Net Marketers Worried as Cookies Lose Effectiveness

Saint Aardvark writes "The Globe and Mail reports that Internet marketers are worried about the decreasing persistence of cookies. Almost 40% of surfers delete them on a monthly basis, says Jupiter Research -- a fact one marketers attributes to incorrect associations with spyware and privacy invasion. United Virtualities' Flash-based tracking system is mentioned as a possible substitute...though they don't mention the Firefox plugin that removes them, or talk in any meaningful way about why people might want cookies gone. Still, the article is a good overview of life from the marketer's perspective."

The other side of things.

[XorNand (517466)]

Going to play the devil's advocate here, because I know how most of the rest of you feel:

I used to be the web architect for a .com a few years ago. I created a custom metrics program that intergrated into into our (also custom) ecommerce application. To track users, I gave them a single, persistant cookie that contained only a GUID. I used this information to determine our converstion ratio (number of visitors to buyers), figure out the top paths through the site, determine percentage of traffic that was return visitors, etc.

All this stuff was entirely anonymous unless they purchased something from us. But, even then their site history was really only incidently linked to their contact info because we never correlated the data together. Why would I? Knowing that "John Smith" visited our site 3 times a week isn't really any more insightful that knowing that "User #5233258" visited us 3 times a week. The data was only useful in aggregate. For example, knowing that the last page 20% of people visited was our contact page, yet only 10% of those people actually submitted the form would make me reevaluate that page. Maybe the contact form wasn't very user friendly? So, I'd tweak it and then recompare the metrics.

The whole point of my tracking was to better serve our visitors and eventual customers. I wanted to make it easier for them to do what they came to our site to do. Or it would help us target our advertising for effectively. If a lot of people clicking through from a banner ad we had on Site A tended to buy Widget B, we'd decide to modify the banner ad to specifically highlight Widget B. Maybe my attitude is different than most, but I can't be unique. I never looked down upon our visitors, feeling that I was hearding cattle together to be slaughtered, or at least ripped off. Quite the opposite. These visitors wanted to be on my site, elsewise they wouldn't have dropped by. It felt pretty cool that so many people were coming to a site that I was responsible for managing. These people were supplying my paycheck and I had to make sure that they preffered our site to our competitors'. If a lot of visitors deleted that single cookie I used, that made that job much more difficult.

Does that still make me evil?

Re:The other side of things.

[garcia (6573)]

Cookies are fine for storing login information. If a user wants to keep a persistent cookie to make their visits to my site easier they are free to click the box. If they only want a session ID then they can login, use the site, and leave w/o a cookie.

Why do companies think that it is important to not tell a user up front that they are going to get a cookie w/o logging in?

Yeah, they might have been paying your wages and you were just doing your job but I don't see how aggregating statistics need to be d

Re:The other side of things.

[Miros (734652)]

I think you make some really interesting points. From one aspect, you are tracking users by depositing information on their computer. While you claim this information could not be used to identify them elsewhere, it's certainly a concern with less careful web developers at the cookie helm. At the same time, you make an interesting point about how a store owner may want to track how their users use their site, what brings them there, and what they look for. If you think of a real store, the owner would c

Re:The other side of things.

[neil.pearce (53830)]

Cookies cannot be accessed by sites that did not put them there in the first place
You'd hope that would be true, but historically that has not been the case. A google for "cookie exploits", "cookie migration" and even a browse of IE "domain" bugs shows this to be true.

The carefulness of web developers has nothing to do with anything.
Really? Some years ago I noticed that the FriendsReunited.co.uk website set a cookie after I'd logged in, along the lines of "confirmeduser=23959".
What happened if I modified the cookie? Yep, you guessed it... ability to modify somebody elses details.

As a web developer, I know that cookies are a good solution to the problem of maintaining state in a stateless medium
If the medium is stateless there is no solution. You mean "as a lazy developer, cookies work most of the time"?

As a web developer
I'm guessing you claim cookies to be "good" because your development environment/web-server is not configured to allow anything else? Why not just append a "&sessionid=[big binary data]" to all your page links? I'm guessing that, despite being a "web developer" you are not given the ability to do so

Re:The other side of things.

