06.25.03

By Richard Igoe
Since the majority of web users now use IE6, you need to understand how Internet
Explorer deals with cookies.
Most sites now have (or should have) privacy policies stating what they
actually do with information collected from their visitors.
But with the introduction of Internet Explorer v6.0, Microsoft introduced default
browser settings, which are designed to check a Web site's P3P privacy policy
before allowing use of cookies by that site. It is therefore important that you
create a P3P privacy policy for your Web site if you are collecting any information
from your visitors or if using cookies is important to you.
P3P is an Internet protocol that has been designed to let users select general
privacy settings that will then be enforced by software.
Under IE5, users could group Web sites into trusted, restricted, and Internet
(unknown status), and set the refusal or acceptance of cookies based on these
zones.
IE6 has the same basic options, but the security level you select applies only
to the Internet Security Zone and there are more options. A user uses a sliding
scale to select from 4 different cookie settings, which range from "Accept All"
to "Reject All". Most IE6 users will rely on P3P because it's the default. With
IE6, P3P is supposed to evaluate a site by reading a special tag that includes
a summary of the site’s privacy policy.
IE6 looks for a file called p3p.xml which you can place in a directory in your
root folder called w3c like this /w3c/p3p.xml. This file specifies the
location of the p3p policy. For example if you click on - http://www.HTML-tutorial.org/w3c/p3p.xml
you will see it is referring to the location of the privacy policy for this site.
The code in the Web site's P3P policy decides which cookies to allow. The user's
browser compares the browser settings and matches this against the P3P in your
privacy policy.
If your P3P file does not specify what cookies you are using, then there is a
risk that the cookies set by your Web site may be ignored by the user’s browser if
the user is using the default settings, so it is important to create a P3P file
and place it on your Web site.
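The check described above, as an added example that is not part of the original article: it reads a policy reference file like /w3c/p3p.xml and reports which policy, if any, covers a given cookie or page. The element names come from the W3C P3P 1.0 specification rather than from this page, and the sample file, cookie values and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"p3p": "http://www.w3.org/2002/01/P3Pv1"}

# Constructed sample of a /w3c/p3p.xml policy reference file (not a real site's).
SAMPLE_REFERENCE = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY-REFERENCES>
  <POLICY-REF about="/w3c/policy.xml#shop">
   <INCLUDE>/*</INCLUDE>
   <EXCLUDE>/partners/*</EXCLUDE>
   <COOKIE-INCLUDE name="session" value="*" domain="*" path="/*"/>
  </POLICY-REF>
 </POLICY-REFERENCES>
</META>"""


def _wild(pattern, value):
    """'*' matches any run of characters; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None


def _cookie_hit(elem, cookie):
    # Assumption of this sketch: an omitted attribute behaves like "*".
    return all(_wild(elem.get(a, "*"), cookie[a])
               for a in ("name", "value", "domain", "path"))


def policy_for_cookie(xml_text, cookie):
    """Return the policy URI covering `cookie`, or None if no policy covers it."""
    # Parse only your own file here; use defusedxml for XML fetched from others.
    root = ET.fromstring(xml_text)
    for ref in root.iterfind(".//p3p:POLICY-REF", NS):
        inc = any(_cookie_hit(e, cookie) for e in ref.iterfind("p3p:COOKIE-INCLUDE", NS))
        exc = any(_cookie_hit(e, cookie) for e in ref.iterfind("p3p:COOKIE-EXCLUDE", NS))
        if inc and not exc:
            return ref.get("about")
    return None


def policy_for_path(xml_text, path):
    """Return the policy URI covering a page path, or None."""
    root = ET.fromstring(xml_text)
    for ref in root.iterfind(".//p3p:POLICY-REF", NS):
        inc = any(_wild((e.text or "").strip(), path) for e in ref.iterfind("p3p:INCLUDE", NS))
        exc = any(_wild((e.text or "").strip(), path) for e in ref.iterfind("p3p:EXCLUDE", NS))
        if inc and not exc:
            return ref.get("about")
    return None
```

A cookie for which `policy_for_cookie` returns None is one the reference file does not declare, which is the case the paragraph above says a default-configured browser may ignore.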
This is also important if you make money through an affiliate program. Most affiliate
programs use cookies to check who referred a visitor to their site. You need to ensure
that the affiliate program owner has a P3P policy for their site specifying which
cookies are being used. If not, then if you refer a visitor using IE6 to their
site, the cookie that is meant to recognize you as the affiliate may be blocked
by the visitor's browser, and you will not get the credit for the referral.
You can find out more about P3P and how to create a P3P policy at the W3C site
- http://www.w3.org/P3P/ including a tutorial
on creating a P3P policy in 6 easy steps.
To see an example of how IE6 deals with cookies, if you are using IE6, select
Tools > Internet Options and then the Privacy tab, and set your Privacy level
to "Block all cookies". Then browse to http://www.design-web-sites.com
and have a look in the browser on the bottom right next to the status bar. You
should see a red warning sign with an eye image behind it. If you double click
on that it will show you which cookies are being set by this Web site. If you
then change the Privacy settings in IE6 to Medium (or the default) and refresh
the page in your browser, the warning sign will disappear. That is because there
is a P3P policy defined for this site to allow these cookies.
Now click on http://www.affiliateguerrilla.com
with the Privacy settings still set to Medium. On this site, 3rd party cookies
are not defined in the P3P policy (at time of writing) so a warning sign will
appear. Double click on the warning sign and you will see the 3rd party cookies that
are present on this site.
Let's take a closer look at what cookies are and what they can do.
Cookies are actually small pieces of data used mainly by Web sites so they can
store information about that particular computer such as whether or not it has
visited the site before. They are storing information about the computer, not
the person. They are downloaded to a user's computer by the browser and are used
to recognize users when they return to a Web site.
The cookie is stored on the user's computer but is not a program and cannot therefore
do anything to it.
A domain can only set and read its own cookies, so the cookies set by one domain
cannot be read by another. A site can, however, specify the domain in setting
a cookie, then any Web sites that are sub-domains of the site can also read the
cookie. This is so that large Web sites that have their domains hosted on more
than one server can read their cookies with all their servers.
The only instance
when you would find private information stored in a cookie file would be if you
personally gave that information to a Web site in the first place and it decided
to put that information into your cookie file for some reason, but even then,
only that site would be able to read the cookie it had written.
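The domain rule described above, as an added example that is not part of the original article: it follows the domain-match rule as later standardised in RFC 6265 and shows how adding a Domain attribute widens a cookie from one host to every sub-domain. The host names and function names are constructed for illustration.

```python
import ipaddress


def _is_ip(host):
    """True for IPv4/IPv6 literals, which never match a parent 'domain'."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def domain_match(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: identical, or host ends with '.' + domain."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".")   # a leading dot is ignored
    if host == dom:
        return True
    return host.endswith("." + dom) and not _is_ip(host)


def accept_set_cookie(setting_host, domain_attr):
    """A host may only name itself or one of its parents in Domain.

    Real browsers also reject public suffixes such as 'com'; that check
    needs the Public Suffix List and is outside this sketch.
    """
    return not domain_attr or domain_match(setting_host, domain_attr)


def cookie_is_sent(cookie, request_host):
    """cookie: {'set_by': host that set it, 'domain': Domain attribute or None}."""
    if cookie.get("domain"):
        return domain_match(request_host, cookie["domain"])
    # No Domain attribute: host-only cookie, returned to the exact host only.
    return request_host.lower() == cookie["set_by"].lower()


# Constructed cookies: the same cookie with and without a Domain attribute.
HOST_ONLY = {"set_by": "www.example.test", "domain": None}
SITE_WIDE = {"set_by": "www.example.test", "domain": ".example.test"}
```

Leaving the Domain attribute off keeps a session cookie away from sibling hosts such as a less trusted sub-domain, which is usually the safer default.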
One of the reasons for the misconceptions about cookies is that some advertising
agencies advertise through placing banner-ads on hundreds of different Web sites.
The Web sites displaying the banner ads are given code, which includes single
pixel images (which are transparent) to put on their Web sites. This image allows
the agency to set and read its own cookies. These third-party cookies are set
so that the advertising agency can track the number of visits generated by a particular
banner-ad.
However, they could also use this information to build up rich profiles of the
visitors. Although they don't have any personal information about the visitor,
they can correlate the cookie ID with the type of sites that are being visited.
If then the advertising agency manages to get hold of the visitor's email address
it would be able to collect information about the user’s browsing habits and if
it could acquire a database with names and addresses there is a chance that it
could match the email address up to a name and physical address.
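An audit of the correlation described above, as an added example that is not part of the original article: given a log of which embedded resources each visited page loaded, it lists third-party hosts that received the same cookie on several unrelated sites. The log entries, host names and the two-label notion of a "site" are constructed assumptions; production code would use the Public Suffix List.

```python
from collections import defaultdict

# Constructed browsing log:
# (page the user visited, host of an embedded resource, Cookie header sent to it)
SAMPLE_REQUESTS = [
    ("news.example", "news.example", "sid=a1"),
    ("news.example", "ads.adagency.test", "uid=7f3c"),
    ("shop.example", "img.shop.example", "cart=9"),
    ("shop.example", "ads.adagency.test", "uid=7f3c"),
    ("blog.example", "ads.adagency.test", "uid=7f3c"),
    ("blog.example", "cdn.static.test", ""),
]


def site(host):
    """Crude registrable domain: the last two labels (assumption, see lead-in)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def cross_site_trackers(requests, min_sites=2):
    """Map third-party site -> {cookie: visited sites} for cookies seen on
    at least `min_sites` different first-party sites."""
    seen = defaultdict(lambda: defaultdict(set))
    for page_host, resource_host, cookie in requests:
        if not cookie:
            continue                      # no identifier travelled with the request
        if site(page_host) == site(resource_host):
            continue                      # first-party request, not cross-site
        seen[site(resource_host)][cookie].add(site(page_host))

    report = {}
    for third_party, cookies in seen.items():
        linked = {c: sorted(pages) for c, pages in cookies.items()
                  if len(pages) >= min_sites}
        if linked:
            report[third_party] = linked
    return report
```

On the sample log the report shows one cookie ID tying three separate sites together, which is the browsing profile the paragraph above describes.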
Almost all serious online marketers use cookies these days. To see just how many
sites set cookies on your computer try and find the directory your cookies are
stored in.
Although different systems store cookies in different locations, a common location
on Windows machines is: C:\Documents and Settings\Default User\Cookies
Our conclusion is that cookies are in fact very useful both for the Web marketer
and for your visitors. Most larger websites, and nearly all online shopping carts
rely on them. But if you own a website that sets cookies, you need to ensure you
post a P3P privacy policy so that your cookies are not blocked by IE6 users.
About the Author:
Richard Igoe is the author of "The Strategy of Web Design", a book on web design
for the business, covering topics such as how to create cookies, how to create
a database driven site, and how to format your site with CSS - http://www.design-web-sites.com
The author has been a web developer since 1998 and has worked in various web design
and consultancy roles.
Read This Newsletter at: http://www.devwebnews.com/2003/0625.html