This site, which currently is just the one page, is still being worked on. The content needs to be completed and then refined a bit, and then I can look at tarting it up a little. Please bear with me.
This page has been written to provide information about cookies and cookie usage for a number of websites that I have created and maintain for myself. Specifically it applies to sites on these domains:
The information is based on personal knowledge and research, and on the results of cookie audits on the sites concerned and also on a number of others that I have created and maintain for other companies and organisations (those sites previously referenced this page). I have aggregated the information taken from, or required for, all the sites in order to be able to provide one consistent resource that I feel I can maintain to a higher standard.
Oh, and no cookies are used or set by this site (though if you have read other sites hosted on the anidea.co.uk domain you may have received first party cookies from them, and your browser will probably have sent them to this page). There isn't any logging or anything beyond the bog standard web server logs, which will just contain anonymous data, and I'm not sharing that with anyone else.
Opinions vary as to how much internet users actually know about cookies, but it is always handy to provide a bit of background information. If you want more information the Wikipedia article really isn't bad at all, and there is also a site called All About Cookies which is referenced a lot and also covers how you can manage them. Another site, which seems to be the preferred one to refer to for UK sites, is AboutCookies.org.
A cookie is simply a small piece of data that consists of a name / value pair, plus some metadata which sets attributes for the cookie, and it is completely harmless in itself. It is how it is used that can sometimes be of concern.
When you visit a web page cookies may be sent to your browser along with the data for the page, or they may be set by your browser itself when it runs code found on the page (for example that code might be JavaScript). The browser will typically store the cookies as individual files on your computer, but it can store them how it likes. The attributes of the cookie tell your browser when to send it with a request for a web page and when to automatically delete the cookie. When the cookie is sent to a server with a request for a web page it is only the name / value pair that is sent, not the attributes.
It is important to emphasise that your browser has full control of the cookie handling process. Although we commonly talk about web sites setting cookies, they are actually only requesting that cookies be set; it is your browser that actually sets them. Unless you have a particularly stripped down browser on a mobile device, you generally have quite a lot of control over which cookies it should accept.
The most important attributes to know about are the 'Domain', 'Path', 'Expires' and 'Max-Age'.
In considering the Domain and Path I'll use the example URL http://cookies.anidea.co.uk/myfolder/test.html (that page doesn't exist, by the way).
If I set a cookie on the example page the default value of the Domain would be cookies.anidea.co.uk and the Path would be /myfolder. A correctly behaving internet browser will send that cookie with requests for any web page where the hostname part of the URL ends with the Domain and the path part begins with the Path. So, for example, the cookie could be sent with a request for http://anything.cookies.anidea.co.uk/myfolder/test.html but not for http://test.anidea.co.uk/myfolder/test.html, and similarly it could be sent to http://cookies.anidea.co.uk/myfolder/anotherfolder/ but not to http://cookies.anidea.co.uk/.
OK so that is good, but not necessarily as useful as it might be, as some sites are reached via different sub-domains; in particular it is very common for the same site to be accessible as either http://www.<domain>/ or simply http://<domain>/ (I tend to force one or the other where I can, and prefer the form without the leading www). It is very common to see the Domain set to e.g. anidea.co.uk or .anidea.co.uk (they do the same thing, but the latter is often seen because a now deprecated standard required the leading dot and there is no point in removing backward compatibility with old browsers unnecessarily). Similarly it is common to see the Path set to / so that the cookie will be sent with every page request to the site.
Returning to the other attributes, Expires specifies a date and time when the browser should delete the cookie, and Max-Age is an alternative that allows the expiry time to be specified as a number of seconds from the time the cookie is set.
If a cookie doesn't have either of the above attributes it is known as a session cookie. In this context you are effectively defining what a 'session' means by how you use your browser. The session cookie will stay until you close your browser, at which point it should be deleted. Session cookies are potentially useful because the HTTP protocol is 'stateless'. What this means is that every request you make for a web page is completely separate, and the web site can't know that any two or more page requests both come from you unless it maintains its own state somehow. Cookies are one way of achieving this.
Session cookies are all very well, but it is often useful to be able to store information after your browser closes. For example, suppose you close your browser, realise you've forgotten something, and immediately relaunch it and go back to the site you were viewing. Any session cookie you had will have been deleted, so the web site would not realise you'd come back and would have to treat you as a new visitor. The alternative is a persistent cookie, which is one where either the Expires or Max-Age attribute has been set to define a 'lifetime' for the cookie.
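To make the Domain, Path, Expires and Max-Age rules above concrete, here is a small added example (not part of the original page) that parses a Set-Cookie header the way a browser does and decides whether the cookie would be sent with a later request. It uses the page's hypothetical http://cookies.anidea.co.uk/myfolder/test.html URL; the header values are constructed. Two points it makes explicit that the text glosses over: a browser following RFC 6265 treats a cookie set without any Domain attribute as "host-only" (sent back to cookies.anidea.co.uk alone, not to sub-domains), so the example sets Domain explicitly to get the sub-domain behaviour described; and both the domain and the path comparison are done on whole-label boundaries, so a cookie for anidea.co.uk is never sent to evilanidea.co.uk and a cookie for /myfolder is never sent to /myfolderx.

```python
"""Added illustration: parse a Set-Cookie header and decide when a browser would
send the cookie back. Domain/path matching follows RFC 6265; the example URLs are
the page's own hypothetical ones and the header values are constructed."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# The example page from the text (it does not exist) and a fixed "now" for stable results.
EXAMPLE_PAGE = "http://cookies.anidea.co.uk/myfolder/test.html"
EXAMPLE_HEADER = "visited=1; Domain=cookies.anidea.co.uk; Max-Age=3600"  # constructed
NOW = datetime(2012, 5, 26, 12, 0, tzinfo=timezone.utc)


def default_path(request_path):
    """RFC 6265 default-path: the request path up to, but not including, its right-most '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


def parse_set_cookie(header, page_url, now=NOW):
    """Turn one Set-Cookie header into a cookie record with its effective attributes."""
    name_value, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = name_value.partition("=")
    page = urlsplit(page_url)
    cookie = {
        "name": name, "value": value,
        "domain": page.hostname,        # no Domain attribute: scoped to the exact host
        "host_only": True,
        "path": default_path(page.path),
        "expires": None,                # None means a session cookie
    }
    seen_max_age = False
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "domain" and val:
            # A leading dot is ignored, so 'anidea.co.uk' and '.anidea.co.uk' behave alike.
            cookie["domain"] = val.lower().lstrip(".")
            cookie["host_only"] = False
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "max-age":
            # Max-Age takes precedence over Expires when both are present.
            cookie["expires"] = now + timedelta(seconds=int(val))
            seen_max_age = True
        elif key == "expires" and not seen_max_age:
            cookie["expires"] = parsedate_to_datetime(val)
    return cookie


def is_session_cookie(cookie):
    return cookie["expires"] is None


def domain_match(host, cookie_domain):
    """Exact host, or host ends with '.' + domain: 'evilanidea.co.uk' must not match 'anidea.co.uk'."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_match(request_path, cookie_path):
    """The cookie path must be a whole-segment prefix of the request path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def would_send(cookie, url, now=NOW):
    """Would a conforming browser attach this cookie to a request for url at time now?"""
    target = urlsplit(url)
    host = target.hostname or ""
    if cookie["expires"] is not None and now >= cookie["expires"]:
        return False  # an expired cookie is deleted, not sent
    if cookie["host_only"]:
        if host != cookie["domain"]:
            return False
    elif not domain_match(host, cookie["domain"]):
        return False
    return path_match(target.path or "/", cookie["path"])


def audit(header=EXAMPLE_HEADER, page_url=EXAMPLE_PAGE):
    """Check the text's four example URLs against a cookie set by the example page."""
    cookie = parse_set_cookie(header, page_url)
    urls = [
        "http://anything.cookies.anidea.co.uk/myfolder/test.html",
        "http://test.anidea.co.uk/myfolder/test.html",
        "http://cookies.anidea.co.uk/myfolder/anotherfolder/",
        "http://cookies.anidea.co.uk/",
    ]
    return {url: would_send(cookie, url) for url in urls}


if __name__ == "__main__":
    for url, sent in audit().items():
        print("sent" if sent else "not sent", url)
```

Running the block prints the four example URLs with "sent" or "not sent" against them; the first and third are sent, the other two are not, exactly as the text says. Dropping the Domain attribute from EXAMPLE_HEADER turns the cookie into a host-only one and the anything.cookies.anidea.co.uk request stops receiving it.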
When I see a persistent cookie with a lifetime measured in hours I tend to think the purpose of the cookie will be similar to that of a session cookie, though that may be a hopeless generalisation. However it is also common to see persistent cookies with a lifetime of one or two years (and you do see them with lifetimes far longer than that) and they will typically have a different function. There they will tend to be more for recognising you as someone who has visited the site before. An obvious example of that would be in analysing website usage, where you might want to better answer questions like 'how many regular users do we have, and how many come to our site and don't come back?'.
It is important to remember that unless you have authenticated in some way with a site, these persistent cookies are only likely to be able to identify you in an anonymous way. In fact rather than any 'personally identifiable information' about you, about all they can identify is a particular browser being used on a particular user account on a particular machine, and they don't know who is using the browser at the time.
When you see a long lifetime on a cookie it is quite likely an indicator that the site would basically like to have a permanent cookie, but there is no such thing. As cookies can simply be refreshed every time a site is visited, the lifetime only has to be long enough for the cookie to persist between visits. A lifetime of a year might gain nothing over a lifetime of a month, but on the other hand it does no harm either and makes it more obvious what is going on.
When talking about cookies the term 'first party' usually means the web page you are viewing, the 'second party' is you the visitor, and a 'third party' is any other site serving content to the page (e.g. advertising or analytics). A 'first party cookie' is one that is directly set by the web site you are using or is set by code in the web page, even if that code is actually downloaded from another site. An example of the latter is Google Analytics. The web site will set a few variables and then read a script from Google, but that script is executed as content of the page and so the cookies that are set are first party cookies. When the web page is including third party content the browser is basically interacting with a different website and any cookies that are set will be 'third party cookies'.
Persistent third-party cookies potentially allow visitors to be tracked anywhere they go on the internet where the third party content appears. This can actually be incredibly useful, but it could potentially be abused, and this is where much of the bad press about cookies comes from.
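The first-party / third-party distinction, and why the persistent third-party case lets visits to unrelated sites be linked, is easier to see with a toy browser cookie jar. The following is an added example, not code from the original page; all hostnames (site-a.example, site-b.example, tracker.example) are constructed. Two first-party sites each set their own session cookie and both embed content from the same third-party host, which sets a persistent identifier. The jar also has a switch that refuses third-party cookies, which is the kind of browser control mentioned earlier on this page, and the example shows that with it on the two visits can no longer be tied together.

```python
"""Added illustration: a toy cookie jar showing first- vs third-party cookies and
how one persistent third-party cookie links visits across unrelated sites.
All hostnames are constructed; nothing here talks to a network."""
import itertools


def domain_matches(host, cookie_domain):
    """Does a cookie scoped to cookie_domain belong to host? Exact or dotted-suffix match."""
    cookie_domain = cookie_domain.lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def party_of(cookie_domain, page_host):
    """'first' if the cookie belongs to the site being viewed, otherwise 'third'."""
    return "first" if domain_matches(page_host, cookie_domain) else "third"


class Jar:
    """A browser's cookie store; optionally refuses third-party cookies outright."""

    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.cookies = {}  # (domain, name) -> value

    def store(self, page_host, cookie_domain, name, value):
        """Accept a Set-Cookie from a response fetched while viewing page_host."""
        if self.block_third_party and party_of(cookie_domain, page_host) == "third":
            return False  # browser policy: the request to set it is ignored
        self.cookies[(cookie_domain.lstrip("."), name)] = value
        return True

    def for_host(self, host):
        """Cookies the browser would attach to a request for host."""
        return {n: v for (d, n), v in self.cookies.items() if domain_matches(host, d)}


class Tracker:
    """Third-party content host (think ad or analytics server) with a persistent id cookie."""
    HOST = "tracker.example"  # constructed

    def __init__(self):
        self._ids = itertools.count(1)
        self.seen = {}  # identifier -> list of pages it was observed on

    def serve(self, jar, page_host, page_path):
        """Serve the embedded content: reuse the id the browser sent, or mint a new one."""
        sent = jar.for_host(self.HOST)
        uid = sent.get("id") or f"uid-{next(self._ids)}"
        jar.store(page_host, "." + self.HOST, "id", uid)  # refreshed on every visit
        self.seen.setdefault(uid, []).append(page_host + page_path)
        return uid


def browse(block_third_party=False):
    """Visit two unrelated first-party sites that both embed the tracker.

    Returns the tracker's view (which pages each identifier was seen on) and the jar."""
    jar, tracker = Jar(block_third_party), Tracker()
    pages = [("site-a.example", "/news"), ("site-b.example", "/shop")]  # constructed
    for host, path in pages:
        jar.store(host, host, "PHPSESSID", "sess-" + host)  # first-party session cookie
        tracker.serve(jar, host, path)
    return tracker.seen, jar


if __name__ == "__main__":
    seen, _ = browse()
    print("third-party cookies allowed:", seen)   # one id, both pages
    seen, _ = browse(block_third_party=True)
    print("third-party cookies blocked:", seen)   # two ids, one page each
```

With third-party cookies allowed the tracker ends up with a single identifier against both site-a.example/news and site-b.example/shop, while each site's own PHPSESSID is only ever sent back to that site. With them blocked the tracker mints a fresh identifier on every visit and cannot join them up.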
You may have heard mention of the 'EU Cookie Directive' or 'Cookie Law'. These are informal names for an EU Directive dating from 2009 which was enacted in the UK as 'The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011'. It took effect on 26th May 2011.
It is the Information Commissioner's Office (ICO) which is responsible for the enforcement of the directive in the UK, and they announced that there would be a grace period of one year during which time they would not be taking any enforcement action. So in effect the start date has become 26th May 2012.
The directive basically requires that a web site informs you about any cookies that are in use and obtains your consent before setting or using any that are not considered 'essential' to the functioning of the site. If you browse the net you will encounter plenty of conflicting advice about when consent is required and what form it takes, and the actual legislation is pretty vague. It is basically up to each EU member state to decide how to implement the directive. A few member states have gone down the 'opt-in' path, which means that you have to give a web site express permission to set cookies, whereas fortunately the UK has gone with 'opt-out', which basically says you have to say which ones you don't want. It may seem a subtle difference, but 'opt-in' pretty much requires that a user be prevented from entering a site without expressing explicit consent for cookies to be used, whereas 'opt-out' allows for a more relaxed interpretation involving 'implied consent'.
The ICO seem to be taking a very common sense and practical approach to the directive which recognises that many technical breaches are going to be very trivial or incredibly common and that enforcement action in those cases really isn't going to gain anyone anything. Basically each case has to be considered individually. The ICO guidelines suggest that implied consent may be an acceptable option.
Consent is something of a grey area. There is no doubt that the bombproof way for a website to gain your explicit consent for cookie usage is to redirect you to a web page that clearly requests it before you are allowed to enter the main site (using a pop up window is an alternative, as long as it is remembered that some users will be browsing with scripting disabled or have software in place to prevent many pop up windows opening). If you do not give consent to the cookie usage you simply do not get to see the site. If you consent to some of it you may be allowed to opt out of the rest, but not every web site will be able to offer opt-outs so it could be all or nothing. As long as it has been made clear to you what you are consenting to, this approach is going to be compliant with the directive. However the disadvantage is that it may put you off visiting a site. It is one thing having it on the site of a household name company or organisation that gets thousands of visitors a day, but it is another thing having it on a small site that you've never come across before.
There is nothing in the directive that says consent has to be explicit. If a website makes it clear to you that cookies are in use and makes enough information available to you to make an informed decision, then by continuing to use the website you can be considered to have given your implied consent to the cookie usage. This rather overlooks the possibility, even probability, that a few cookies have already been set when you first view the page but if implied consent is considered acceptable then this sort of thing is unlikely to be an issue either.
The important thing about implied consent is that you are told about the cookie use. The ICO have stated that if the only cookie usage is for something like anonymous web analytics then a simple notice at the bottom of each page warning you about it might be sufficient. However more generally they are going to want to see a little more effort, such as highlighted text that stands out from the rest of the page, banners on the home page, or perhaps a banner at the top of the page that keeps appearing until you acknowledge it. Basically the more potentially 'naughty' the cookies on your site are, the more effort you will be expected to have put in.
The slight irony about any approach that requires you to make an explicit response to confirm your consent, or confirm you have read something, is that the site may require you to accept a cookie to record it.
If a web page is written using the PHP language a first party session cookie named PHPSESSID may be set automatically and it will be common for it to be set before you have any chance to accept or reject it. PHP is very widely used and so you are going to see this cookie an awful lot.
The cookie simply contains a unique identifier (32 hexadecimal digits) that can be used for session management within PHP, for example by the Facebook API.
If a site is using Facebook 'social plugins' such as the 'Like button' or 'Like box', or is using Facebook authentication to provide a 'login' to the site then you may encounter third party cookies with the domain set to .facebook.com. Facebook describe their cookie use in general terms in their help pages. Some information on specific cookies can also be found around the net.
A cookie audit suggests that no cookies are being set by the social plugins if you are not a Facebook user. If you have used Facebook on your current browser (and haven't deleted your cookies since) three persistent cookies will already have been present and I believe these will be refreshed. If you are logged in to Facebook several session cookies may be set. If you attempt to log in to a site using Facebook authentication you will see many of the same cookies as you will with social plugins, and probably several more besides. Facebook also use cookies to test site responsiveness.
Facebook seems to do different things according to whether or not you are a Facebook user, whether you are logged in, whether you have been logged in and have logged out, and so on, and that makes it hard to tell exactly what is set and when. So the best I can do is present a list of the Facebook cookies I have seen in the cookie audits on the websites this cookie page applies to. I wouldn't be in the least bit surprised if you encounter some different ones.
| Cookie | Lifetime | Description |
|---|---|---|
| act | session | This contains a timestamp and a sequence number and is apparently used for measuring and optimising the speed of the Facebook site. |
| csm | session | |
| c_user | session or 30 days | This cookie contains your Facebook userid. If you have chosen to stay logged in to Facebook it has a thirty day lifetime, otherwise it is a session cookie. |
| datr | two years | Identifies a particular browser independently of any logged in user and is used to help maintain site security and integrity, for example by detecting attempts to create multiple accounts. |
| locale | one week | If you are a Facebook user this contains your language and country setting, e.g. 'en_GB'. I have seen a suggestion that it is only set when you have logged out. I haven't confirmed if this is the case, but it certainly isn't going to do any harm if it is set when you are logged in too. |
| lsd | session | I've seen two suggestions as to what this is. One has it as a 'nonce' (often said to be derived from 'number used once') used in the Facebook authentication process. Another has it only set on logout and being used in preventing unauthorised access to your account by misuse of certain credentials. |
| lu | two years | This cookie influences the way the Facebook login screen is presented. It helps detect whether you are using a 'public' computer or whether it's basically just you using your browser. If it is thought to be a public computer you will be discouraged from using the 'keep me logged in' option. If it seems to be just you then the login screen will be pre-filled with your Facebook e-mail address. However this will only happen if you've been logged out automatically from Facebook (e.g. you closed your browser and hadn't selected the 'keep me logged in' option). It will not happen if you explicitly logged out from Facebook. |
| p | session | This is your 'channel partition'. I don't know what one of those is, but it is used for things like chat and notifications. |
| presence | session | |
| reg_fb_gate | session | My understanding is that these two cookies record the first and last pages you visited on facebook.com in a session and only appear if you aren't logged in or don't have an account. They are used by Facebook in the assessment of the effectiveness of their registration process. |
| reg_fb_ref | session | See reg_fb_gate. |
| s | | |
| sub | | |
| xs | session or 30 days | I don't know what this cookie does, but if you use the 'keep me logged in' option it has a 30 day lifetime, otherwise it is a session cookie. |
| _e_* | seven days | Cookies with names beginning with _e_ (followed by four random characters, an underscore, and a digit) are known as EagleEye cookies and are used by Facebook to monitor site responsiveness. |
The bottom line with Facebook has to be that if you aren't a Facebook user you aren't going to be troubled with cookies when viewing things like Social Plugins, but if you are a Facebook user you are going to encounter quite a few. However they are no different to the ones you will encounter all the time when you are on facebook.com.
I have installed Google Adsense advertising on a number of the sites I have created, though as Google have disabled my account for unknown reasons I've had to remove it again until I can make alternative arrangements. Anyway, Google Adsense will be visible as banner ads or as text based ads, but either way it will be pretty obvious what it is. The inclusion of the ad causes two cookies to be set with the domain attribute set to .doubleclick.net (Google own Doubleclick and use their technology to power Adsense).
Google clearly state that they use Doubleclick DART cookies for interest based advertising, meaning that they attempt to build a profile of a user's interests based on the nature of the sites visited and target ads accordingly. I don't have any issues with that myself but if you don't like the sound of that they do offer an opt-out.
Google Adsense also includes 'social advertising'. My understanding of this is that it means if you '+1' an ad you've received through Google, the same advert is more likely to be shown to people in your 'circles'. If you are a Google+ user you will have a setting to enable or disable this behaviour (it covers more than just the ads though).
| Cookie | Lifetime | Description |
|---|---|---|
| id | two years | This is the DoubleClick DART cookie. It holds a unique identifier for your browser which can be used to do things like make sure you see a variety of ads, see a series of ads in sequence, and let Google better report back to their advertisers on the reach of an ad campaign. It will also be used to store your preferences for interest based advertising as described above. |
| _drt_ | 12 hours or one day | This is the Google Social Cookie and is used in social advertising. If you are not logged in to Google it has a 12 hour lifetime and the value is NO_DATA. If you are logged in to Google it has a 24 hour lifetime and will contain either an encryption of your Google account id or OPT_OUT. |
| test_cookie | 15 minutes | You may occasionally encounter this cookie. It is for checking if you accept cookies when you first visit a site using DoubleClick technology, and you'll typically encounter it if you have deleted the existing cookies or are using a new computer or new browser. |
I install Google Analytics on most sites I create and maintain, as do an awful lot of other sites (a figure of well over 12 million was quoted in 2011). It helps with understanding how websites are used as the bog standard web server logs can't reliably provide useful information about unique visitors and sessions. Google Analytics can give a better feel for how many people look at a website, for how long, and how often. Google Analytics generally sets four first party cookies on sites that use it (there can sometimes be more, but not on the websites that refer to this page).
| Cookie | Lifetime | Description |
|---|---|---|
| __utma | two years | This cookie is for identifying a visitor to the site (which means a particular browser being used by a particular user account on a particular computer, and not an individual). |
| __utmb | 30 minutes | These two cookies work together to allow Google Analytics to identify sessions on the website (sessions == visits in this instance). A new session is considered to have started if there haven't been any page accesses for thirty minutes (detected by the __utmb cookie having expired) or if the browser has been closed and reopened (detected by the __utmc cookie having been deleted). |
| __utmc | session | See __utmb. |
| __utmz | six months | This cookie provides information on how the page was reached (search engine, ad, direct link etc). The six month lifetime of the cookie is to do with wanting to be able to track the success of ad campaigns, or something like that, and it is actually a default that can be varied. |
Google Analytics is also used by ShareThis when the buttons are actively used. The cookies have the same names but appear as third party cookies with the domain attribute set to .edge.sharethis.com.
If you really don't want Google Analytics to track your visits to a site then you may be interested in an add-on Google have created for many popular browsers which basically opts you out of the tracking.
The presence of Google Custom Search and/or Google Maps on a site may result in a number of cookies being set that have the domain attribute .google.co.uk or .google.com. The cookies don't seem to be set when viewing maps created with version 3 of the Google Maps API but were definitely present with version 2.
There will quite possibly be a few more that I haven't encountered, which will turn up if you actually perform a search or interact with Google Maps.
| Cookie | Lifetime | Description |
|---|---|---|
| APISID | | |
| SID | | I believe these three (APISID, SID and HSID) are unique identifiers for use with Google services, with HSID not being available to JavaScript. |
| HSID | | |
| NID | six months | Stores preferences. |
| PREF | two years | This cookie is apparently designed to provide you with protection from certain malicious software on the net, as well as maintaining your language preferences. |
If the Met Office widget is used on a website there are some third party cookies set. Two come from the .metoffice.gov.uk domain and one is from statse.webtrendslive.com. It would seem that the Met Office are using WebTrends Live for analytics purposes.
| Cookie | Lifetime | Description |
|---|---|---|
| __gads | | I don't know what this cookie does. DoubleClick For Publishers uses a cookie by this name, but there isn't any obvious advertising in the widget itself. |
| WT_FPC | | WT stands for 'WebTrends' and FPC means 'first party cookie'. This cookie is set by WebTrends running at the Met Office, so presumably they use it for web analytics purposes. |
| ACOOKIE | | This is the cookie set by the statse.webtrendslive.com domain. |
A number of third party cookies are set when a website uses Amazon affiliate links. I'm still working on identifying these.