Fog Creek Software
Discussion Board
To cookie or not to cookie...

I went looking for a data projector today and came across the website for Harvey Norman (a large furniture, electrical appliance and IT chain). It wouldn't display at all because I didn't have cookies enabled and gave me the following message.

http://www.harveynorman.com.au/

> You cannot access the Harvey Norman web site as your browser does not appear to be set to accept cookies.
>
> Cookies are used on the web site so that we can provide you with the best service and access to great discounts.
>
> Otherwise, if your browser is configured to accept cookies, please try closing and re-opening your browser and returning to the site.
> You do not have to close your Internet connection.
>
> We apologise for the inconvenience.

IMHO that's just crazy! It would seem that they want to track your interests, etc, so badly that they won't even display their products unless they can.

A side point is that I haven't even got cookies disabled. I'm just using Opera which seems to confuse some sites.

Jack.

Jack of all
Wednesday, August 27, 2003

I agree.  That's over the top.  If you have cookies disabled, you shouldn't be able to use parts of the site that REQUIRE cookies but the rest of the site should be viewable.

Almost Anonymous
Wednesday, August 27, 2003

It's quite difficult to make a working shopping cart without cookies. Given that 99.99% of users do have cookies enabled, it's hard to justify any expense of making a web site work without cookies.

Joel Spolsky
Wednesday, August 27, 2003

"Given that 99.99% of users do have cookies enabled, it's hard to justify any expense of making a web site work without cookies."

Pretty much all websites work without cookies.  Sure their shopping carts won't work -- but putting the warning there seems more appropriate.

Almost Anonymous
Wednesday, August 27, 2003

"Pretty much all websites work without cookies.  Sure their shopping carts won't work -- but putting the warning there seems more appropriate. "

I completely agree. The other point is that I might just be interested in browsing to see if they have a product available (and its price) and then just walk to their shop (which, by the way, is only two blocks from my office) and buy it without needing to wait for them to post it to me. Just like watching an ad on TV or some of the junk mail that clogs my mailbox. Are you ever asked for your ID just to pick up a catalog from the shop?

uncronopio
Wednesday, August 27, 2003

The site in question is using ASP/IIS, which uses cookies to do session management.

If they do use the Session API to generate dynamic content and you disable cookies, the behavior can be unpredictable.

I guess they are just adhering to the adage of "No information is better than wrong information".

Amour Tan
Wednesday, August 27, 2003

> Are you ever asked for your ID just to pick up a catalog
> from the shop?

A paper catalog is different from a digital catalog. A web-based catalog is sometimes dynamically generated based on your past buying pattern.

Amour Tan
Wednesday, August 27, 2003

So if you don't have cookies enabled, it should just act like you've never bought anything there.  Which is probably the case, or you'd have enabled cookies for that site.

rob mayoff
Wednesday, August 27, 2003

The first page (home page) will not be any different, but subsequent pages might need session information fed from previous pages.

Amour Tan
Thursday, August 28, 2003

Session IDs can work here too, though I think they're pretty annoying... basically the cookie, but in the URL.

www.url.com/page-something.asp?s=ase5se7324wq36754346raz46

www.marktaw.com
Thursday, August 28, 2003

I have also noticed that a few sites tell me I don't have cookies enabled, when I most definitely do have them enabled. As much as I love Opera, it's a pain when you hit a site that does this.

I suspect that since cookies work correctly in Opera on most sites, it must be an outdated browser-detection script on the web site.

Troy King
Thursday, August 28, 2003

End-users should not have to care if the shop uses ASP/IIS or any other technology; that is not their problem. Imagine that a shop asked you to show that you are carrying your wallet before allowing you inside the premises. Thus, why would you impose technological limitations that are unrelated to the ability of customers to purchase goods and services? Particularly in this case, when there is a bricks and mortar presence and a customer might use the web as a way to make a decision before forking out the cash in one of the stores.

uncronopio
Thursday, August 28, 2003

"Session IDs can work here too, though I think they're pretty annoying... basically the cookie, but in the URL."

Yeah, unfortunately, it means that passing along URLs isn't safe. Someone gets to jump into your session because you sent them the URL with the session ID in it. Not good.

Honestly, there's an awful lot of whining in this thread about cookies. If someone has disabled SESSION COOKIES, then in my opinion, they get no sympathy from me for not being able to browse a site.

Brad Wilson (dotnetguy.techieswithcats.com)
Thursday, August 28, 2003

Some stores do require 'identification' before allowing entry. Here in NJ we have several wholesale clubs that require an ID to enter the store. In NYC certain stores (around 32nd or so) do not sell to end consumers, so when you purchase you must have a tax ID for them to use. Where I work we sell to both sets of customers, end users and resellers (companies with tax IDs; not that we can verify them, but thankfully all the IRS cares about is that we collected them: if the person uses a fraudulent tax ID, that is their problem, not ours). So we are working on a site where you can only see the prices once you have entered your tax ID and logged in. (This is also to combat MAP pricing rules: being able to sell an item for one price but not being able to advertise the item at that price.)

