Paranoid cookie management

How much paranoia you employ in Web cookie management determines how much work you must put in, and which strategies you'll use.

Most people don't do any cookie management with their Web browsers at all. The browser just accepts all cookies and saves them until they expire -- if ever. There was a time when it seemed like everyone was worried about tracking cookies, but that time appears to have passed.

Some still try to maintain some control over cookie handling in the browser, however. What they consider an effective cookie management strategy varies significantly from one person to the next.

Cookie Management Strategies

Deny All Cookies

A simple (but inconvenient) approach is to simply disable all cookies all the time. Of course, this makes it extremely difficult to do things like log into Websites that require cookies. Worse yet, some Websites refuse to work properly at all. Try visiting a Weblog with a custom domain name hosted by WordPress.com, for instance -- with all cookies denied. The site will enter an infinite loading loop, essentially telling people who deny all cookies "We don't want you to visit our site."

As pointed out in required cookies == bad design, this is a bad way to run a Web site, and I picked on WordPress.com hosting in particular with wordpress.com != good domain hosting. None of that changes the fact that sometimes one might want to visit a site hosted by WordPress.com though, to say nothing of the desire we might have to log in at TechRepublic, which means that for many of us simply denying all cookies all the time might prove suboptimal.

Clear Cookies on Exit

Another simple approach is to configure the browser to clear all cookies on exit. While it doesn't do much for dealing with undesirable cookies during the current browsing session, it ensures that if you want to log into a somewhat questionable site after having logged into your bank's site, you can do so without your bank's login cookie being in any danger of somehow getting harvested by the more questionable site. All you have to do is close the browser when you're done with the bank site, then open the browser again before going to another site.

This can prevent you from being "permanently" logged in to some Websites, which is problematic for the way some people work. If you want to be able to fire up the browser and navigate directly to the TechRepublic Website without having to explicitly log in, allowing cookies to persist between browsing sessions can ensure you can just jump right into discussion without entering your login information every time.

This approach also protects your system from snooping by others with physical access to the computer, especially if it clears history as well as cookies.

Privacy Mode

Web browsers are starting to provide privacy, or "incognito", browsing modes. These create tabs or separate browsing processes in which cookies and history will be kept separate from the main browsing process(es), and cleared when you're done. When exiting the private browsing mode or tabs, you still have your browser running with normal configuration and any tabs you were previously using still open. You can still be "permanently" logged into any Websites you like, as long as you don't log into them in privacy mode.

This is also more convenient for dealing with local snoops, as any Websites you don't want others knowing you visited will not have cookies and history saved as long as you only visited them in a privacy mode. Meanwhile, the rest of your browser's cookies and history will be managed as normal.

Deny Third-Party Cookies

Some browsers provide the ability to accept first-party cookies, but not third-party cookies. In general, denying third-party cookies (and scripts and so on) seems like an excellent idea for security. Unfortunately, in the real world, things are simply not as straightforward as we might expect. Many Websites may actually use login cookies issued by differing subdomains, such as handing out login cookies from login.example.com when you want to log in at www.example.com, and if you deny all third-party cookies you may find you simply cannot log in at www.example.com at all.
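As an added illustration that is not part of the original article, the following Python sketch simulates two ways a browser could decide that a cookie is "third-party": by comparing exact hosts, or by comparing registrable domains (eTLD+1). It shows why a strict host comparison rejects the login cookie issued by login.example.com during a page load at www.example.com, while a site-level comparison keeps it and still rejects a cookie from an unrelated tracker. The tiny public-suffix set and all host names are constructed for the example.

```python
# Constructed stand-in for a real public suffix list (a browser would use the full list).
PUBLIC_SUFFIXES = {"com", "co.uk"}


def registrable_domain(host):
    """Return the eTLD+1 of host: the shortest suffix one label longer than a public suffix."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host.lower()


def is_third_party(page_host, setter_host, policy):
    """Classify a cookie set by setter_host while the top-level page is page_host.

    policy "host": strict, any host other than the page's own is third-party.
    policy "site": hosts sharing a registrable domain count as first-party.
    """
    if policy == "host":
        return page_host.lower() != setter_host.lower()
    if policy == "site":
        return registrable_domain(page_host) != registrable_domain(setter_host)
    raise ValueError("unknown policy: %r" % policy)


def accept(jar, page_host, setter_host, name, value, policy, block_third_party=True):
    """Store the cookie in jar unless the policy classifies it as third-party."""
    if block_third_party and is_third_party(page_host, setter_host, policy):
        return False
    jar[(setter_host, name)] = value
    return True


def login_scenario(policy):
    """Constructed scenario: www.example.com logs the user in via login.example.com,
    which issues the session cookie; an unrelated tracker also tries to set one.
    Returns which of the two cookies ended up in the jar."""
    jar = {}
    tracker = accept(jar, "www.example.com", "ads.tracker.com", "uid", "42", policy)
    login = accept(jar, "www.example.com", "login.example.com", "session", "s3cr3t", policy)
    return {"tracker": tracker, "login": login}


if __name__ == "__main__":
    for policy in ("host", "site"):
        print(policy, login_scenario(policy))
```

Under the strict host policy the login cookie is dropped along with the tracker's, which is the login failure the paragraph describes; the site policy keeps the login cookie and still blocks the tracker.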

The same sort of problem often arises with accepting or denying third-party JavaScript and other third-party functionality, even if XSS vulnerabilities make you want to run screaming from third-party scripts.

Fine-Grained Control

Some browsers provide extremely fine-grained control of cookie management for those who want it, but the more fine-grained it is the less you can automate it in most cases. Firefox is an excellent example of this, where you can get per-cookie micromanagement, but the only rules you can define for which cookies Firefox should accept or deny in the future are per-domain rules, thus leaving a lot of the work in the user's hands.

The Bottom Line

Of course, some Web browsers offer extension systems, and some of the extensions available for your browser may provide additional cookie management capabilities. Meanwhile, some browsers offer fewer cookie management options than others. This is the case with Google Chrome, which so far doesn't offer the fine-grained cookie management you can get from Mozilla Firefox -- one of the very few advantages Firefox has over Chrome, if you overlook the sheer number of extensions available for Firefox versus Chrome's extension system (which is currently only available in a developer preview of the browser).

Still more options may be available, depending on which browser you use. Which options you'll select will depend on how much practical paranoia you employ.

Of course, none of this helps at all with Flash cookies.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

5 comments
radar_z

I use Firefox and allow cookies, but when I try to log onto Tech Republic I get a message that says my browser does not accept cookies. Thus I have to use IE 8 in order to log onto Tech Republic. Any ideas as to why Firefox makes Tech Republic think it does not allow cookies? Thanks.

bboyd

If I find need they go on a very short white list. Google is not on that list. Not practical, it's practiced. Now if I could get sites to stop using Flash I might save my butt from LSO's since that deny all doesn't work as advertised. Reduced to white listing via No-script and destroying the remains on CCleaner. Individual rights can only be protected by that individual.

apotheon

Which cookie management strategy do you use?

apotheon

There's a Flashblock plugin for Firefox. Give it a try.

JCitizen

Sorry it took so long for me to arrive at this discussion!! "The economy" has me hopping! MBAM does block some of them, but I use FireFox a lot, and would have preferred splattering them before their self-spawning scraggly dim-wits get on the computer in the first place!