[Pdx-pm] Anti-cookie rhetoric (was: saving state with CGI.pm)

Tom Phoenix rootbeer at redcat.com
Thu Nov 6 16:28:47 CST 2003


On Wed, 5 Nov 2003, Austin Schutz wrote:

>         Well it's certainly possible to make sure the data in the
> cookies is user specific,

Am I missing something here? The only ways I can think of to ensure that
the cookie data belong to a particular user, instead of browser, would
obviate the need for long-term cookies at all. For example, if the user
logs in with a username-password combo, you know which user it is - but
now, why keep anything in the cookie jar? You've already got the username
and password (in some form) in a database, so you may as well keep
everything in there, or at least everything important. Cookies get lost,
but databases get backed up. (We hope!)

> and to make sure it's password protected and/or encrypted,

Encrypting user data in cookies is using a cheap database that sometimes
loses data. :-)

Seriously, disk space on the server is cheap; bandwidth consumed by large
cookies that go back and forth on many transactions is expensive. A small
cookie that has a session-ID is okay, but that's designed to expire at the
end of a session. If you must use large cookies, ensure that they're not
sent to and from your server except when necessary. Some servers send and
require every cookie even when you're fetching the eighteen images on
every page. For some reason, these pages load slowly...  :-D

> especially for data that _isn't_ particularly sensitive, but should be
> stored over long periods.

Long-term cookies are generally problematic. Most browsers implement some
limit on cookies, deleting old cookies to make room for new ones. The RFC
has some information on this, even though its suggested limits are pretty
permissive. Section 6.3 says,

    Applications should use as few and as small cookies as possible, and
    they should cope gracefully with the loss of a cookie.

        http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2109.html#sec-6.3

> Preferences, in particular, can be saved in cookies and make a user's
> web browsing experience significantly better.

Yes, that's the usage I mentioned - so long as the _user_ chooses to save
the state. If I borrow your browser, some site shouldn't save my
preferences as if they were yours, though.

I'm not opposed to all uses of cookies. But I'm opposed to most of their
uses on the web today.

--Tom Phoenix
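The pattern Tom describes (one small session-ID cookie, preferences kept on the server, the cookie scoped so it is not sent with every image request) as an added CGI.pm example; this is not code from the thread. It assumes the application lives under /app/, that /dev/urandom is available, and uses an in-process hash as a stand-in for the preference database, so a real deployment would replace it with a store that persists across requests.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Stand-in for the server-side preference store (a database in practice),
# keyed by session ID. Per-process here, so each run starts a fresh session.
my %session_store;

# 128 bits from the OS CSPRNG; assumes a Unix-like host with /dev/urandom.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H*', $bytes;    # 32 hex characters, no user data inside
}

my $q   = CGI->new;
my $sid = $q->cookie('sid');       # session cookie, if the browser sent one

# Missing, malformed or unknown session ID: start fresh rather than trust it.
if (!defined $sid || $sid !~ /\A[0-9a-f]{32}\z/ || !exists $session_store{$sid}) {
    $sid = new_session_id();
    $session_store{$sid} = {};
}

# Preferences go into the store, not the cookie: the cookie stays tiny and
# losing it costs the user a new session, not the data.
if (defined(my $new_theme = $q->param('theme'))) {
    $session_store{$sid}{theme} = $new_theme;
}
my $theme = $session_store{$sid}{theme} // 'default';

# The only cookie: a session ID, scoped to the application path so it is not
# sent along with requests for /images/ or /css/, marked secure and httponly,
# and with no -expires so the browser drops it at the end of the session.
my $cookie = $q->cookie(
    -name     => 'sid',
    -value    => $sid,
    -path     => '/app/',
    -secure   => 1,
    -httponly => 1,
);

print $q->header(-type => 'text/html; charset=UTF-8', -cookie => $cookie);
print "<p>Current theme: ", $q->escapeHTML($theme), "</p>\n";
```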
