Managing cookies

Most cookies are not only inoffensive, they make browsing the web easier, but if it's a concern, you can limit them. If you do block cookies, then the website designer has to track you by other means if the website is going to work - ie you can turn off cookies, but you won't necessarily be turning off tracking.

You can control cookies within the privacy settings of your web browser on a site-by-site basis even if you've made the restrictions quite tight. But don't think that by going 'cookieless' you have given yourself complete protection.

Some websites throw a hissy fit when you block their cookies and simply won't work. These days it is possible for the designer - if conversant with the correct technologies - to create a website that doesn't use cookies but passes all the information in the address bar after the website page name. It takes the form: www.caz.ltd.uk/?st=2. The bit after the question mark is called the query string and can pass information between pages. On some sites this query string gets amazingly long, but there is a size limit which they can't exceed.

Now here's the danger: in an ecommerce site, the query string would contain all the information that the website needs including your security 'ticket' that was generated when you logged in. This security ticket says that you are who you say you are and will allow you to connect to your shopping basket.

Suppose you start the checkout process but then go back to the catalogue for some reason, decide you have a query, email it to the website sales desk and, being helpful, include the URL of the page you're on, complete with its query string. Think about what you've done. You've just mailed your completely valid authentication credentials to someone who, when they click on the link you sent, will automatically be logged in with your credentials and therefore have access to your shopping basket.

It's unlikely that the website sales office would mess around with your basket, but since you send your email messages in plain text, someone listening in might.
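An added example, not from the briefing, that models the leak just described in Python: the same security 'ticket' checked from the query string (cookieless) versus from the browser's cookie jar, a helper that strips the ticket before a URL is shared, and a small filter of the kind an outbound-mail check could use to spot tickets inside URLs in message text. The ticket parameter name, the ticket value and the session table are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed stand-in for the website's session table (ticket -> customer).
# 'TICKET-7F3A' is a placeholder, not a real token format.
SESSIONS = {"TICKET-7F3A": "alice"}
TICKET_PARAM = "ticket"   # assumed name of the query/cookie parameter

def auth_cookieless(url):
    """Cookieless site: the ticket rides in the query string, so whoever
    holds the URL holds the session."""
    params = dict(parse_qsl(urlsplit(url).query))
    return SESSIONS.get(params.get(TICKET_PARAM))

def auth_cookie(url, cookie_jar):
    """Cookie-based site: the ticket lives in the browser's cookie jar and the
    URL carries only page state, so a forwarded link proves nothing."""
    return SESSIONS.get(cookie_jar.get(TICKET_PARAM))

def strip_ticket(url):
    """Safe-to-share form of a URL: every other query parameter is kept."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k != TICKET_PARAM]
    return urlunsplit(parts._replace(query=urlencode(kept)))

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def leaked_tickets(text):
    """Detection helper: ticket values found inside URLs in free text,
    e.g. the body of an outgoing e-mail."""
    found = []
    for url in URL_RE.findall(text):
        for k, v in parse_qsl(urlsplit(url).query):
            if k == TICKET_PARAM:
                found.append(v)
    return found

# Constructed scenario from the briefing: the customer pastes the URL of the
# page she is on, query string and all, into an e-mail to the sales desk.
CHECKOUT_URL = "http://www.caz.ltd.uk/?st=2&ticket=TICKET-7F3A"
EMAIL = "Hi, I have a question about this page: " + CHECKOUT_URL + " Thanks, Alice"

if __name__ == "__main__":
    print("sales desk clicks link, cookieless site:", auth_cookieless(CHECKOUT_URL))
    print("sales desk clicks link, cookie site:", auth_cookie(CHECKOUT_URL, {}))
    print("tickets leaked in the mail:", leaked_tickets(EMAIL))
```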

Our advice is this: even if you block most cookies, allow them on a site-by-site basis for the sites you shop at. Usually you can block third-party (mostly advertisers') cookies anyway in a global setting, so that may be enough for your privacy requirements.

The website owner's view

Convenience

There's little doubt that cookies are the simplest and most convenient way of retaining visitor information between pages. However, right or wrong, a good many people are now blocking cookies, so you should consider provision for cookieless operation.

If you are running an affiliate scheme, then you have to be able to track visitors because your partners will get very upset if you don't. In this case, you'll have to go cookieless for part of it.

There are mechanisms for auto-detection of cookie capability. They do slow the process down on the first visit, but this shouldn't affect an SME website greatly because you're not doing thousands of hits per hour. If you have to get a new web server because you're doing so much business, you can probably deal with that.

Security

Do not use cookieless operation on high security sites eg banking or investments. It's simply not secure enough.

Devices

Not all browsers accept cookies anyway, particularly on mobile devices. You may be obliged to implement cookieless operations for these markets.

From cookies to PIEs

Whereas people have heard about cookies, they are much less familiar with Persistent Identification Elements. So what are they?

Built into the Macromedia Flash multimedia player, which is installed on something like 98% of PCs and Macs, is a facility called local shared objects. Apart from their 'normal' uses, marketeers have discovered that these local shared objects can be used like cookies to store information about where you've been.

Although the marketeers protest that all they are trying to do is deliver better personalisation and 'web experience', the use of PIE does seem to fly in the face of the consumer's desire for privacy. Most people don't take kindly to being unwittingly tracked, so whatever the motive, once people know they are being tailed they aim to put a stop to it.

Managing your PIE

There are legitimate uses of 'local shared objects', so you may want to exercise some discretion as you make changes to your Flash settings.

You can adjust your privacy settings by going to the Global Privacy Settings Panel which is part of the Flash Player Help. You can adjust the space individual websites can use on your computer and, on a separate panel, the disk space for websites that you haven't yet visited.

More information

Do a Google search for Persistent Identification Elements.

Reference

www.allaboutcookies.org

2010 © Caz Limited