[Bitsy Boffin (110334)]

"&sessionid=[big binary data]" to all your page links? I'm guessing that, despite being a "web developer" you are not given the ability to do so

Because that will inevitably lead to session hijacking. Either through a proxy or people sharing bookmarks.

Cookies for session ID storage reduce the first problem (but don't remove it totally), and eliminate the second.

They also reduce code, and remove session id's from URLs which is not where they belong for most URLs (why should the "aboutus" page need a session id, how is that useful, but if passing session id's on the url then it's required even though "aboutus" couldn't care less).

Yes, yes it does.

[Otto (17870)]

only incidently linked to their contact info because we never correlated the data together ...
Does that still make me evil?

Yep.

If you have the *ability* to do it, then somebody in your organization eventually will decide that it sounds like a good idea.

This is why all my browsing is cookie-free (or rather, cookies being allowed on a whitelist basis and everything else removed on browser shutdown). I don't want you to have that ability to track what I do on your site for very long. Regardless of whether you use that ability or not, I don't trust you to behave properly with that information. Why should I? I don't know you.

Re:Yes, yes it does.

[Miros (734652)]

If you dont trust the website, why would you ever give it personal information anyway? In the above poster's example, he said that they collected personal information about users when they would buy something (when else?). I'm sure that you're not suggesting that you buy things from websites that you dont trust.... SO, what are you saying exactly? You sound paranoid.

Re:Why not?

[periol (767926)]

But ultimatly, most users would probably enjoy the massive improvments in customer expierience that could be achieved using this information.

When I go to the gas station, the attendant does not put a tracking device on the car that keeps track of everything I look at in the store and allows him to take note of whether I stop off for gas with one of his competitors.

Here's the problem: companies are impersonal. So are websites. No amount of "tracking" will make a website seem like a conversation with anohter person. If you want my opinion, ask for it. Either way, I will be deleting cookies from your website every day.

Re:Why not?

[ip_fired (730445)]

Cookies don't track which sites you go to. A cookie has a domain that it actually is assigned to. When you visit that domain, the web browser sends that cookie to the server. If I go to amazon.com and they put a cookie on my system, then the only people who can look at it is amazon.com. They can't tell that I also went to overstock.com and looked at books. And overstock can't tell that I've been to amazon.

The only time they can get this information is if a third party has an Ad, or some other content on both sites (which is what makes cookies from ad sites more dangerous).

So really, when you go to the gas station, the attendant doesn't have to put a tracking device on your car. Just record your license plate (after all, isn't that all a GUID is?) Your car always has it's license plate, and so they can see who it is. Then they can track your usage at the gas station.

Cookies can provide useful information to the site developer. You like visiting well designed websites right? Getting information that will help you streamline the site is a good reason to track those statistics.

You are being too paranoid. Get adblock, only allow cookies to be set by the originating website and use a hosts file that blocks most ad sites and then you won't have to worry about it.

Re:Why not?

[TCM (130219)]

Cookies don't track which sites you go to. A cookie has a domain that it actually is assigned to. When you visit that domain, the web browser sends that cookie to the server. If I go to amazon.com and they put a cookie on my system, then the only people who can look at it is amazon.com.

Well, Sherlock, we're talking about the marketers like Doubleclick here. Doubleclick has banners on countless websites. Each banner's picture has the website it's displayed on encoded in the URL. Additionally, they set cookies from the domain doubleclick.net. Now what happens? Doubleclick can track you because each of their banners on all sites they have a banner on can read the cookie.

Know their customers?!?

[Otto (17870)]

If they know their customers a little better...

But they don't know me. They will never know me.

"Knowing me" means knowing my name, shaking hands, asking me about things we've discussed in the past. That's being friends with somebody. That's knowing them. That's what your idea of the "clerk who recognizes your face" is about, no? The little guy running the corner market, sort of thing. :P

Some dude running a website on the opposite side of the country will never know me. At best, he'll know what I've bought from him and other website owners that he shares information with or advertises with. Knowing what I buy doesn't mean he "knows me". It means he's treating me as an impersonal entity to be exploited, somebody to attempt to get more money from. It doesn't mean he's treating me as a fellow human being deserving of respect and friendship.

