This site, which currently is just the one page, is still being worked on. The content needs to be completed and then refined a bit, and then I can look at tarting it up a little. Please bear with me.
This page has been written to provide information about cookies and cookie usage for a number of websites that I have created and maintain for myself. Specifically it applies to sites on these domains:
The information is based on personal knowledge and research, and on the results of cookie audits on the sites concerned and also a number of others that I have created and maintain for other companies and organisations (these sites previously referenced this page). I have aggregated the information taken from or required for all the sites in order to be able to provide one consistent resource that I feel I can maintain to a higher standard.
Oh and no cookies are used or set by this site (though if you have read other sites hosted on the anidea.co.uk domain you may have received first party cookies and your browser will probably have sent them to this page). There isn't any logging or anything beyond the bog standard web server logs which will just contain anonymous data and I'm not sharing that with anyone else.
Opinions vary as to how much internet users actually know about cookies, but it is always handy to provide a bit of background information. If you want more information the Wikipedia article really isn't bad at all, and there is also a site called All About Cookies that gets referenced a lot that also covers how you can manage them. Another site, which seems to be the preferred one to refer to for UK sites, is AboutCookies.org.
A cookie is simply a small piece of data that consists of a name / value pair, plus some metadata which sets attributes for the cookie, and is completely harmless in itself. It is how it is used that can sometimes be of concern.
It is important to emphasise that your browser has full control of the cookie handling process. Although we commonly talk about web sites setting cookies, they are actually only making requests that they be set; it is your browser that is actually setting them. Unless you have a particularly stripped down browser on a mobile device, you generally have quite a lot of control over which cookies it should accept.
The most important attributes to know about are the 'Domain', 'Path', 'Expires' and 'Max-Age'.
In considering the Domain and Path I'll use the example URL http://cookies.anidea.co.uk/myfolder/test.html (that page doesn't exist, by the way).
If I set a cookie on the example page the default value of the Domain would be cookies.anidea.co.uk and the Path would be /myfolder. A correctly behaving internet browser will send that cookie with requests for any web page where the hostname part of the URL ends with the Domain and the path part begins with the Path. So, for example, the cookie could be sent with a request for http://anything.cookies.anidea.co.uk/myfolder/test.html but not for http://test.anidea.co.uk/myfolder/test.html, and similarly it could be sent to http://cookies.anidea.co.uk/myfolder/anotherfolder/ but not for
OK so that is good, but not necessarily as useful as it might be as some sites refer to their sites by different sub-domains and in particular it is very common for the same site to be accessible as either http://www.<domain>/ or simply http://<domain>/ (I tend to force one or the other where I can, and prefer the form without the leading www). It is very common to see the Domain set to e.g. anidea.co.uk or .anidea.co.uk (they do the same thing but the latter is often seen because a now deprecated standard required the leading dot and there is no point in removing back compatibility with old browsers unnecessarily). Similarly it is common to see the Path set to / so the cookie will be sent with every page request to the site.
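The matching rule described above, written out as an added example (not code from the original page). It follows the RFC 6265 rules, which go slightly beyond the text: the hostname must match on a whole-label boundary and the path on a "/" boundary, and a cookie stored without a Domain attribute (`hostOnly` below) goes back only to the exact host. The function names and `exampleCookie` are constructed for illustration.

```javascript
// Default Path when no Path attribute is given: the request path up to,
// but not including, its last "/".
function defaultPath(requestPath) {
  const lastSlash = requestPath.lastIndexOf("/");
  return lastSlash <= 0 ? "/" : requestPath.slice(0, lastSlash);
}

// A leading dot in the Domain attribute is ignored, so "anidea.co.uk"
// and ".anidea.co.uk" give the same scope.
function normaliseDomain(domainAttr) {
  return domainAttr.replace(/^\./, "").toLowerCase();
}

// Match if the host equals the cookie domain or ends with "." + domain.
// A bare string suffix test would also accept "notcookies.anidea.co.uk".
function domainMatches(host, cookieDomain, hostOnly) {
  host = host.toLowerCase();
  if (host === cookieDomain) return true;
  if (hostOnly) return false; // stored without a Domain attribute
  return host.endsWith("." + cookieDomain);
}

// Match if the paths are equal, or the request path starts with the
// cookie path and the prefix ends on a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// cookie: { domain, path, hostOnly } as a browser would store it.
function wouldSend(cookie, url) {
  const u = new URL(url);
  return domainMatches(u.hostname, cookie.domain, cookie.hostOnly) &&
         pathMatches(u.pathname, cookie.path);
}

// Constructed cookie: set from the page's example URL with an explicit
// Domain=cookies.anidea.co.uk and no Path attribute.
const exampleCookie = {
  domain: normaliseDomain("cookies.anidea.co.uk"),
  path: defaultPath("/myfolder/test.html"), // "/myfolder"
  hostOnly: false,
};

console.log(wouldSend(exampleCookie,
  "http://anything.cookies.anidea.co.uk/myfolder/test.html")); // true
console.log(wouldSend(exampleCookie,
  "http://test.anidea.co.uk/myfolder/test.html")); // false
```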
Returning to the other attributes, Expires specifies a date and time when the browser should delete the cookie, and Max-Age is an alternative that allows the expiry time to be specified as a number of seconds from the time the cookie is set.
If the cookie doesn't have either of the above attributes it is known as a session cookie. In this context you are effectively defining what a 'session' means by how you use your browser. The session cookie will stay until you close your browser, at which point it should be deleted. Session cookies are potentially useful because the HTTP protocol is 'stateless'. What this means is that every request you make for a web page is completely separate and the web site can't know that any two or more page requests both come from you unless it maintains its own state somehow. Cookies are one way of achieving this.
Session cookies are all very well, but it is often useful to be able to store information after your browser closes. For example supposing you close your browser, realise you've forgotten something and immediately relaunch it and go back to the site you were viewing. Any session cookie you had will have been deleted so the web site would not realise you'd come back and would have to treat you as a new visitor. The alternative would be a persistent cookie, which is one where either the Expires or Max-Age attribute has been set to define a 'lifetime' for the cookie.
When I see a persistent cookie with a lifetime measured in hours I tend to think the purpose of the cookie will be similar to that of a session cookie, though that may be a hopeless generalisation. However it is also common to see persistent cookies with a lifetime of one or two years (and you do see them with lifetimes far longer than that) and they will typically have a different function. There they will tend to be more for recognising you as someone who has visited the site before. An obvious example of that would be in analyzing website usage where you might want to better answer questions like 'how many regular users do we have, and how many come to our site and don't come back?'.
It is important to remember that unless you have authenticated in some way with a site, these persistent cookies are only likely to be able to identify you in an anonymous way. In fact rather than any 'personally identifiable information' about you, about all they can identify is a particular browser being used on a particular user account on a particular machine, and they don't know who is using the browser at the time.
When you see a long lifetime on a cookie it is quite likely an indicator that the site would basically like to have a permanent cookie but there are no such things. As cookies can simply be refreshed every time a site is visited the lifetime simply has to be long enough for the cookie to persist between visits. A lifetime of a year might gain nothing over a lifetime of a month, but on the other hand it does no harm either and makes it more obvious what is going on.
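An added example (not code from the original page) of how a cookie audit can tell session cookies from persistent ones using only the Expires and Max-Age attributes described above. The header strings, including the `visitor` and `returning` cookie names, are constructed samples; when both attributes are present Max-Age takes precedence, per RFC 6265.

```javascript
// Split "name=value; Attr=val; Flag" into the pair and its attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error("not a name=value pair: " + pair);
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? "" : attr.slice(i + 1);
  }
  return cookie;
}

// Lifetime in seconds measured from `now` (a Date), or null when the
// cookie has no usable Expires or Max-Age, i.e. it is a session cookie.
function lifetimeSeconds(cookie, now) {
  const maxAge = cookie.attrs["max-age"];
  if (maxAge !== undefined && /^-?\d+$/.test(maxAge)) {
    return Math.max(0, parseInt(maxAge, 10)); // Max-Age wins over Expires
  }
  const expires = cookie.attrs["expires"];
  if (expires !== undefined) {
    const when = Date.parse(expires);
    if (!Number.isNaN(when)) {
      return Math.max(0, Math.round((when - now.getTime()) / 1000));
    }
  }
  return null;
}

// kind: "session" (gone when the browser closes), "persistent", or
// "expired" (a zero or past lifetime asks the browser to delete it now).
function classify(header, now) {
  const cookie = parseSetCookie(header);
  const seconds = lifetimeSeconds(cookie, now);
  const kind = seconds === null ? "session" : seconds === 0 ? "expired" : "persistent";
  return { name: cookie.name, kind, seconds };
}

// Constructed sample headers, audited against a fixed clock.
const auditClock = new Date("2012-01-01T00:00:00Z");
const sampleHeaders = [
  "PHPSESSID=0123456789abcdef0123456789abcdef; Path=/",
  "visitor=abc; Max-Age=1800; Path=/",
  "returning=1; Expires=Tue, 01 Jan 2013 00:00:00 GMT; Domain=.anidea.co.uk; Path=/",
];
for (const h of sampleHeaders) console.log(classify(h, auditClock));
```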
When talking about cookies the term 'first party' usually means the web page you are viewing, the 'second party' is you the visitor, and a 'third party' is any other site serving content to the page (e.g. advertising or analytics). A 'first party cookie' is one that is directly set by the web site you are using or is set by code in the web page, even if that code is actually downloaded from another site. An example of the latter is Google Analytics. The web site will set a few variables and then read a script from Google, but that script is executed as content of the page and so the cookies that are set are first party cookies. When the web page is including third party content the browser is basically interacting with a different website and any cookies that are set will be 'third party cookies'.
Persistent third-party cookies potentially allow visitors to be tracked anywhere they go on the internet where the third party content appears. This can actually be incredibly useful but it could potentially be abused and this is where much of the bad press about cookies comes from.
If a web page is written using the PHP language a first party session cookie named PHPSESSID may be set automatically and it will be common for it to be set before you have any chance to accept or reject it. PHP is very widely used and so you are going to see this cookie an awful lot.
The cookie simply contains a unique identifier (32 hexadecimal digits) that can be used for session management within PHP, for example by the Facebook API.
If a site is using Facebook 'social plugins' such as the 'Like button' or 'Like box', or is using Facebook authentication to provide a 'login' to the site then you may encounter third party cookies with the domain set to .facebook.com. Facebook describe their cookie use in general terms in their help pages. Some information on specific cookies can also be found around the net.
Facebook seems to do different things according to whether or not you are a Facebook user, whether you are logged in, whether you have been logged in and have logged out, and so on, and that makes it hard to tell exactly what is set and when so the best I can do is present a list of the Facebook cookies I have seen in the cookie audits on the websites this cookie page applies to. I wouldn't be in the least bit surprised if you encounter some different ones.
| Cookie | Lifetime | Purpose |
|---|---|---|
| act | session | This contains a timestamp and a sequence number and is apparently used for measuring and optimising the speed of the Facebook site. |
| c_user | session or 30 days | This cookie contains your Facebook userid. If you have chosen to keep logged in to Facebook it has a thirty day lifetime, otherwise it is a session cookie. |
| datr | two years | Identifies a particular browser independently of any logged in user and is used to help maintain site security and integrity, for example by detecting attempts to create multiple accounts. |
| locale | one week | If you are a Facebook user this contains your language and country setting e.g. 'en_GB'. I have seen a suggestion that it is only set when you have logged out. I haven't confirmed if this is the case but it certainly isn't going to do any harm if it is set when you are logged in too. |
| lsd | session | I've seen two suggestions as to what this is. One has it as a 'nonce' (often said to be derived from 'number used once') used in the Facebook authentication process. Another has it only set on logout and being used in preventing unauthorised access to your account by misuse of certain credentials. |
| lu | two years | This cookie influences the way the Facebook login screen is presented. It helps detect whether you are using a 'public' computer or it's basically just you using your browser. If it is thought to be a public computer you will be discouraged from using the 'keep me logged in' option. If it seems to be just you then the login screen will be pre-filled with your Facebook e-mail address. However this will only happen if you've been logged out automatically from Facebook (e.g. you closed your browser and hadn't selected the 'keep me logged in' option). It will not happen if you explicitly logged out from Facebook. |
| p | session | This is your 'channel partition'. I don't know what one of those is but it is used for things like chat and notifications. |
| reg_fb_gate | session | My understanding is that these cookies record the first and last pages you visited on facebook.com in a session and only appear if you aren't logged in or don't have an account. They are used by Facebook in the assessment of the effectiveness of their registration process. |
| xs | session or 30 days | I don't know what this cookie does, but if you use the 'keep me logged in' option it has a 30 day lifetime, otherwise it is a session cookie. |
| _e_* | seven days | Cookies with names beginning with _e_ (followed by four random characters, an underscore, and a digit) are known as EagleEye cookies and are used by Facebook to monitor site responsiveness. |
The bottom line with Facebook has to be that if you aren't a Facebook user you aren't going to be troubled with cookies when viewing things like Social Plugins, but if you are a Facebook user you are going to encounter quite a few. However they are no different to the ones you will encounter all the time when you are on facebook.com.
I have installed Google Adsense advertising on a number of the sites I have created, though as Google have disabled my account for unknown reasons I've had to remove it again until I can make alternative arrangements. Anyway Google Adsense will be visible as banner ads or as text based ads, but either way it will be pretty obvious what it is. The inclusion of the ad causes two cookies to be set with the domain attribute set to .doubleclick.net (Google own Doubleclick and use their technology to power Adsense).
Google clearly state that they use Doubleclick DART cookies for interest based advertising, meaning that they attempt to build a profile of a user's interests based on the nature of the sites visited and target ads accordingly. I don't have any issues with that myself but if you don't like the sound of that they do offer an opt-out.
Google Adsense also includes 'social advertising'. My understanding of this is that it means if you '+1' an ad you've received through Google, the same advert is more likely to be shown to people in your 'circles'. If you are a Google+ user you will have a setting to enable or disable this behaviour (it covers more than just the ads though).
| Cookie | Lifetime | Purpose |
|---|---|---|
| id | two years | This is the DoubleClick DART cookie. It holds a unique identifier for your browser which can be used to do things like make sure you see a variety of ads, see series of ads in sequence, and let Google better report back to their advertisers on the reach of an ad campaign. It will also be used to store your preferences for interest based advertising as described above. |
| _drt_ | 12 hours or one day | This is the Google Social Cookie and is used in social advertising. If you are not logged in to Google it has a 12 hour lifetime and the value is NO_DATA. If you are logged in to Google it has a 24 hour lifetime and will contain either an encryption of your Google account id or OPT_OUT. |
| test_cookie | 15 minutes | You may occasionally encounter this cookie. It is for checking if you accept cookies when you first visit a site using DoubleClick technology and you'll typically encounter it if you have deleted the existing cookies or are using a new computer or new browser. |
I install Google Analytics on most sites I create and maintain, as do an awful lot of other sites (a figure of well over 12 million was quoted in 2011). It helps with understanding how websites are used as the bog standard web server logs can't reliably provide useful information about unique visitors and sessions. Google Analytics can give a better feel for how many people look at a website, for how long, and how often. Google Analytics generally sets four first party cookies on sites that use it (there can sometimes be more, but not on the websites that refer to this page).
| Cookie | Lifetime | Purpose |
|---|---|---|
| __utma | two years | This cookie is for identifying a visitor to the site (which means a particular browser being used by a particular user account on a particular computer, and not an individual). |
| __utmb | 30 minutes | These two cookies work together to allow Google Analytics to identify sessions on the website (sessions == visits in this instance). A new session is considered to have started if there haven't been any page accesses for thirty minutes (detected by the __utmb cookie having expired) or if the browser has been closed and reopened (detected by the __utmc cookie having been deleted). |
| __utmz | six months | This cookie provides information on how the page was reached (search engine, ad, direct link etc). The six month lifetime of the cookie is to do with wanting to be able to track the success of ad campaigns, or something like that, and it is actually a default that can be varied. |
Google Analytics is also used by ShareThis when the buttons are actively used. The cookies have the same names but appear as third party cookies with the domain attribute set to
If you really don't want Google Analytics to track your visits to a site then you may be interested in an add-on Google have created for many popular browsers which basically opts you out of the tracking.
The presence of Google Custom Search and/or Google Maps on a site may result in a number of cookies being set that have the domain attribute .google.com. The cookies don't seem to be set when viewing maps created with version 3 of the Google Maps API but were definitely present with version 2.
There will quite possibly be a few more that I haven't encountered which will turn up if you actually perform a search or interact with Google Maps.
| Cookie | Lifetime | Purpose |
|---|---|---|
| NID | six months | Stores preferences. |
| PREF | two years | This cookie is apparently designed to provide you with protection from certain malicious software on the net, as well as maintaining your language preferences. |
If the Met Office widget is used on a website there are some third party cookies set. Two come from the .metoffice.gov.uk domain and one is from statse.webtrendslive.com. It would seem that the Met Office are using WebTrends Live for analytics purposes.
| Cookie | Purpose |
|---|---|
| __gads | I don't know what this cookie does. DoubleClick For Publishers uses a cookie by this name but there isn't any obvious advertising in the widget itself. |
| WT_FPC | WT stands for 'WebTrends' and FPC means 'first party cookie'. This cookie is set by WebTrends running at the Met Office so presumably they use it for web analytics purposes. |
| ACOOKIE | This is the cookie set by the |
A number of third party cookies are set when a website uses Amazon affiliate links. I'm still working on identifying these.