23

I just started to create a new web application. In the documentation, it is written that I have to prepare for the situation where users have disabled cookies. This is not the first time I have read this condition. Can anyone explain to me why users want to disable cookies in their browsers?

Krystian
  • 2
    That's because they don't want to compromise their privacy by e.g. rejecting cookies until they are not logged-in. – Andrew Smith Aug 10 '12 at 13:08
  • 1
    Just inform the users that cookies are needed to log in. People who use plugins like CookieSafe shouldn't mind turning cookies on for the websites they want to use. – Mischa Arefiev Aug 13 '12 at 11:49
  • According to which documentation should browsers allow users to disable cookies? Is there any "RFC X" article? – Amirreza Nasiri Oct 22 '14 at 08:53

4 Answers

28

Cookies have, historically, been a source of numerous security and privacy concerns.

For example, tracker cookies can be used to identify which websites you've visited and what activities you've done on them:

  1. Site A includes a hidden iframe that points at a tracker service.
  2. Tracker service issues a cookie that identifies you, and logs your visit.
  3. Site B includes the same hidden iframe.
  4. Tracker service recognises your cookie, and logs that visit too.
  5. Site A and Site B pay the tracker to get information about what other sites their users visited.

This is just one application. There are other ways to use tracker cookies, some of which allow all sorts of nasty attacks such as identity theft.

Another problem is cookie-stealing, which can be used to hijack insecure (i.e. non-HTTPS) sessions. Using an exploit (e.g. XSS) a page might manage to post another site's cookies back to itself, allowing an attacker to steal your session ID. Turning off cookies prevents this.

Due to these problems, users often disable cookies or block them on certain sites for increased privacy and security.

Polynomial
  • 6
    Luckily most tracking cookies can be blocked by simply disabling third party cookies. – CodesInChaos Aug 10 '12 at 17:35
  • 3
    Just out of curiosity, is your documentation current? People used to say this 8-10 years ago, but I'd be surprised if any sensible/reputable & modern (post 2005ish) publication still suggested you try and handle this scenario. – NickG Aug 10 '12 at 20:20
  • 4
    Turning off cookies might be good for privacy, but it's probably not more secure. In the cases when your cookies can be stolen to impersonate you, turning off cookies will usually just mean you can't log in. – Ry- Aug 10 '12 at 21:04
  • If you can log in even without cookies, it means that the session-id is stored somewhere else (probably in the URL). So unless the XSS exploit is specialised and only "interested" in cookies, it will copy the URL too. – curiousguy Aug 11 '12 at 06:45
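The five-step tracker flow from the answer above, together with the third-party cookie setting mentioned in the comments, as an in-memory simulation. This is an added example, not code from any of the posters; the class names, the `tracker.example` domain and the `uid-N` identifiers are constructed for illustration.

```python
import itertools


class Tracker:
    """Third-party service embedded (e.g. via a hidden iframe) on several sites."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.visits = {}  # cookie value -> sites on which that cookie was seen

    def handle(self, cookie, embedding_site):
        """Log one embedded request; return the cookie value to be stored."""
        if cookie is None:  # unknown browser: issue a fresh identifier
            cookie = f"uid-{next(self._ids)}"
        self.visits.setdefault(cookie, []).append(embedding_site)
        return cookie


class Browser:
    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}  # cookie domain -> value

    def visit(self, site, tracker, tracker_domain="tracker.example"):
        # The frame is third-party whenever its domain differs from the page's.
        blocked = self.block_third_party and site != tracker_domain
        sent = None if blocked else self.jar.get(tracker_domain)
        issued = tracker.handle(sent, embedding_site=site)
        if not blocked:  # a blocked Set-Cookie is simply discarded
            self.jar[tracker_domain] = issued


def simulate(block_third_party):
    """Visit site A then site B; return what the tracker has logged."""
    tracker = Tracker()
    browser = Browser(block_third_party)
    for site in ("site-a.example", "site-b.example"):
        browser.visit(site, tracker)
    return tracker.visits


if __name__ == "__main__":
    print("third-party cookies allowed:", simulate(False))
    print("third-party cookies blocked:", simulate(True))
```

With third-party cookies allowed the tracker holds one identifier seen on both sites; with them blocked it holds two identifiers it cannot join through cookies alone.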
21

With tracking cookies, advertisers can track users across different websites and even across IP addresses (e.g. for laptop users). This has been going on since forever (literally since the beginning of advertising networks, like Google Adwords), but recently the media has been inciting the public against those cookies, blaming them as the root cause for privacy violation. It's gone so far that the EU passed something that is supposed to forbid unnecessary cookies without opt-in. Ironically, the Dutch government's website (here the law came into effect a few months ago) doesn't follow the law either.

These cookies are actually, partially, a cause of privacy intrusion. It makes you easy to track, but there are plenty other ways to tell one user from another. Also there is hardly any reason to block this kind of targeted advertising, it cuts both ways, but that's another subject and a hot debate.

Without cookies, you can hardly keep a user logged-in. Give the appropriate error when cookies turn out to be disabled ("You may not be able to log in, cookies are disabled in your browser, click here for more info."), and I think it's case closed. Most other websites like Facebook and Twitter also won't work without cookies anyway.

Luc
  • 1
    "_It makes you easy to track, but there are plenty other ways to tell one user from another._" People who disable cookies to avoid being tracked either do not understand that, or they simply expect that so few people disable (or often delete) cookies that very few websites will bother with the more complicated tracking techniques. – curiousguy Aug 11 '12 at 02:36
  • 1
    "_recently the media has been inciting the public against those cookies, blaming them as the root cause for privacy violation_" 10 years ago the same "news" articles existed, only a little bit less dramatic. – curiousguy Aug 11 '12 at 06:46
  • 1
    OK, I just read [an article](http://www.lepoint.fr/high-tech-internet/amende-historique-infligee-a-google-pour-espionnage-09-08-2012-1494513_47.php) where cookies are defined as "small spy software". – curiousguy Aug 13 '12 at 19:06
9

The most common reason is that they've done it accidentally and have no idea they've done it (see paragraph 4 below).

Second most common reason is privacy (paranoia?). Some people are anti-tracking at any expense. I tend to find they don't really understand what cookies are in this instance. More likely they just think "tracking is bad" and turn them off - without having any idea for instance, what the difference is between session cookies, 1st/3rd party cookies etc.

However more importantly, I do not believe it's realistic to account for the situation where a user has disabled cookies on anything but extremely basic websites. It's not possible to avoid using cookies (or an URL based equivalent) in anything other than a basic website with very little user-interaction other than following links to static content. You can forget about logins and shopping baskets, because to create those, you need at least a session or a cookie (and session tracking requires a cookie, or URL equivalent).

In 12 years as a website developer, the only people I've ever encountered who have disabled cookies, have done it accidentally. With NO exceptions, this is because they've been in the settings screen of Internet Explorer and thought that pushing that security/privacy slider up to "High" has got to be better than "Medium". In all cases, they've put it back down to medium, once I've pointed out what effect it has and how many websites it breaks. Often the user has installed a second browser, believing their original browser is "broken" as no websites work with it. As such I believe it's important to tell users they have cookies disabled (using a suitable detection method) if you have a high traffic site.

You can avoid using cookies by storing a unique ID in the URL (.NET and other frameworks support this natively) but I believe this simply moves the problem to the URL - and paranoid users may be put off by a URL which is clearly tracking them. Be sure to ensure that if you come up with a homebrew method of doing the same thing, that any URL IDs are tied to the user's IP address. If not, you will create an extremely easy method for session hijacking - as a user simply sending a link, will acquire the session state of the sending user.

The vast majority of major websites which require a login, or have a shopping cart function require cookies to work and I do not think it's sensible to try and work around this. You're probably talking of a tiny fraction of 1% of users who have cookies disabled. Ignore stats produced from automatic systems like WebTrends as these will include things like web-crawlers and bots which do not (and have no need to) support cookies, as this will give you a falsely high reading of the number of users who've disabled cookies. You're certainly talking more like 1 in 5000 rather than 1 in 10 users who've disabled cookies and actually still expect websites to work :)

NickG
  • "_without having any idea for instance, what the difference is between session cookies, 1st/3rd party cookies_" I am not sure I know what a 3rd party cookie is: is there an agreed on definition? – curiousguy Aug 11 '12 at 02:32
  • @curiousguy: [See here to see what is the effect when 3rd party cookies are disabled](http://security.stackexchange.com/a/76709/8340). – SilverlightFox Feb 02 '15 at 14:20
  • Err.. I would not be so sure that few people disable cookies, I myself have been living with cookies disabled for centuries and I bet many more people do the same, there is a thing called "whitelist" that lets you choose explicitly what sites you want to permit cookies to be logged in and if a useless site or etc requires cookies I will avaible how much I want/need to use the site? Not that much? I'll just close the tab and forget it – Freedo Feb 04 '15 at 13:15
  • @Freedom - no you haven't. Computers haven't even existed for "centuries". The vast majority of websites do not even work without cookies these days – NickG Feb 19 '15 at 14:23
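One way to do the detection this answer refers to, showing the warning text suggested in the earlier answer: set a probe cookie, redirect once, and check whether it came back. This is an added example, not code from either poster; it is a standard-library WSGI app, and the `/login` path, the `cookietest` name and the `request` helper are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

LOGIN_PATH = "/login"  # fixed redirect target, never derived from the request
PROBE = "cookietest"   # hypothetical probe cookie / query marker name
WARNING = ("You may not be able to log in, cookies are disabled in your "
           "browser, click here for more info.")


def app(environ, start_response):
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    query = parse_qs(environ.get("QUERY_STRING", ""))

    if PROBE in cookies:
        # The browser returned the probe: cookies work, show the normal form.
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"login form"]

    if PROBE not in query:
        # First contact: set a session cookie (no Expires/Max-Age, so it is
        # dropped when the browser closes) and redirect exactly once.
        # Add "; Secure" when the site is served over HTTPS.
        start_response("302 Found", [
            ("Location", f"{LOGIN_PATH}?{PROBE}=1"),
            ("Set-Cookie", f"{PROBE}=1; Path=/; HttpOnly; SameSite=Lax"),
        ])
        return [b""]

    # Marker present but cookie absent: the browser rejected the cookie.
    # Say so rather than silently falling back to a session ID in the URL.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [WARNING.encode()]


def request(query="", cookie=None):
    """Drive the app with a constructed WSGI environ (no network needed)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": LOGIN_PATH,
               "QUERY_STRING": query}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response)).decode()
    return seen["status"], seen["headers"], body
```

The query marker is what prevents a redirect loop for browsers that drop the cookie: the second request is recognisable as the follow-up even though no cookie arrives with it.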
6

In the documentation, it is written that I have to prepare for the situation where users have disabled cookies.

Being "prepared" is not the same thing as making a fully functional login system that works without HTTP cookies.

Users may turn off HTTP cookies to avoid "being tracked"; in this case, you could think of using another approach for session management, like using a secret URL. Keeping the session ID in the URL has some security and usability merits, but also really serious security and usability issues, and this message is not recommending this approach. Because the question was not about the security of keeping the session ID in the URL, I do not want to discuss this (interesting) issue here.

The issue is not just technical, it is an acceptability issue: if the user voluntarily turns off cookies, you can bet he does not want to be tracked. Trying to get around the blocking of cookies (even "for his own good") is very likely to upset him.

Instead, you can explain to users that only session cookies are needed for session management within your Web application, and that it is possible to automatically erase all cookies when the browser is closed.

curiousguy
  • 1
    Keeping the session ID in the URL is not a good idea, unless you generate session IDs based on IP address *and* OS *and* browser *and* all other information you can gather, and immediately terminating the session if *any* of those doesn't match. Otherwise a single shared link (or even a single *visited* link — Referer will have the SID) may compromise the account. – Mischa Arefiev Aug 13 '12 at 11:48
  • "_Otherwise a single shared link (or even a single visited link — Referer will have the SID) may compromise the account._" It is the responsibility of the user to not share links pointing to his personal account, and it is the responsibility of the webmaster to avoid any direct external links on such pages; redirects are still possible. Also, if the information has any value, it should be transmitted via HTTPS, and `Referer` is usually suppressed in this case. – curiousguy Aug 13 '12 at 17:57
  • @MischaArefiev Using cookies for session-id is also a "silly" idea. It has all kinds of specific flaws, which are **very difficult** to avoid. OTOH, making a Web page with no external links at all can be easily done. – curiousguy Aug 13 '12 at 18:05
  • "_Keeping the session ID in the URL has some security and usability advantages, and also really serious security and usability issues._" Is that not clear? **I was NOT recommending the use of session-ID in URL.** I very clearly said the contrary. – curiousguy Aug 13 '12 at 18:34
  • 1
    I have edited my answer to make it even more clear that **I did not recommend the session-ID in URL approach here**. – curiousguy Aug 13 '12 at 18:40