No, fuck that, I'll remain a stranger to that guy across the country running a website, and I'll know the guy who sells me my fresh fruit down on the corner market, and I'm quite comfortable with that and don't see it as a conflict whatsoever.

Re:Why not?

[NickFortune (613926)]

I mean, I completly understand your love of privacy, and I believe that it is your right to keep that information to yourself if you want to. Excellent. That is all I ask.

If they know their customers a little better, they can improve their business, just as any salesman who recognized a regular customer would.

To the benefit of whom? I feel no incentive to assist in this process.

But if you feel better always being a stranger then I dont see any problem with that. A stranger to whom? To doubleclick.net? Yes please! And let us not forget the resale value of aggregated marketing data. I think I'd like to remain a stranger to a lot of people online.

But not everyone. I don't post as an AC for example. I think I can manage my own privacy thank you.

But ultimatly, most users would probably enjoy the massive improvments in customer expierience that could be achieved using this information.

"could" being the significant term. I have no confidence that this information would be utilised to improve my life. What they going to do? Give me targetted ads? Adverts that more closely match my interests? Only an adman thinks of that as a benefit.

And I've yet to hear mention of any other

Re:Yes, yes it does.

[tgd (2822)]

Thats rediculous.

Do you insist the security tapes are turned over when you shop at stores? Do you pay only in cash? Its hard to pay cash online, but presumably you use credit cards. Why do you trust them with your info? Its easy to track where you shop with that.

Do you know the people at your bank? At Visa/MC? The processor? How about the people at the stores you shop at? Do you not use any of those shopper cards at the grocery store (I don't)? No Costco membership, or library card?

You know, you're logge

Re:Yes, yes it does.

[justforaday (560408)]

Have you SEEN their editing abilities?

They have editing abilities?

Tinfoil hat security...

[MosesJones (55544)]

Why should I? I don't know you

Do you know your bank? I mean apart from the front-end office that takes your money?

Do you know VISA, AMEX, Mastercard or whatever credit card you use?

If you have the *ability* to do it, then somebody in your organization eventually will decide that it sounds like a good idea.

And this is paranoia on crack... it assumes that people will ALWAYS do the wrong thing and will ALWAYS try and screw you about, and that customer profiling NEVER results in a better service.

Feel happy in your paranoia, me I just assess risk on a site by site, and business by business basis.

Re:The other side of things.

[Compholio (770966)]

Knowing that "John Smith" visited our site 3 times a week isn't really any more insightful that knowing that "User #5233258" visited us 3 times a week.

Then why isn't user 123.456.789.012 good enough?

Dynamic IP's.

[KitesWorld (901626)]

How many visitors are on an old dial up connection or connecting via proxy? I.P. numbers simply aren't a reliable way of providing usage statistics.

Re:The other side of things.

[Loonacy (459630)]

Because IP addresses don't go that high, duh.
(Although I completely agree with the general idea.)

Re:The other side of things.

[Enigma_Man (756516)]

user 17.123.23.5 might be 30,000 computers, that's why. IP addresses are not a good way of tracking individual users because of network routing / NAT etc.

-Jesse

Re:The other side of things.

[justforaday (560408)]

Because obviously somebody is spoofing their IP address...

Re:The other side of things.

[afidel (530433)]

If you really ARE looking at agregate statistics then how does deleting the cookie really impact your analysis, other than slightly inflating your unique visitors numbers? I would think that things like best path through the site could be determined from session cookies, no need for them to be sustained. If you want to track return purchasers just associate their account with a cookie and if they return to purchase again just reassign them their original GUID or combine the GUIDs into one trackable metric.

Re:The other side of things.

[temojen (678985)]

I have no problem with one site tracking my motions through their services. What bothers me is services that track me through multiple unrelated sites, some of which have my personal information on file.

Re:The other side of things.

[Enigma_Man (756516)]

I have a similar story. I design / manage the website for a company, and we had a reasonably big problem with using cookies for internal "tracking" purposes. Not to track customers in the "evil" way, but just to keep track of things in their shopping cart, and other similar info to what you stated. The problem we had was with people having cookies shut off. At first, we'd just not track them at all, and the shopping cart would ask them to turn on their cookies, and gave some quick directions, and links to detailed directions for different browsers. A lot of people seemed to be totally turned off by this, based on the amount of people that read the instructions and then didn't even start shopping.

