[Pdx-pm] Anti-cookie rhetoric (was: saving state with CGI.pm)

Austin Schutz tex at off.org
Wed Nov 5 13:41:46 CST 2003


On Thu, Nov 06, 2003 at 09:50:08AM -0800, Tom Phoenix wrote:
> On Wed, 5 Nov 2003, Austin Schutz wrote:
>
> >     Some folks used to say that users wouldn't always allow cookies,
> > but that's probably not true any more.
>
> It's worth remembering that a few users may not be able to use cookies
> even if they want to. For example, the user might be at a school or
> library net terminal, unable to change the preferences, while the site
> admin has ordained "no cookies" since each computer is shared among many
> users.

        Sure, that could happen. That's a pretty small minority, but it
could be important.

>
> Even when cookies succeed, they don't hold information for the user; they
> hold information for the _browser_. If I borrow your computer and use your
> browser, sites will think that you're visiting. If you use a different
> computer or browser, sites may think that a different person is visiting.
> That's one reason that most cookies should expire within a few hours or at
> end-of-session, the sooner the better. (Exception: The user asks to save
> state, such as "Remember my settings". Or you have users who are sure to
> have cookie support and mostly one-user-per-browser, such as with an
> in-house application.)

        Well, it's certainly possible to make sure the data in the cookies is
user specific, and to make sure it's password protected and/or encrypted, all
of which can be done without that much effort and without maintaining state
by the server.
        The point of the exercise was to maintain state for the user
anyway, so at some point unless the data gets flushed it will still be
available in the browser no matter which method you use, and using any
reasonable method the data can be flushed anyway. *shrug*


> Cookies can work for some purposes, but they have a lot of shortcomings.

        They're definitely not a panacea, but they can be pretty handy IMO,
especially for data that _isn't_ particularly sensitive, but should be
stored over long periods. Preferences, in particular, can be saved in cookies
and make a user's web browsing experience significantly better.

	I like 'em, but then again, I don't have the added burden of worrying
or caring about library users, etc.

	Austin
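The stateless, user-bound cookie Austin describes above, as an added example that is not part of the thread. The thread is about Perl and CGI.pm; this sketch is in Python with only the standard library so it runs anywhere, and the secret, user ids and preferences in it are constructed for illustration. The cookie carries the user id, an expiry and the preferences, and an HMAC over that payload lets the server reject anything it did not issue without keeping any session table.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for the example; a real deployment keeps this out of
# source control and rotates it. Anyone holding it can mint valid cookies.
SERVER_SECRET = b"example-server-secret-do-not-reuse"


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    """Inverse of _b64e; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_cookie(user_id: str, prefs: dict, ttl_seconds: int,
                secret: bytes = SERVER_SECRET,
                now: Optional[float] = None) -> str:
    """Build 'payload.tag' where tag = HMAC-SHA256(secret, payload).

    The payload binds the preferences to a user id and an expiry, so a
    cookie copied to another account or replayed after expiry is rejected.
    """
    now = time.time() if now is None else now
    body = {"uid": user_id, "exp": int(now) + ttl_seconds, "prefs": prefs}
    payload = _b64e(json.dumps(body, separators=(",", ":"),
                               sort_keys=True).encode("utf-8"))
    tag = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64e(tag)}"


def verify_cookie(cookie: str, expected_user: Optional[str] = None,
                  secret: bytes = SERVER_SECRET,
                  now: Optional[float] = None) -> Optional[dict]:
    """Return the decoded body, or None if the cookie is forged, malformed,
    expired, or issued to a different user than the one now logged in."""
    now = time.time() if now is None else now
    try:
        payload, tag_text = cookie.split(".", 1)
        expected = hmac.new(secret, payload.encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time comparison: check the tag before trusting the payload.
        if not hmac.compare_digest(_b64d(tag_text), expected):
            return None
        body = json.loads(_b64d(payload).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(body, dict) or body.get("exp", 0) <= now:
        return None
    if expected_user is not None and body.get("uid") != expected_user:
        return None
    return body


if __name__ == "__main__":
    issued_at = 1_000_000  # constructed clock value
    c = make_cookie("alice", {"theme": "dark", "rows": 50}, 3600, now=issued_at)
    print("issued:", c)
    print("valid now:", verify_cookie(c, "alice", now=issued_at + 60))
    print("after expiry:", verify_cookie(c, "alice", now=issued_at + 3600))
    # Swap in a different payload but keep the original tag: HMAC fails.
    _, tag = c.split(".", 1)
    forged = _b64e(b'{"exp":2000000000,"prefs":{},"uid":"bob"}') + "." + tag
    print("forged:", verify_cookie(forged, now=issued_at + 60))
```

The HMAC gives integrity, not secrecy: the preferences are readable by anyone holding the cookie, which is fine for the non-sensitive settings Austin has in mind and is why anything private would need encryption on top. It also does nothing about Tom's shared-browser point, since the server still cannot tell who is at the keyboard; the `exp` field and a short `ttl_seconds` are the mitigation for that, with a long lifetime reserved for the explicit "remember my settings" case.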


