
Don't fight cookie battles; control them with IE6

Cookie management has become a much bigger issue in Internet Explorer 6 than it ever was in previous versions. In this article, Brien Posey shows you how to manage cookies and how automatic cookie management works.


I’ve always looked at cookies as a mixed blessing. There’s little doubt that cookies can be handy. For example, I have absolutely no idea what my user name and password are for the TechRepublic Web site, but I don’t have to know because the Web site uses a cookie to automatically log me in when I visit. However, there are a lot of other sites out there that you probably don’t want placing cookies on a user's machine. So, to help you manage cookies for your organization, I’ll discuss how Internet Explorer 6 (IE6) deals with them.

Deleting cookies
If you open IE6 and select the Internet Options command from the Tools menu, one of the first things that you’ll notice is the Internet Options sheet’s General tab now contains a Delete Cookies button, as shown in Figure A. This button allows you to get rid of every cookie in your profile (but not cookies for other users) in one quick click. I recommend, however, that you use the Delete Cookies button sparingly because quite a few Web sites that you visit on a daily basis use cookies for legitimate purposes.

Figure A
The Delete Cookies button allows you to quickly remove all of your cookies.


The Privacy tab
As you might recall, IE5 relied on security zones for privacy. So, the way that IE5 dealt with cookies was based upon the security zone that a Web site fell into and the security settings for that zone. For example, by default, the Internet zone is set to use a Medium security level. Under the Medium security level, cookies and per-session cookies are permitted. Even if you apply custom security settings, cookies are either allowed or not allowed depending on your setting in that particular security zone. There was no option to gain tighter control over cookies.

Notice in Figure A that the Internet Options sheet contains a tab called Privacy that didn’t exist in IE5. Although IE6 still uses the concept of security zones, it has moved cookie control from the Security tab to the Privacy tab.

As you can see in Figure B, setting the privacy level is similar to setting a zone security level. You simply move the slide bar to the desired security level. Beneath the security level is a description of what the security level does and doesn’t allow. For example, the default setting is for medium privacy. As you can see in Figure B, this setting blocks third-party cookies that do not have a privacy policy or that use personally identifiable information without your explicit consent, and it restricts first-party cookies that use personally identifiable information without explicit consent.

Figure B
You can use a simple slide bar to set the level of privacy you desire.


Custom privacy policies
Obviously, having this much control over cookies is a big improvement over IE5. And, you can exercise even more control over cookies by creating a custom privacy policy. Click the Advanced button, which will display the Advanced Privacy Settings dialog box (Figure C). Once you select the Override Automatic Cookie Handling check box, you can set IE to accept, block, or prompt you when a Web site uses first-party cookies, and make the same choice separately for third-party cookies. You also have the option to always allow session cookies.

Figure C
The Advanced Privacy Settings dialog box allows you to create a custom privacy policy.


Cookies on individual Web sites
At the bottom of the Privacy tab is an Edit button (see Figure B) that you can use to override cookie handling for individual Web sites. When you click the Edit button, you’re presented with the Per Site Privacy Actions dialog box, as shown in Figure D.

Figure D
The Per Site Privacy Actions dialog box allows you to manage cookies on a per-Web-site basis.


This dialog box allows you to enter a URL and then click either the Block or Allow button to convey whether or not the specified site is allowed to use cookies—a rule that takes precedence over any settings found in your privacy level or in a custom privacy policy.

If you later decide that a permission or denial was inappropriate, you can get rid of it by selecting it from the list of managed Web sites and clicking the Remove button. You can also use the Remove All button to completely clear the list.
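
The order in which these settings apply can be modeled in a few lines. The following Python sketch is an added example, not code from IE6 or from the original article: the class and function names are hypothetical, per-site entries are matched by exact host name as a simplifying assumption, and only the Medium privacy level is modeled, using the description given above.

```python
from dataclasses import dataclass, field

@dataclass
class Cookie:
    site: str                          # host that sets the cookie
    third_party: bool                  # set by a host other than the page being viewed
    session: bool = False              # per-session cookie, not persisted
    has_policy: bool = True            # the site publishes a privacy policy
    pii_without_consent: bool = False  # uses personal data without explicit consent

@dataclass
class PrivacySettings:
    per_site: dict = field(default_factory=dict)  # host -> "allow" or "block"
    override: bool = False             # Override Automatic Cookie Handling
    first_party: str = "accept"        # "accept", "block" or "prompt"
    third_party: str = "accept"        # "accept", "block" or "prompt"
    always_allow_session: bool = False

def medium_automatic(cookie):
    """Medium privacy level, as the article describes it."""
    if cookie.third_party:
        if not cookie.has_policy or cookie.pii_without_consent:
            return "block"
        return "accept"
    return "restrict" if cookie.pii_without_consent else "accept"

def decide(cookie, settings):
    # 1. A per-site entry takes precedence over everything else.
    action = settings.per_site.get(cookie.site.lower())
    if action is not None:
        return "accept" if action == "allow" else "block"
    # 2. A custom policy replaces automatic handling when the override is on.
    if settings.override:
        if cookie.session and settings.always_allow_session:
            return "accept"
        return settings.third_party if cookie.third_party else settings.first_party
    # 3. Otherwise the privacy slider (Medium here) decides.
    return medium_automatic(cookie)

def demo():
    # Constructed sample data: hosts and settings are illustrative only.
    custom = PrivacySettings(per_site={"ads.example": "allow"}, override=True,
                             third_party="block", always_allow_session=True)
    return [
        decide(Cookie("ads.example", True, has_policy=False), PrivacySettings()),
        decide(Cookie("ads.example", True, has_policy=False), custom),
        decide(Cookie("tracker.example", True), custom),
        decide(Cookie("tracker.example", True, session=True), custom),
    ]
```

The second result in `demo()` is the case administrators tend to overlook: an Allow entry in the per-site list admits a cookie that both the Medium level and the custom policy would have blocked.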

The future is in P3P
Notice in Figure C that one of the check boxes is labeled Override Automatic Cookie Handling. At first you might not have thought anything of this wording. However, IE really does perform automatic cookie handling.

Automatic cookie handling is based on the P3P protocol. P3P is an Internet standard that is still under development. The idea behind this protocol is that based on minimal input from the user, P3P allows the computer to make complex decisions on the user's behalf.

Although automatically controlling cookies is a complex operation, the idea behind it is relatively simple. IE selects an XML policy based on where you position the privacy slide bar. For example, if you select a medium privacy level, then IE will use an XML file that describes the medium privacy policy in a way that P3P can understand.

But P3P wasn’t just designed to handle cookies. It can be used to control the settings for the entire Internet experience. Therefore, you can expect the P3P code in future versions of IE to grow increasingly complex as more and more policies are controlled by XML code.