What we ended up doing was using alternate methods for tracking users as they browse around our site, mainly using links with generated tails attached to them that were unique to each visitor. Like, instead of linking to index.cfm in the navigation window, It would be index.cfm?user=5012345, and we'd keep track internally. Obviously this isn't a safe use for a shopping cart type thing, but we used other methods to secure that.

Mainly, I just wanted to say that there are methods other than cookies that work just as well.

-Jesse

Re:The other side of things.

[digidave (259925)]

Congratulations on inventing a less useful form of session variables :)

Re:The other side of things.

[zx75 (304335)]

Ok, you're obviously running a site that is not insignificant if you have an eCommerce application, GUID numbers and tracking individuals as they visit different pages. There are other ways to do this outside of cookies that gather non-aggregated data without putting anything on the user's machine.

The simplest example I can think of is one Java based web application I was one of the deveopers for. We had to deal with secure logins, we had eCommerce and a variety of other things that are mostly irrelevant.

Re:Tracking customer behavior

[Migraineman (632203)]

I went to a clothing store a few years ago to buy a present for the wife. I handed the cashier cash for the items, then had the following conversation -

Cashier: May I have your phone number?
Me: No.
Cashier: It's only for customer satisfaction purposes ...
Me: What part of "no" was ambiguous?
Cashier: We need your phone number to improve customer service ...
Me: Get your manager over here right now so I can explain why you're losing this sale, and all future sales ...
Cashier: {types in store phone number}

I get amazingly cheesed when businesses fail to respect my privacy (whether I have a "right" to privacy is a whole separate rant.)

Re:Tracking customer behavior

[blitz487 (606553)]

I had a similar experience. I went into a computer store to buy a printer. The cashier wanted my home address. I said "no". The cashier said it was their policy for all sales. I asked for the manager, who repeated that line. I asked him if he was willing to give up the sale for his policy. He said "yes", and I said it was my policy to not give out my address, and I left.

I went to his competitor up the street, bought the same printer. I told the story to the store manager there, who had a nice laugh and was happy to get my money.

Re:Tracking customer behavior

[jayloden (806185)]

Look, I appreciate the sentiment - I don't like handing out my phone number or personal information for stupid reasons either.

However, PLEASE try and remember something. The people you talk to and buy things from are not the store owners. In fact, they're lucky if they've ever even met the franchise owner of the store, let alone the owner of the company.

You are taking out your annoyance on someone who has: a) No real interest whatsoever in whether or not you buy X piece of crap (unless they get commissions on sales) and b) No control over the policy, the system, and in most cases, the cash register either. They might be able to get around it (as the clerk did in the OP's post), but that's not the point

The point I'm making here is this: don't get pissed at some clerk or manager at a chain store for following store policy, or expect them to change it for you, even if it's a dumb policy.

I've worked at department stores and grocery stores, etc - it sucks. And you know what? The only people I ever really disliked when I worked any retail job were the people who thought it was MY store and MY decision to harass them for a phone number/address, whatever. These are the people that expect you to break the rules for them (c'mon, you can just give me the discount, I forgot my coupons), then treat you like shit when you follow the rules of the company that puts the paycheck in your hand at the end of the week.

It was store policy to ask for a phone number, the register prompted for it, and we're supposed to ask. If we got shopped by a "secret shopper" or a manager caught us ignoring it, that's our ass, not the customer's. On behalf of all past, present and future retail employees: We don't care what your personal information is. We care about our paycheck and about following the rules of the job.

I agree that it should only take one polite refusal to avoid having to give out your information. Just keep in mind that the manager may have to give approval, and in the larger chains, even the manager may not have the power to negate store policy. Either way, the bottom line is even if the manager has the ability to counteract the policy, they don't care. The manager at Best Buy is not sitting at home in a deep depression because you bought your printer at Circuit City instead.

Re:Tracking customer behavior

[Migraineman (632203)]

Like it or not, the cashier represents the store during the sale. During my experience at the store, I probably have the most "face time" with the cashier, and checking out ends up being the part of the sale that tends to stick in my mind. I want it to be pleasant and hassle free.

