The basic function of a cookie is to allow Web servers to store and retrieve information on the user’s machine. Although there are no major security considerations in using these cookies, there are privacy and usability issues which affect their deployment.
Use each checklist to ensure that your web pages comply with these guidelines.
4.7.1 Checklist and summary: Core guidance
Checklist
Summary
Cookies provide a way to track individual users’ usage of your website. The ability to identify a specific user opens the possibility of having your website deliver content customised to individual users’ interests and needs.
Using cookies to track individual users’ usage of your website raises concerns about their privacy. The user privacy implications of any proposed cookie regime should be investigated and understood before deployment.
4.7.2 Explanation
When a web server receives a request from a browser for an HTML page or other document, it may include a cookie along with the returned content.
A cookie is a token that the web browser stores on disk in the form of a small text file. Depending on the user’s browser preferences settings, a browser may automatically store cookies without notifying the user that they have arrived, may ask users whether to accept each individual cookie that arrives, or automatically reject all cookies.
Cookies are stored in a text file whose name and location depend upon the user’s operating system and browser. These can be viewed and deleted by the user. For example:
Note that the expiry date can be set to end of session, in which case the cookie will be discarded when the browser application program is ended.
By setting the arbitrary text portion of a cookie to something different in every cookie it issues, and setting the domain name section to refer to itself, a web server is then able to recognise individual users’ sessions (sequences of requests from the same user). By setting an expiry date that is in the distant future, a web server is additionally able to recognise users that return to the site on subsequent days, weeks or whatever (repeat visitors). Cookies set to expire beyond the end of the current browser session are usually referred to as persistent.
Cookies do not contain executable code and therefore do not provide a potential point of entry into users’ computers for viruses, Trojan horses or other malicious software.
Establishing user sessions at the server in this way also enables the development of new classes of web-based applications ranging from multi-page forms to websites that can record user preferences and customise the content they deliver according to users’ expressed preferences.
A practical example is Amazon.com, the online bookseller. They use cookies for site personalisation, to aid established customers by informing them of offers and discounts in areas they have previously used. For example, the personalised message when you log in:
‘Hello John Doe, we have recommendations for you in books and video’
Hyperlinks then take you to a personalised page that highlights products based on your personal profile.
4.7.2.1 User privacy implications
Any proposal to implement a website cookie regime inevitably and properly raises concerns about user privacy. To clarify and assess user privacy implications it is useful to categorise cookies into several basic types as follows:
Anonymous session tracker - a cookie used to track user sessions. It contains no personal information about the user, nor does the website elicit or store any information from the users. Appropriately used this is a valuable tool in user analysis and it also enables the provision of features such as multi-page forms. This cookie may be made persistent in order to detect repeat visitors and returning users respectively.
Session tracker - this is a cookie that the web server uses to relate page and other content requests to user preferences stored on the server. The cookie is used to establish the session and the web server ties the session to the user profile that it has stored. The use of the cookie does not in itself add any additional privacy considerations to those that arise as a consequence of eliciting and storing data that may be considered to be private. Note, however, that it is not acceptable for a browser’s presentation of a cookie to be interpreted by the web server as adequate authentication for access to private data held on a web server or back-end database. Additional authentication and data encryption techniques must be used for applications involving the transfer of private information over the Internet. This category of cookie may or may not be persistent. For example, you may belong to an online group that issues a session cookie each time you log into it. If you select the option to log in automatically, it will then send you a persistent cookie. See section 1.11 Backgrounder on securing websites, and section 5.5 Online transactions.
Cookies containing private data - cookie regimes that involve storing private or potentially private data, such as names, addresses, credit card numbers, within the cookie itself are sometimes mooted. This approach should be avoided in Government websites.
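The cookie categories above, together with the session and persistent expiry settings described in section 4.7.2, can be shown in a short Python sketch. This is an added example, not code from the original guidance; the cookie name sid, the domain www.example.gov and the in-memory PROFILES store are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side store (hypothetical): opaque token -> user preferences.
# Nothing private is ever written into the cookie itself.
PROFILES = {}
ONE_YEAR = 365 * 24 * 3600

def issue_tracker(persistent=False, domain="www.example.gov"):
    """Return (token, Set-Cookie value) for an anonymous session tracker."""
    token = secrets.token_urlsafe(32)      # different in every cookie issued
    cookie = SimpleCookie()
    cookie["sid"] = token
    cookie["sid"]["domain"] = domain       # refers back to the issuing site
    cookie["sid"]["path"] = "/"
    if persistent:
        cookie["sid"]["max-age"] = ONE_YEAR  # kept after the browser closes
    # With no expiry attribute the browser discards the cookie at end of session.
    PROFILES[token] = {"preferences": {}}
    return token, cookie["sid"].OutputString()

def read_token(cookie_header):
    """Return the tracker token from a Cookie request header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("sid")
    if morsel is None or morsel.value not in PROFILES:
        return None                        # absent, declined or unknown token
    return morsel.value

def handle(cookie_header, wants_private_data, authenticated=False):
    """Decide what a request may receive."""
    if wants_private_data and not authenticated:
        # Presenting a cookie is never adequate authentication on its own.
        return "login-required"
    if read_token(cookie_header) is None:
        return "default-content"           # site still works without cookies
    return "personalised-content"

if __name__ == "__main__":
    tok, header = issue_tracker(persistent=True)
    print("Set-Cookie:", header)
    print(handle("sid=" + tok, wants_private_data=False))
    print(handle("sid=" + tok, wants_private_data=True))
```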
It is important that the user is always made aware if your website uses cookies, what data they contain and what they are used for. This information should be communicated on every entry page to a service that uses cookies. Most browsers let the user specify whether to allow cookies - always, never or case-by-case - but you could consider using a more direct approach for consent. For example:
A website that uses cookies should also work if users decline to accept them. Your site should perform with and without the use of cookies. If your site offers a degraded service to users who do not accept cookies then they should be informed that they would have to put up with a less sophisticated service.
4.7.3 Third-party cookies
Web managers should be aware of the use of cookies by third parties, for example, advertisers or others making use of part of a web page. It is possible that they may employ a cookie (sometimes called a web bug) that seeks to track a user across the Web by using a globally unique identity and a DNS domain name that is not related to the DNS server of your department/agency. Such third-party cookies may impinge upon your published privacy policy.
See section 1.3 for advertising and sponsorship.
1.10.2 Legal issues - Data Protection Act