There is also another pricing scheme that exists for certain stores like Best Buy. (Right now the aisles leading to the TV/flat panel section in the back right of the store are lined with tons of sale items, which is why everyone is going to that corner to look at the TVs.) They make a lot of their money on the sale of shelf location, so within their stores they do a decent amount of foot traffic analysis so they know how much to charge for a certain location on a shelf. So if a company makes its money on its website by this same method they may be very interested in who goes where on the site and how often, so they know how much to charge for the location of the item. To do this tracking long term they use cookies. In the store they do this tracking via repeat credit card charges (you know where someone went in part based on what they bought).

Unfortunately the best way to provide this service is to use cookie-based sessions. I think the problem with the sites above is that they were not designed well to deal with the person that has them turned off or is using a device that does not even support cookies.

I just wish there was a better way to provide session state in a more user friendly and less abusable way.

Jeff
Thursday, August 28, 2003

> Yeah, unfortunately, it means that passing along URLs isn't safe. Someone gets to jump into your session because you sent them the URL with the session ID in it. Not good. <

Yeah, I thought about that... The session ID could expire... could also check your browser, OS and IP address; if any of them changes, then show the generic version of the page.

If the purpose is to customize the page for you, then without cookies is fine... nothing personally identifiable there... unless you're on a site like Amazon and you surfed from "The Story of O" to "Management for Dummies" and forwarded the link to your friend, who could somehow find out where else you'd been.

A shopping cart needs to be more secure though.

Here's an idea... wouldn't an SSL connection - necessary for the shopping cart anyway - keep your browser uniquely identifiable to the server? No.. this must not work because I worked on a banking site and they had problems with cookies as well.

www.marktaw.com
Thursday, August 28, 2003

I posted about using the IP address for identification here in the past. It is a no go. Certain users' IP addresses change from minute to minute; AOL and BellSouth DSL users are bothering me the most with this. That, and the IP address can be faked on the client side, so it is not to be trusted. The fact that people send links to other people via IM and email makes it so two people can get the same link before it times out. You need to use a cookie to detect a change in location.

Jeff
Thursday, August 28, 2003

For an SSL connection to identify a user in a unique way they need to have a personal certificate, not the easiest thing to set up for the end user. That, and they have to set up that certificate on every machine they want to use your site with.

Jeff
Thursday, August 28, 2003

Don't use cookies in web development. Cookies can simplify user identification on the server side, but also create new security problems. Don't put any sensitive information into a cookie since it is only BASE-64 encoded text.

Someone here wrote that a shopping cart requires cookies. It depends on the implementation. For example, our on-line shopping solution doesn't use cookies; of course the user should log in to access his/her shopping cart, saved in the database.

Evgeny Gesin /Javadesk/
Thursday, August 28, 2003

"That and the IP address can be faked on the client side so it is not to be trusted. The fact that people send links to other people via IM and email makes it so two people can get the same link before it times out. "

You can't spoof an address in a TCP connection (well, not without breaking in to the hosting provider of the company in question or altering global routing tables): packets have to be routed both ways. UDP can be spoofed, but that's not the point here. Regardless, I agree that monitoring users by IP isn't effective, as there are mega proxies with millions of users coming from a couple of IP addresses (often with a single user jumping between them).

Having said that, disallowing someone from seeing a whole site because they don't have cookies enabled is LUDICROUS (and I can't believe that Joel agreed with it... this is completely one of those egotistical developer things where a developer is imposing something completely unnecessary). The person didn't even try to order something (though ordering could be facilitated through hidden form fields if the development group wasn't incredibly lazy; as mentioned, it could also embed the session key in the URL, which .NET offers), but just wanted to browse the site. There is no need for cookies.

Dennis Forbes
Thursday, August 28, 2003

>I have also noticed that a few sites tell me I don't have
>cookies enabled, when I most definitely do have them
>enabled. As much as I love Opera, it's a pain when you hit a
>site that does this.

I'd guess that these sites use Javascript to set cookies, and you've disabled that feature in your Javascript security settings.

Same thing happened to me just the other day.

Michael Eisenberg
Thursday, August 28, 2003

Complaining about cookies is so 1999. Just deal with it, or only enable session cookies.

Meine Hosen sind hervorragend!
Thursday, August 28, 2003

The humorous thing is that your "deal with it" attitude is what's REALLY a sour remnant of 1999: the era of sites that insist you have cookies, Flash, images enabled, running in IE x.x or it just won't work and the user is shuttled off to a "go upgrade and come back". The pathetic remnants of the .COM bubble when the "What we're doing is so amazing and so cool, our customer can adapt to us" thought process ruled the day. Nowadays, you know, 2003, most sites can be navigated with ease with Lynx, or virtually any other browser. Technologies such as .NET adapt to the capabilities of the client, including cookies, seamlessly providing information and functionality for the breadth of possible client platforms.

Anonymous Cowboy
Thursday, August 28, 2003

Evgeny, you said your shopping cart software doesn't require cookies. So they log in to get their account. How do you know which user is hitting a certain page in that same session? Are you adding a session id to the URL or something?

Troy King
Thursday, August 28, 2003