Asking for personal information will get you a polite but terse "no." I have no intention of justifying my response to you or anyone else. Pressing the matter restults in me getting annoyed. Pressing *again* puts you in risk of losing the sale, and yes, I'm going to tell the manager why. I recognize that the cashier doesn't set the store policy. I don't think I've ever yelled at a cashier for that very reason. However, unless the store management hears about the cheesed customers and the lost sales, the store policy won't change.

I vote with my wallet and my feet. Yelling and screaming just gets you written-off as a whackjob. Telling the manager why you're taking your business elsewhere, and then doing so, punishes the crummy vendor and rewards the competitor who doesn't have the crappy policy.

Re:Tracking customer behavior

[SatanicPuppy (611928)]

My ability to make up fake phone numbers is almost a brainstem response. I accidentally told a mortgage officer a fake phone number once, then had to do the lame, "Uhhh, wait that's my old number" thing.

Whenever someone asks for info they don't need, lie. It's the only safe thing to do. I hit one of those surveys where they ask you for your computer password in exchange for a 5 dollar gift certificate.

They said, "We'd like to offer you a free gift certificate for coffee in exchange for your password."

And I said, "What a coincidence, my password is 'Il1k3fr33c0ff33'." I'm not sure they got it, but I got my fr33 c0ff33.

Re:Tracking customer behavior

[Just Some Guy (3352)]

Found it on the bathroom wall. It's common knowledge in these parts.

So wait...

[DrEldarion (114072)]

Hrm? They track you through the cookies, yet comparisons to "spyware" are unjustified?

Personally...

[Shadow Wrought (586631)]

I blame the Atkins craze for the sudden diminishing of cookies. On a side note, as a general rule, I'm pretty happy with any behavior that makes marketer's lives more difficult. Just one of those rules of thumb.

Don't delete cookies

[i.r.id10t (595143)]

I don't delete 'em. I log in to various sites that use them (that I want to use them), then I close the browser and then make the cookies.txt file read-only (chmod or chattr, or attrib). Get the benefit for sites I want the customizations on, don't get the tracking

Flash tracking? like hell

[Rosco P. Coltrane (209368)]

Flash-based tracking system is mentioned

It doesn't seem to have dawned on marketers that many, many people already associate Flash with "annoying advertising", "high CPU usage for nothing" and "general nuisance", and that it is disabled in many browsers as a consequence.

Speaking for myself, Flash is disabled. When I need it occasionally (that is, when I happen to want to play this [princeofpersiagame.com] about once a year), I re-enable it. But otherwise, I've yet to see a website sporting Flash that doesn't use it for useless eye-candy or advertising.

Re:Flash tracking? like hell

[supernova87a (532540)]

Try the Flashblock extension! [mozdev.org] It's the best thing I ever downloaded for my Firefox. Keeps flash plugins from playing unless you click on them in the browser to start them. And for some reason I have never found that I want to click on one to deliberately see an ad...

That's not the intended purpose of cookies

[dpbsmith (263124)]

Cookies were intended to allow sites to serve users by providing a convenient method of preserving client-side state.

They're intended to do legitimate things like let a site remember who you are so you don't need to log in every time you visit it, or assign a transaction code to make it easy for things like shopping carts to work... and prevent you from double-ordering if you click the "Order" button twice.

They were never intended for the purposes to which marketers have misappropriated them.

It's just another example of information being ostensibly collected for a purpose the user approves of, and then being secretly used for purposes the user is unaware of and might not approve of, and it justifiably makes people angry.

Fun with Cookies

[RagingChipmunk (646664)]

Every once in awhile I like to toy with the cookies. I'll edit their content - flip some bytes, add lots of corrupt text, delete sections. Occasionally, I'll flip all the cookies to "Read Only". Its fun to see a site occasionally puke from bogus cookie data.

Re:Fun with Cookies

[KillShill (877105)]

sounds like a perfect idea for a firefox extension.

maybe some smart "cookie" can code one up in an afternoon...

Tony Soprano said it best.

[base3 (539820)]

"That cookie shit makes me nervous."

