The topic of Cookies seem to come up fairly often. Folks wonder what they are, what they do, and how they can clean them out. Today on the radio, I mentioned two ways of cleaning out all your cookies. The wonderful audience of WPR very quickly pointed me towards a third option that allows you to clean out specific cookies if you choose.
In this article, I’m going to talk briefly about what cookies are, what they do, and just what kind of trouble they can cause you. I’ll also cover methods for clearing out some or all of your cookies.
What Cookies Are
Cookies are actually pretty simple things. Their a lot like an name tag at a party with people that have very short memories. Web browsers talk to web servers. This conversation is known as “stateless”. That is, when the conversation is over, and a second one is started, the second conversation takes place as though the first one never happened. This worked fine in the old days, when web pages were just information and you wanted to read it.
This system falls down though, when your want to interact with the web site. The best example is on-line shopping. We’ve all seen these “shopping carts” where we add things to them then check out, buying all the things in our cart at the same time with one transaction. But if each conversation (that is, each page of a web site) has no knowledge of the last one, how would the web server ever know that you all ready have one item in your cart and you’re adding another? One solution to this problem is the cookie.
In this example case, the web server hands a little piece of data to the web browser. It can (and should be) random. For example, here’s the contents of a cookie I have on my Mac: 461c3ba1ad66aaa2 Not very interesting, is it? Let’s say this cookie is from amazon.com. Now, when my browser goes to load a second page at Amazon, it hands their server this cookie. Their system looks at the cookies and goes, “Ah, this is that customer that just put ‘Little House on the Prairie’ in his shopping cart. Now he wants to buy ‘Ghostbusters’, so we’ll add it to the same shopping cart.” With the use of that cookie, Amazon can now remember who I am and that I have two bad videos in my shopping cart.
The contents of any particular cookie is entirely up to the web site that places it. After all, they’re the ones that have to look us up every time we look at any page of theirs. Some poorly written web pages will store inappropriate information in the cookie, such as an e-mail address or account number. That cookie can be passed over insecure networks or stored insecurely on our computers, which is why it’s best to only put random stuff into it. Fortunately, the practice of putting “real” data in there is becoming less and less frequent.
Our web browsers will only hand a cookie back to the web page that placed it. So the only web site that can see the contents of my Amazon cookie is amazon.com. And really, the contents of my Amazon cookie aren’t going to be of any use to Barnes and Noble anyway.
What does this all mean then?
There are some privacy concerns with this. For example, Amazon can keep track of what you do and what you buy at their site. They can track how long you spend on any particular page in their store, and they can even present options to you that others with a similar profile have purchased. Some folks find this a bit unnerving. They’d rather be anonymous when they show up at a web site the second time.
This does not mean, however, that Amazon can track what you’re doing on any other web site, or even that you’ve been to any other web site. Remember, cookies are only returned to the site that placed them. And today, even if another site did get another site’s cookie, the random data in it won’t do them any good. They don’t have the other half of the equation–a table that correlates that random string to a person’s profile.
Another privacy issue with cookies is that web sites remember you automatically. For example, Google has a cookie set on my Mac. When I go to their search page, it automatically brings up a customized page. If someone else were to sit down at my Mac, they would be presented with that same customized Google search page. Google would think they were me. I’m not too worried about the Google search page, but there are some other pages that I might not want a guest to access as me.
What cookies don’t do
Cookies, then, are nothing more than pieces of data. The real power of a cookie comes from the other side (the web server) matching up that piece of data with some information they’ve stored. Think of them a bit like a key to a car.
They are not programs that can run. A cookie doesn’t contain a virus. (Well, it might, but since your browser doesn’t ever “run” a cookie, it would just sit there and never do anything.) A cookie cannot do anything other than exist, and occasionally be read. They take up almost zero space. I would imagine that if you have too many, they could slow things down, since you’re computer would have to search through a long list to find the one it’s looking for. My hunch is that list would have to be exceedingly long. (Think several thousand.)
They do not contribute to spam. If a web site is using a cookie to identify you, they are not getting your e-mail address (unless you give it to them). Even if you do give your address to one site, it does not mean that it’s being surreptitiously transmitted to another site. (This does happen with less than reputable sites, but not via cookies. That’s usually a deliberate monetary transaction between one site and the next.)
Suggested Cookie Settings
Safari has a very good default for handling cookies. In the “Preferences” section, they have the option to “Only accept cookies from sites you navigate to”. That is, if I go to cnn.com, they can leave a cookie. But an advertiser that is displaying an ad on cnn.com cannot leave a cookie. This prevents that advertiser from knowing who I am if I land on another page where they are displaying an add.
I like this balance. It allows web sites to remember who I am, but doesn’t give away too much of my habits to advertisers.
But there are times when I’d like to go back to a web site anonymously, as though I’ve not been there before. To do this, we clear out the cookies.
The “sledge hammer” approach is to choose the “Reset Safari” command from the “Safari” menu. This will get rid of all your cookies, your cache files, your history of sites you’ve visited, as well as any Google searches that it may have remembered.
If you just want to get rid of some cookies, you can do that from the “Preferences” window in Safari.
You press that “Show Cookies” button and you’ll see a list of all your cookies.
You can then go and delete specific ones or delete them all.
What are you loosing if you delete them all?
If you delete all your cookies, then any web page you go to will be as though you’ve never been there. So if you have a Google home page, you’ll have to log in again. If you have any web page that has a check box like “Remember Me” or some such, you’ll have to log back in again. Really, you’re not loosing that much. The flip side is you’re gaining some privacy. But you’re not gaining anything in performance or avoiding spam. Cookies just don’t have much to do with the those.
If you want to find out the nitty gritty details of cookies, Wikipedia has a nice entry on the topic.
