Sunday, June 19, 2005

cookie? no, thanks.

Marketers are getting their knickers in a twist over people like me who delete their browser cookies - they are even marketing the idea that cookies are good for you. I call bullshit on that. I believe that the prevailing browser cookie models are broken, and this is probably going to turn into a long-winded explanation of why I believe that and what I think can be done about it. Non-nerds are free to leave at any time.

Most browsers give you some control over how cookies are stored on your machine. There are usually permission options and persistence options:
  1. deny all
  2. allow all
    1. Scope:
      1. for all sites
      2. for originating site only
    2. Persistence:
      1. for all time
      2. for this session only
  3. ask every time
    1. ask for each cookie
    2. apply choice to all cookies from this site

Some of these options are trivial - allowing all cookies or denying all cookies requires no further input from the user. But if you choose to be selective about which sites store cookies on your machine, you quickly run into options that don't make much sense. For example, suppose you choose to have the browser ask you every time: if you allow the cookie, you get a cookie. If you disallow the cookie, you basically get an antimatter cookie, a sort of meta-cookie that blocks further cookies from that site. In effect you are blacklisting the entire web, by hand, one site at a time, when what you really want to do is whitelist the few sites to whom you wish to allow free cookie privileges.

Some sites don't function well, or at all, without cookies. Many don't require the cookies to persist across sessions, but within a single session they use cookies to track state changes - you added an item to your shopping cart, you logged in to your email account, whatever. Since these sites are becoming more prevalent, turning off cookies entirely doesn't seem to be an option, so at the very least enabling cookies for session-only persistence can save you a lot of hassle. For the majority of sites, session-only persistence is also the very most access that needs to be enabled... if you 'surf' the web you visit hundreds of sites you'll never see again, and there is no reason to be storing all of their cookies unless you are specifically trying to help the data-miners target you.

For commonly used sites, it would be (and is) nice to have cookies that persist across sessions. What is needed is a simple way to elevate the cookie privileges of a specific site, and by simple I don't mean "navigate through three layers of menus and then plow through the list of blocked sites to unblock the one you want", which is the way most browsers handle it. So, finally, my proposed solution:
  1. Set all cookies to 'session only'.
  2. When a site sets a cookie, a little cookie icon is activated on the toolbar.
  3. If you decide you want cookies from that site to persist across sessions, click on the cookie icon and that site will be added to the whitelist, subject to your other permissions (i.e. 'all cookies' vs 'originating site only').

This setup has the advantage of only storing cookies for sites you authorize, without bugging you all of the time. Plus the marketers take it in the shorts... it's a win-win situation :).
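A sketch of the three-step proposal as a cookie-jar policy, added here as an illustration (it is not Firefox code or any browser's API). The class, method and host names are hypothetical, and hosts are compared by exact string match. The persistence decision is made at shutdown, so clicking the icon after a cookie was set still keeps it.

```javascript
// Added example: session-only cookies by default, persistence by whitelist.
// Hosts are compared by exact string match (assumption; a real browser
// compares registrable domains).
class CookiePolicy {
  constructor(scope = "originating-site-only") {
    this.scope = scope;           // "all" or "originating-site-only"
    this.whitelist = new Set();   // hosts the user promoted via the icon
    this.iconHosts = new Set();   // hosts that set a cookie this session
    this.jar = [];                // { host, name, value, expires }
  }

  // Step 2: called per Set-Cookie. pageHost is the site being visited,
  // cookieHost is the host setting the cookie, expires is ms since epoch
  // or null for a cookie the site itself marked session-only.
  accept(pageHost, cookieHost, name, value, expires) {
    if (this.scope === "originating-site-only" && cookieHost !== pageHost) {
      return false;               // third-party cookie refused outright
    }
    this.iconHosts.add(cookieHost);   // lights the toolbar icon
    this.jar = this.jar.filter(c => c.host !== cookieHost || c.name !== name);
    this.jar.push({ host: cookieHost, name, value, expires });
    return true;
  }

  // Step 3: the user clicks the cookie icon for this host.
  allowPersistence(host) { this.whitelist.add(host); }

  // Step 1, enforced at browser shutdown: only unexpired cookies from
  // whitelisted hosts are written to disk; everything else is dropped.
  endSession(now) {
    this.jar = this.jar.filter(c =>
      this.whitelist.has(c.host) && c.expires !== null && c.expires > now);
    this.iconHosts.clear();
    return this.jar.map(c => `${c.host}:${c.name}`);
  }
}

// Constructed sample session (hosts and cookie names are made up).
function demoSession() {
  const now = Date.parse("2005-06-19T12:00:00Z");
  const year = 365 * 24 * 3600 * 1000;
  const p = new CookiePolicy();
  p.accept("shop.example", "shop.example", "cart", "3", now + year);
  const adOk = p.accept("shop.example", "ads.example", "uid", "u1", now + year);
  p.accept("mail.example", "mail.example", "login", "me", now + year);
  p.accept("mail.example", "mail.example", "tab", "inbox", null);
  p.allowPersistence("mail.example");   // clicked after the cookies were set
  return { adOk, kept: p.endSession(now + 1000) };
}
```

In the sample session only the whitelisted site's long-lived cookie survives shutdown; the shop's cart cookie worked during the session and is then discarded.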

I guess I need to dig into the Firefox code and see if I can implement this instead of just bitching about it. Another day, another post.