Q: A web site wants to give me a cookie. Should I accept it? I am kind of hungry…
A: (typical engineer response) It depends. What is in the cookie? What does the web site want to do with it?
Definition: A browser cookie (also called an HTTP cookie) is a short plaintext message that a web server sends to a browser; the browser stores it and returns it unchanged to that server on each later visit to the originating website. An HTTP cookie can serve a number of functions, generally caching or persisting certain user-specific information.
Some common (proper) uses might include:
- site preferences
- single-session specific details like contents of a shopping cart
- interests
- any other details that identify you or describe your profile to the server
Origins: "Cookie" comes from "magic cookie" – a term coined for a common concept in computing.
Stereotypes, Myths and Other Information: On some levels, the HTTP cookie has gotten a bad rap because of poor usage by web programmers. It is oft-cited as a concern for Internet privacy because a single cookie can (when implemented imprudently) contain sensitive or privileged information (like a username and password). Also, taken as a whole, the collection of cookies in a user’s profile on their computer can tell you a lot about that user’s browsing habits, shopping preferences, and many other details. Other critiques point out that cookie information could be incorrect, or that inadvertent disclosure could be used against a user.

A common misconception is that cookies are spyware or malware. They are not, although many popular anti-spyware programs will alert the user to the presence of cookies. A cookie in and of itself is not going to take any action (malicious or not) against you or your computer. It is nothing but a text file, and from a functional standpoint it is harmless. It is only what is in the cookie that one should be concerned about (after all, you are what you eat).

Most modern web browsers offer us the choice of accepting or declining cookies, usually on a site-by-site basis. Refusing a server’s cookie may cause a web application to work improperly or to fail altogether. For example, it is not uncommon for a shopping cart application to persist the cart contents or other session data in an HTTP cookie.
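To make the definition and the "what is in the cookie" concern concrete, here is an added example (not from the original article) that models the exchange: it parses the Set-Cookie headers a server sends, rebuilds the Cookie header the browser would return, and audits each cookie for credential-like plaintext content and for the Secure and HttpOnly attributes, which the article does not mention but which control whether the browser also sends the cookie over unencrypted HTTP or exposes it to page scripts. The header lines, cookie names and values are constructed for illustration and are not captured from any real site; it uses only the Python standard library (3.8 or later for SameSite support).

```python
"""Added illustration of the Set-Cookie / Cookie exchange plus a content check.

All header lines below are constructed examples, not captured from a real site.
"""
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Constructed Set-Cookie response headers, as one server response might carry them.
SET_COOKIE_HEADERS = [
    "theme=dark; Path=/; Max-Age=2592000",
    "cart=item42,item17; Path=/; HttpOnly",
    "login=user=alice&password=hunter2; Path=/",
    "session=8f3a9c2e1b; Path=/; Secure; HttpOnly; SameSite=Lax",
]

# Substrings that suggest a cookie carries credentials in the clear (assumed list).
SENSITIVE_MARKERS = ("password", "passwd", "pwd", "secret")


def parse_set_cookie(headers):
    """Parse Set-Cookie response headers into a SimpleCookie 'jar'."""
    jar = SimpleCookie()
    for header in headers:
        jar.load(header)
    return jar


def cookie_request_header(jar):
    """Build the Cookie header the browser sends back: name=value pairs only.

    Attributes such as Path, Secure or HttpOnly never travel back to the
    server; they only tell the browser when and where to send the cookie.
    """
    return "; ".join(f"{name}={morsel.coded_value}" for name, morsel in jar.items())


def audit_cookie(name, morsel):
    """Return a list of concerns about one cookie, judged by its content and by
    the attributes that decide where the browser will send it."""
    findings = []
    # Decode percent-escapes so 'password%3D...' is caught as well as 'password='.
    text = f"{name}={unquote(morsel.value)}".lower()
    if any(marker in text for marker in SENSITIVE_MARKERS):
        findings.append("plaintext credential-like content")
    # SimpleCookie stores flag attributes as True when present, "" when absent.
    if not morsel["secure"]:
        findings.append("no Secure flag: also sent over unencrypted HTTP")
    if not morsel["httponly"]:
        findings.append("no HttpOnly flag: readable by scripts on the page")
    return findings


def audit_headers(headers):
    """Map each cookie name to its list of concerns."""
    jar = parse_set_cookie(headers)
    return {name: audit_cookie(name, morsel) for name, morsel in jar.items()}


if __name__ == "__main__":
    jar = parse_set_cookie(SET_COOKIE_HEADERS)
    print("Browser returns:  Cookie:", cookie_request_header(jar))
    for name, findings in audit_headers(SET_COOKIE_HEADERS).items():
        print(f"{name}: {', '.join(findings) or 'no concerns found'}")
```

Run stand-alone, the script shows that the browser echoes back only the name=value pairs, and that the constructed `login` cookie is the one the article warns about: credentials stored in the clear in a cookie that would also be sent over plain HTTP and be readable by any script on the page, whereas the `session` cookie carries an opaque identifier and restricts where it travels.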
Rules of Thumb:
- One should accept a cookie (on one's own computer) only when the server sending it is trusted and the general purpose of the cookie is known or can be inferred. For example, if you are on your personal computer and you log onto your banking website and it wants to give you a cookie, you should probably accept it.
- If in doubt, refuse it. If you refuse a cookie that is needed to make a web application (for example, a shopping cart or online forum) function properly, there are very good odds the site is going to tell you so. Then you can go back and start over by accepting the cookie. See rule of thumb #1.
- One should always check browser settings on public or shared computers to make sure cookie offers are blocked or at least require approval.
- If you are overly concerned about what your cookie history says about you or who might be able to read it, most browsers have a function which will allow you to delete temporary files and/or clear cookies. Several fine third-party applications including some spyware/adware scanners can help you identify any cookies you might want to clear off your computer, but beware the wolf in sheep’s clothing. Always consult a trusted advisor before installing software from an unknown source.
Conclusion: In the final analysis, whether or not one should accept a cookie is up to the individual, and it is the content, context and function of the data contained in the cookie that should drive the decision, as well as the nature of the environment in which one is browsing.