Associating Data with Cookies

A couple of problems arise when using cookies to match a browser with state data stored on the server. First, most—if not all—browsers have an option to refuse cookies. For example, you can turn off cookies in Internet Explorer (IE5) by clicking the Tools menu and then selecting Internet Options > Security tab. You then select a zone—for example, Internet, Local Intranet, Trusted Sites, or Restricted Sites—and click the Custom Level button. That brings up the Security Settings dialog for the selected zone (see Figure 7.1).


Figure 7.1: Cookie options available through the Internet Explorer 5 Security Settings dialog

There are two types of cookies: those stored on your computer's hard drive, usually called persistent cookies, and those stored in memory, usually called transient cookies. The IE Security Settings dialog uses the terms "cookies stored on your computer" (persistent) and "per-session cookies" (transient). Regardless of the browser type, the basic options for each type of cookie are as follows (different browser versions implement different cookie options):

Disable: The browser won't accept that type of cookie, and the browser won't alert the user before rejecting the cookie.

Enable: The browser accepts that type of cookie and doesn't alert the user before accepting the cookie.

Prompt: The browser will alert the user whenever a site sends a cookie, and the user must accept or reject the cookie.

Other browsers have similar, although not identical, options. For example, Netscape 6 has enable, disable, and warn options, as well as letting you enable cookies for the originating Web site only—meaning that the browser won't accept or return cookies from an associated Web site, such as an ad-generating site (see Figure 7.2). In reality, most people either accept or reject cookies—the act of providing a cookie has become so ubiquitous that selecting the Prompt option is just too annoying.
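The distinction between persistent and per-session cookies, and the Disable/Enable/Prompt choice a browser applies to each type, can be made concrete in code. The following is an added example, not code from the book: it builds a Set-Cookie header with or without an Expires attribute (which is what makes a cookie persistent), classifies a header as persistent or per-session, and applies a per-type policy modelled on the IE5 Security Settings to decide whether the browser would store the cookie and send it back. The policy dictionary, the helper names and the treatment of Prompt as a yes/no decision are assumptions for illustration.

```python
# Added example (not from the book). Models how a server marks a cookie as
# persistent or per-session and how a browser policy of the IE5 kind
# (Disable / Enable / Prompt, per cookie type) decides which cookies are
# kept and returned. Policy shape and helper names are assumptions.
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from http.cookies import SimpleCookie


def build_set_cookie(name, value, persistent=False, days=30):
    """Return a Set-Cookie header value.

    A persistent cookie carries an Expires attribute, so the browser writes
    it to disk (the per-user Cookies directory on Windows). A cookie without
    Expires or Max-Age lives only in the browser's memory for the session.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    if persistent:
        expires = datetime.now(timezone.utc) + timedelta(days=days)
        cookie[name]["expires"] = format_datetime(expires, usegmt=True)
    return cookie[name].OutputString()


def cookie_kind(set_cookie_value):
    """Classify a Set-Cookie header value as 'persistent' or 'per-session'."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    for morsel in jar.values():
        if morsel["expires"] or morsel["max-age"]:
            return "persistent"
        return "per-session"
    raise ValueError("no cookie found in header")


# Assumed policy shape: one setting per cookie type, as in the IE5 dialog.
POLICY_ACCEPT_ALL = {"persistent": "enable", "per-session": "enable"}
POLICY_NO_SESSION_COOKIES = {"persistent": "enable", "per-session": "disable"}


def browser_would_return(set_cookie_value, policy, user_accepts_prompt=False):
    """Apply the policy to one Set-Cookie header.

    Returns True when the browser stores the cookie and will send it back on
    the next request to the site; False when it is rejected. For 'prompt'
    the outcome is whatever the user clicks, passed in as user_accepts_prompt.
    """
    setting = policy[cookie_kind(set_cookie_value)]
    if setting == "enable":
        return True
    if setting == "disable":
        return False
    if setting == "prompt":
        return user_accepts_prompt
    raise ValueError(f"unknown cookie setting {setting!r}")


if __name__ == "__main__":
    # Constructed sample: a server-side session cookie (per-session) and a
    # preferences cookie (persistent), seen by a browser that blocks
    # per-session cookies. The session cookie never comes back, so the server
    # cannot tie the browser's requests together.
    session = build_set_cookie("ASPSESSIONID", "g0owne23a1")
    prefs = build_set_cookie("prefs", "en", persistent=True)
    for header in (session, prefs):
        print(cookie_kind(header), "->",
              "returned" if browser_would_return(header, POLICY_NO_SESSION_COOKIES)
              else "rejected", ":", header)
```

The practical consequence is the one the chapter goes on to describe: a browser set to block per-session cookies silently drops the server's session identifier, so every request looks like a first visit even though the user is happy to keep persistent cookies.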

[Figure 7.2 image: Netscape 6 Preferences dialog, Cookies panel, offering "Enable cookies for the originating web site only", "Disable cookies", and "Warn me before storing a cookie".]

Figure 7.2: Cookie options available through the Netscape 6 Preferences dialog

Cookies weren't originally meant to be "misused" by passing values among multiple domains, but data gathering by advertisers has made such use widespread. IE6 includes even more cookie options—an attempt by browser makers to let users regain control over their information (see Figure 7.3).

Figure 7.3: Cookie options available through the Internet Explorer 6 Internet Options Privacy dialog

Second, users can see the cookie values. Windows stores persistent cookies for each user in a special Cookies directory, so users can always view persistent cookies, but they can see any cookie by temporarily selecting the Prompt (or equivalent) option in their browser. Being able to see the cookie isn't always helpful, though, because many sites don't send cookies in plain text form; instead, they send encrypted cookies or put binary information into the cookie that shows up as meaningless symbols in a viewer program, such as Notepad. It can be difficult to determine the purpose of even unencrypted, plain-text cookies. For example, here's the content of a cookie file from my computer:

BSESSIONID g0owne23a1 0

4372144144 21419871 3073552328 39418852

Note: In Notepad, the cookie content shows up as one long string. I've separated the parts to show you that even when you know what the parts are, it's often difficult or impossible to tell what the data represents.

With few recognizable dates or names, it's nearly impossible to tell exactly what the site is saving, which makes people nervous and often causes them to turn off cookies altogether—and that causes problems for server applications that need to maintain state data on the server. If the browser rejects the ASPSessionID cookie, the server cannot recognize that multiple requests from that browser represent the same browser instance. To the server, each request will appear to be the first request by that browser.

ASP.NET applications try to use cookies first, but if the browser won't accept cookies, your application can switch to inserting the ASPSessionID value into the URLs instead, a process called munging the URL.
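The cookie-first, URL-fallback behaviour can be shown end to end with a small session layer. This is an added example written for this page, not ASP.NET's own implementation: the cookie name ASPSESSIONID is taken from the chapter, while the /(S(<id>))/ URL format, the redirect probe used to find out whether the browser returned the cookie, the SessionStore class and the request/response shapes are assumptions. On a first visit the server creates a session, offers the id in a cookie and redirects to a munged URL; on the redirected request it checks whether the cookie came back and settles on cookie mode or URL mode from then on.

```python
# Added example (not from the book). Session ids are handed out in a cookie
# first; if the browser never returns the cookie, the id is carried in the
# URL instead ("munging"). URL format, probe redirect and class/helper
# names are assumptions; the cookie name comes from the chapter.
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "ASPSESSIONID"


def new_session_id():
    # 128 bits from the OS CSPRNG. The value is deliberately opaque, which is
    # why a cookie viewer shows nothing a person could interpret.
    return secrets.token_urlsafe(16)


def session_id_from_cookie(cookie_header):
    """Extract the session id from a Cookie request header, or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def split_munged_path(path):
    """'/(S(abc))/page.aspx' -> ('abc', '/page.aspx'); plain paths -> (None, path)."""
    prefix = "/(S("
    if path.startswith(prefix):
        end = path.find("))", len(prefix))
        if end != -1:
            return path[len(prefix):end], (path[end + 2:] or "/")
    return None, path


def munge_link(link_prefix, href):
    """Prefix a site-relative link with the session segment when in URL mode."""
    if link_prefix and href.startswith("/") and not href.startswith("/(S("):
        return link_prefix + href
    return href


class SessionStore:
    def __init__(self):
        self.sessions = {}  # session id -> {"mode": ..., "hits": int}

    def handle(self, path, cookie_header=None):
        """Process one request and return a dict describing the response."""
        cookie_sid = session_id_from_cookie(cookie_header)
        url_sid, clean_path = split_munged_path(path)

        # 1. The cookie came back with a known session: cookies work. If we
        #    are still on the probe URL, send the browser to the clean one.
        if cookie_sid in self.sessions:
            session = self.sessions[cookie_sid]
            session["mode"], session["hits"] = "cookie", session["hits"] + 1
            if url_sid is not None:
                return {"status": 302, "location": clean_path}
            return {"status": 200, "session_id": cookie_sid, "link_prefix": ""}

        # 2. No cookie, but the URL carries a known id: the browser rejected
        #    the cookie, so every link the page emits must carry the id.
        if url_sid in self.sessions:
            session = self.sessions[url_sid]
            session["mode"], session["hits"] = "url", session["hits"] + 1
            return {"status": 200, "session_id": url_sid,
                    "link_prefix": f"/(S({url_sid}))"}

        # 3. Unknown browser (or an id we never issued): start a fresh session,
        #    offer the cookie, and probe by redirecting to a munged URL so the
        #    next request reveals whether the cookie is honoured.
        sid = new_session_id()
        self.sessions[sid] = {"mode": "probing", "hits": 0}
        return {"status": 302,
                "location": f"/(S({sid})){clean_path}",
                "set_cookie": f"{COOKIE_NAME}={sid}; Path=/; HttpOnly"}


if __name__ == "__main__":
    store = SessionStore()
    first = store.handle("/default.aspx")
    sid = first["set_cookie"].split(";")[0].split("=", 1)[1]
    # Browser that blocks cookies follows the redirect without the cookie.
    print(store.handle(first["location"]))
    # Browser that accepts cookies returns it on the redirected request.
    print(store.handle(first["location"], f"{COOKIE_NAME}={sid}"))
```

Two design points matter for a defender. Step 3 ignores any id in the URL that the server never issued, so a visitor cannot be handed a link that pre-selects their session id (the server always mints its own). And once a site is in URL mode, the id travels in every link, bookmark, proxy log and Referer header, so such sessions should be short-lived and never reused as a credential beyond the browsing session they were created for.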
