Tuesday, April 26, 2005

moron cookies

So I'm still tweaking my web browser, trying to find the most hassle-free configuration... lately that mostly means trying different approaches for handling cookies. I've run into a problem that is fixable, but doesn't appear to actually be fixed in any of the browsers I've checked.

The problem is related to a similar usability glitch in many GUIs: if there is a 'yes to all' option, in almost all cases there should also be a 'no to all' option. In the absence of common-sense options like this we end up clicking buttons like a little crackmonkey every time we shut down a program that has multiple documents open. (And as long as the rant is topical: what the hell is up with dialog boxes that have three different options that all do the same thing, which is usually 'nothing'? More crackmonkey reflex exercises?)

In the case of browsers and cookies and GUIs (mmm... gooey cookies...) we're usually given a couple of options: reject all cookies, accept all cookies, or ask the user every time.

'Reject all' doesn't work, because some sites (your bank, for instance) require cookies for state-tracking. 'Accept all' doesn't work, because you end up with five million cookies for sites that you will never see again; they may not help you much but they sure help the marketers target you more effectively. The final option, 'ask the user', has its own subset of options with a corresponding subset of problems.

If 'ask the user' is selected, you'll get a popup box asking you what you want to do: accept forever, deny, or accept for session only. There's also a checkbox for making that choice apply to all cookie requests from that site.

'Accept forever' is useful; you know that every time you visit your bank you want it to remember who you are, so you give them free rein. 'Deny' and 'Accept for session', however, suffer from a number of problems. First, 'Deny' gets stored forever, which means accumulating cruft. 'Accept for session' seems useful, but once again it becomes a static setting, always accepting cookies but not retaining the actual data from session to session.

One hitch is that some particularly problematic sites create cookies for multiple domains (a simple case: hitcounters), but when you deny the cookie from the original site it still asks you about all of the others. So a 'deny' should apply to all subsequent requests on the same page, regardless of the initiating domain. To my knowledge no browsers have this functionality.

The solution that seems best to me would be something like this: all cookies are rejected, period, or are sent to a bit-bucket that is cleared when the browser is shut down. If you get to a site that needs persistent cookies, you can hold down CTRL while refreshing the screen (or some similar mechanism), and that site will get added to the whitelist. Maintaining a blacklist is just plain stupid, it's a problem without bounds.

So far in my experience Firefox has the best cookie-handling heuristics. The biggest lack I have seen is that the cookie list doesn't do wildcards. So, for instance, you need to 'deny' cookies for all 12000 of certain asshole companies' servers. It's gotten so bad I'm considering proxying them right off the damn net.
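Here is the whitelist-only policy sketched above, written out as an added JavaScript example (it is not code from the original post, nor from Firefox or any other browser): every cookie is session-only by default and vanishes on shutdown, only whitelisted sites get persistence, the whitelist supports wildcard entries so one line covers all of a company's servers, and a 'deny' is scoped to the page that triggered the prompt rather than to the domain that set the cookie. The hostnames, cookie strings and the `CookiePolicy`, `domainMatches` and `parseSetCookie` names are all constructed for illustration.

```javascript
// Added example (not from the original post or any browser): a cookie-acceptance
// policy of the kind sketched above. Defaults: every cookie is session-only and
// vanishes on shutdown; only whitelisted sites (wildcards allowed) get persistent
// cookies; a 'deny' is scoped to the page that triggered the prompt and covers
// every later cookie request from that page, whichever domain sets the cookie.
// Hostnames and cookie strings are constructed for illustration.

// Match a hostname against an entry such as "bank.example" or "*.bank.example".
// "*.bank.example" matches any subdomain but not the bare "bank.example" itself,
// so list both if you want both. The '.' boundary check stops "evilbank.example"
// from matching "*.bank.example".
function domainMatches(pattern, host) {
  host = host.toLowerCase();
  pattern = pattern.toLowerCase();
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);           // "*.bank.example" -> ".bank.example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === pattern;
}

// Minimal Set-Cookie parser: "name=value; Attr=val; Flag". Attribute keys are
// lower-cased; flags without a value (Secure, HttpOnly) are stored as true.
function parseSetCookie(header) {
  const parts = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? '' : parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

class CookiePolicy {
  constructor(whitelist = []) {
    this.whitelist = whitelist;        // the only list worth maintaining
    this.deniedPages = new Set();      // page origins where the user hit 'deny'
    this.jar = [];                     // { host, name, value, persistent }
  }

  // The 'hold CTRL while refreshing' action: add a host (or wildcard) to the whitelist.
  allowPersistent(pattern) { this.whitelist.push(pattern); }

  // The user's 'deny' applies to the page, not just to the domain that asked.
  denyForPage(pageOrigin) { this.deniedPages.add(pageOrigin); }

  // Decide what to do with a Set-Cookie from `setterHost` while the user is on
  // `pageOrigin`. Returns 'deny', 'persist' or 'session'.
  decide(pageOrigin, setterHost, header) {
    if (this.deniedPages.has(pageOrigin)) return 'deny';
    const cookie = parseSetCookie(header);
    const wantsPersistence = 'expires' in cookie.attrs || 'max-age' in cookie.attrs;
    const whitelisted = this.whitelist.some(p => domainMatches(p, setterHost));
    // Persistence is granted only if the site asked for it AND is whitelisted;
    // everything else is kept for this session only (the bit-bucket).
    const persistent = wantsPersistence && whitelisted;
    this.jar = this.jar.filter(c => !(c.host === setterHost && c.name === cookie.name));
    this.jar.push({ host: setterHost, name: cookie.name, value: cookie.value, persistent });
    return persistent ? 'persist' : 'session';
  }

  // Browser shutdown: drop everything not explicitly made persistent, and forget
  // the per-page denials too, so nothing accumulates. Returns the surviving count.
  clearSession() {
    this.jar = this.jar.filter(c => c.persistent);
    this.deniedPages.clear();
    return this.jar.length;
  }
}

// Walk through the scenarios from the post with constructed hosts and cookies.
function demo() {
  const policy = new CookiePolicy(['bank.example', '*.bank.example']);
  const log = [];
  log.push(policy.decide('https://bank.example/', 'bank.example',
    'sid=abc123; Expires=Wed, 21 Oct 2030 07:28:00 GMT; Secure; HttpOnly'));        // persist
  log.push(policy.decide('https://bank.example/', 'www.bank.example', 'pref=1; Max-Age=86400'));      // persist (wildcard)
  log.push(policy.decide('https://blog.example/', 'counter.example', 'uid=42; Max-Age=31536000'));    // session
  policy.denyForPage('https://blog.example/');                                                       // user clicks 'deny' once
  log.push(policy.decide('https://blog.example/', 'ads.example', 'track=1; Max-Age=31536000'));       // deny (same page, other domain)
  log.push(policy.decide('https://blog.example/', 'blog.example', 'theme=dark'));                     // deny (same page)
  log.push(policy.decide('https://other.example/', 'ads.example', 'track=1; Max-Age=31536000'));      // session (different page)
  const survivors = policy.clearSession();                                                           // only the two bank cookies remain
  return { log, survivors, jar: policy.jar.map(c => c.host) };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The matcher is deliberately simpler than a real browser's: it has no notion of a public-suffix list, so a careless entry such as `*.co.uk` would whitelist a whole registry rather than one company. Keep wildcard entries at the registrable-domain level and below.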

Wow, that was a long way to go and still not have a point.