Questions tagged [cookie]

An HTTP cookie is a piece of data stored by the user's web browser. Unless otherwise specified, cookies can be created, read, modified and deleted both by JavaScript and by server-side scripts through the HTTP headers.

Cookie access control is based on domain, (optionally) path and (optionally) URL scheme (http: vs. https:). The rules governing cookies are not the same as the access control rules of the DOM in JavaScript, which are based on the same-domain policy, but because cookie access is mostly based on domain name, they are sometimes confused with the usual HTTP same-domain policy.

The behaviour of HTTP cookies in real-life browsers is not described in any RFC (thus quoting an RFC to describe cookies is almost always wrong). The various RFCs are of historical interest.

Browsers are recommended to allow at least 20 cookies per domain and 4KB per cookie. If you are looking for an alternative to cookies that isn't sent in HTTP headers and can store more data, consider localStorage.

190 questions
47 votes, 5 answers

Are cookie warnings still required under the EU cookie law?

Is it still required to provide a cookie warning offering users the ability to opt in/out of cookie tracking? I cannot find any official advice on what we are supposed to be doing. I'm not looking for answers along the lines of "to be on the safe…
Double Clicked
31 votes, 6 answers

Standard ratio of cookies to "visitors"?

As noted in a recent blog post, We see a large discrepancy between Google Analytics "visitors" and Quantcast "visitors". Also, for reasons we have never figured out, Google Analytics just gets larger numbers than Quantcast. Right now GA is showing…
Jeff Atwood
24 votes, 3 answers

How do I set up a cookie-less domain?

I've read that it's best to serve static content (css, javascript, etc.) from a cookie-less domain or subdomain for better performance. I assume a domain is not cookie-less by default. How do I specify that I don't want to use cookies?
BenV
18 votes, 3 answers

Disable __cfduid cookie from Cloudflare

Is there a Cloudflare setting that corresponds to the creation of the __cfduid session cookie? I'm currently trying out CF; mostly for the neat DNS management and the implicit CDN. But the basic WAF is possibly just as nice an addition atop Apaches…
mario
17 votes, 7 answers

Does the EU cookie law apply to an EU site that is hosted outside of the EU?

I have been reading up about this EU cookie law, and have also had in depth conversations with my girlfriend who is a solicitor/lawyer and with colleagues while building websites. While we are now working towards implementing a way to abide by the…
mickburkejnr
17 votes, 5 answers

Google Analytics and the EU cookie directive. Who will fall foul of the law? Google or the developer?

So Google uses cookies when performing its usual duties of tracking users on a website. That is just it though; Google are setting the cookies and not your website as such. This is by virtue of the fact that the JS is all hosted by Google and merely…
Treffynnon
15 votes, 1 answer

Has the EU sued any site(s) yet for not complying with their cookie "law"?

EUROPA websites must follow the Commission's guidelines on privacy and data protection and inform users that cookies are not being used to gather information unnecessarily. - source Many people find this EU cookie directive, when implemented, a…
dhaupin
14 votes, 1 answer

Do many users turn off cookies?

Just how generally prevalent is it that users have cookies disabled in their browsers? I want to set a cookie during a user's session so that all the pages know that the presence of a particular software program (required for certain functions on my…
Cyberherbalist
12 votes, 1 answer

Do iframes have access to the cookies of the hosting domain?

We want to build an ad-frame which will run on external sites (e.g. YYY.com). The external site will place an iframe to our site (ZZZ.com/ourAdContent.html) and we will show some ads in this frame. The question is, will our iframe have access to the…
Skurpi
12 votes, 2 answers

Are session cookies exempt from consent under GDPR?

Session cookies - cookies that last only for the duration of the current session - are arguably not a tracking tool under the spirit of the EU's data protection efforts. Under old EU cookie rules, they appeared to be exempt from the requirement to…
Pekka
11 votes, 4 answers

How can I tell Google Analytics to not use cookies for my sub domain?

I have my web site at example.com, and I have also set up a sub domain for serving static content at static.example.com. On my web pages I'm using Google Analytics, so it will attach its cookies to all page requests, even on static.example.com. I…
Magnus
10 votes, 2 answers

How many domains to split components across?

I understand how splitting components across domains can maximize parallel downloads, and enable you to have cookie-free static content domains, but since there's a time cost for each domain lookup what is the optimum number of domains to use?
theotherreceive
8 votes, 1 answer

What happens if I try to set a cookie on a bot?

I'm building my site to include some user-identifying cookies. When a visitor chimes in, I will set a cookie with a unique visitor id (a guid) and the date-time of the visit, and save a visit record (including his user-agent, referer (if any), and…
Cyberherbalist
8 votes, 2 answers

How to use cookies in a secure manner to authenticate users?

In most cases I like using cookies to remember returning users to my websites. In my early/foolish days, I would store a UserID (auto-increment integer) in a cookie and if the user returned I would use that cookie value to log them in…
jessegavin
8 votes, 1 answer

Does the SPDY protocol eliminate the need for cookieless domains?

With plain HTTP, cookieless domains are an optimization to avoid unnecessarily sending cookie headers for page resources. However, the SPDY protocol compresses HTTP headers and in some cases eliminates unnecessary headers. My question then is, does…
Clint Pachl