Too Bad

[kenp2002 (545495)]

I hear many people complaining about EVIL marketers. Most marketing companies are rather decent people trying to find you the customer who wants their product. A VERY small % of marketing companies are shady info-whoring bastards. Targetted marking is a rather nice thing as far as I am concerned. When offered to provide interests, and the resulting ads, I find myself visiting the link. WHAT I HATE is misdirected market, you know assholes that call you about new siding on your house when you live in an apartment, or my favorite (being a married old fart) getting ads for tapons and crap like that (because the wife occassionally does some surfing under my ID).

It's too bad a small group, as usual, ruins it for the majority.

Marketers have only themselves to blame

[phillymjs (234426)]

They abused phone calls, and that brought about the national Do Not Call list.
They abused TV commercials, and that brought about "commercial skip" VCRs and TiVo.
They abused pop-ups, and that brought about pop-up blockers.
They abused Flash to make more attention-getting (read: obnoxious) banner ads, and that brought about Flashblock.
They abused cookies, now people obsessively delete them if they allow them to be created at all.

Am I the only one who sees a pattern here?

~Philly

3rd party cookies

[Avohir (889832)]

I keep 3rd party cookies blocked... that keeps everything nice and clean.

For the layman, the way these tracking cookies work is when you're visiting site A, site A has a banner from site Z. If you have 3rd party cookies enabled, not only can site A set a cookie to your harddrive, so can site Z. Now, you go to site B which also uses site Z's ads... and site Z can see you were also at site A. Block 3rd party cookies however, and you cant get a cookie from site Z unless you actually VISIT site Z.

Disabling 3rd party cookies lets you keep their useful functions (login information at ebay, etc) and restrict the illegitimate ones (tracking my useage).

Mike Healan from Spywareinfo.com has a good article about cookies and their spyware-esque function here: http://www.spywareinfo.net/july20,2005#cookies [spywareinfo.net]

Well, tough ....

[gstoddart (321705)]

Too bad if the marketers don't like that people delete cookies.

Companies like doubleclick and the ones who seem to only serve up annoying advertising have no expectation that I will a) accept their cookie (if you're not the site I'm visiting, why do you get a cookie?) or b) even if I did accept their cookie, that I would keep it.

The real world would be tagging your clients. Someone comes in to browse, you snap an ear collar on him. You walk into another store, someone wants to stamp the back of your hand indicating that you've shopped there.

I had a person at my door asking if I'd received my flyers -- when I told her than if I had I'd tossed them in the bin, she wanted my name and phone number. What part of I'm not interested in your flyer, and you don't need my contact info to respond to this?

I wouldn't accept K-Mart putting a radio tracking collar on me, WTF do on-line marketers think they're any different?

No benefit to consumers, then no cookies

[Vellmont (569020)]

Should web marketers really be surprised that constantly tagging people and most of the time and giving them no benefit at all makes them nervous? What if you had your hand stamped with invisible ink every time you went into a store, and received nothing for it? How many people would want to allow that?

The thing is that these marketers want something for nothing. I enable the "ask for each cookie" option in mozilla, and generally click "allow for session" on 99% of most sites because they offer me NOTHING in return for tagging me. On sites like Amazon.com I can add things to my wish list without logging in, or on slashdot I can login without typing in passwords. Tvguide.com will show me my local listings, cool. I've gotten a benefit from the site knowing who I am, so I'm much more likely to allow them to know that.

Most sites that hand out cookies give you nothing for identifying you. Why should I give them somthing they want for nothing? I certainly don't trust the average marketer to not do skeevy things like targeted pricing (looks like I visit bmw.com a lot.. I must be rich. Raise my prices by 10%).

Cookie Monsters

[Doc Ruby (173196)]

A client/server system without persistent client state is unuseably crippled. Cookies are a simple way to get that. If users are flushing them once a month, but need not, they must be balancing the convenience of persistence with their perceived "privacy". If just the marketers are complaining, I don't care. When the engineers complain that no persistent client state is crippling our apps, then I care.

Marketers could stop complaining, and fund better UIs that decrease the false perception that cookies are bad. Their stealth makes them sinister, and their unmanageability makes people throw out the benign majority with the tiny malign minority. But only a generation of marketdroids could taint the deep-seated pleasant associations with "cookies" into fear of deadly poison. If they rechanelled their complaints into better UIs, they'd be "engineers", not marketdroids. So they're doomed. If only they were as doomed as the cookies they mourn.

