[Pdx-pm] Anti-cookie rhetoric (was: saving state with CGI.pm)

[Tom Phoenix]

On Wed, 5 Nov 2003, Austin Schutz wrote:

> 	Some folks used to say that users wouldn't always allow cookies,
> but that's probably not true any more.

It's worth remembering that a few users may not be able to use cookies
even if they want to. For example, the user might be at a school or
library net terminal, unable to change the preferences, while the site
admin has ordained "no cookies" since each computer is shared among many
users.

Even when cookies succeed, they don't hold information for the user; they
hold information for the _browser_. If I borrow your computer and use your
browser, sites will think that you're visiting. If you use a different
computer or browser, sites may think that a different person is visiting.
That's one reason that most cookies should expire within a few hours or at
end-of-session, the sooner the better. (Exception: The user asks to save
state, such as "Remember my settings". Or you have users who are sure to
have cookie support and mostly one-user-per-browser, such as with an
in-house application.)

We should all laugh at sites which use cookies to keep voters on a
web-based poll from "stuffing the ballot box" with multiple votes. That
inconveniences some people who share browsers while being impotent to
prevent fraudulent votes. (That's a task for a captcha:
http://www.captcha.net/ - but there's no fair way to stop someone who
wants to vote more than once, short of some non-net-based registration.)

Cookies can work for some purposes, but they have a lot of shortcomings.

--Tom