Please stop the cookiephobia

[scode (22551)]

Alright, fine. Some types of cookies can be easily exploited, but there is one type of cookie that you DON'T want to turn off (and don't want people in general to turn off), and that is the session cookie.

All this 'anti cookie' propaganda is really getting out of hand. Session cookies are a great way to securely identify a series of otherwise unrelated requests as belonging to the same session. By turning off cookies one is also disabling this very valuable feature.

"But it doesn't matter" you say, because web sites can use URL rewriting instead. Well, think about it:

* If URL rewriting is used, exactly how is this better, from a privacy stand-point, than a session cookie? The exact same information is propagated, so nothing is gained in terms of privacy. In addition, the "evil" people whom everybody is presumably trying to prevent from tracking a user's session can also use this technique.

* On the issue of security and technical convenience however, you are making it worse. URL rewriting is inherently less secure in the fact of 'accidents' such as paste:ing a link (which the average joe won't understand contains sensitive information) to a work collegue sitting behind the same NAT:ing gateway. And how about referrer URL:s making it into web server logs? (There is no guarantee that the session identifier is encoded such that a security conscious browser can spot it, and refrain from sending it as part of a referrer URL to another web server.)

Overall, session cookies are vastly superior to URL rewriting in a number of different situations. But this overzealous anti-cookie paranoia is forcing people to use URL rewriting *anyway*. In tryng to increase privacy, it has actually been lessend - along with security!

Just to give one example of how the ACP (anti cookie paranoia) can interact with web pages: I was recently involved in a situation where some browsers would disable cookies (even session cookies) for requests that were made as part of an IFRAME on a page hosted on another domain (presumably for privacy concerns). This resulted in, for practical purposes, a total inability to use cookies on that site. URL rewriting is now used instead, to a detriment of security and privacy.

Re:Cookies are good

[Rosco P. Coltrane (209368)]

People can complain all they want, but cookies are necessary to make surfing experiences less problematic.

Oh yeah? I have my Mozilla configured to ask me, if a site wants to install a cookie, whether I want to let it or not. Usually, I just click DENY more or less automatically. Once in a while though, I do that and a realize the site doesn't work without cookies so I go and explicitely re-enable cookies for it.

How often does that happen? I'd say about 10 times this year, no more. And I can tell you, I c

Re:Monthly basis?

[phasm42 (588479)]

And how exactly did this happen. I have not deleted my cookies for a couple YEARS since I last reloaded my computers, and have yet to have a single problem with stolen passwords or any of these other problems that evil cookies are supposedly causing.

There is the possibility that a large enough group of companies collaborating could use the information to link purchases and browsing habits together. But I really don't care. They want to try to personalize my ads, that's fine too. Why? Because it's a free lunch. They think they're convincing me to buy stuff, when in fact I don't give a fuck. As long as the illusion is maintained, I'm happy to let them think they're learning valuable information about me. If this avenue is cut off to advertisers, either the free lunch will end or something more insidious will take its place.

Most companies only care about using cookies to keep track of visitors to their site anyway, and this can be useful to improve the site. A site that uses tracking information to see what other sites you visit (which is difficult without having their ads directly on other sites, which usually isn't the case because someone else usually hosts the images) and sells your email address is probably not one you want to continue purchasing from.

Spyware and Image Cookies

[yintercept (517362)]

I use cookies for session management and tracking usage in a site.

Spyware abuse generally occurs when a big company (doubleclick, valueclick, etc) want to track your usage between sites. The spyware fears generally arise with third party cookies.

These cookies generally come attached to images. For example the image ad on top of this slashdot page might access cookies that get used to build a profile of my slashdot usage.

Preventing spyware is a matter of blocking third party cookies.

Personally, I can't see any real reason why images (the IMG tag) should be allowed to set cookies.

When the main page sets a cookie, it is almost always to provide service to the end user. When an image sets a cookie, it is almost always so marketers can build profiles. My ideal browser would not allow third party cookies nor would it allow cookies to be set by img tags.