Cookies have caused a great
deal of debate over the years. The following are some of the
issues:
- Some users don't like the idea that a Web server can write to
  their hard disk, however innocuously. In fact, there is no (real)
  danger in accepting cookies -- for example, cookies obviously
  cannot spread viruses.
- Users worry that cookies might be used to send secret
  information about them to a server. In fact, the cookie which is
  returned is exactly the same as that which was sent.
- Users are concerned that other Web servers might find out
  information about them by reading cookies set by different servers.
  In fact, browsers follow very strict rules to ensure that cookies
  are only returned to the server (and/or specific CGI program) which
  originally sent them -- although see the discussion of the domain
  and path attributes in the previous slide.
- Users worry that Web servers can track their "click-through"
  behaviour using cookies. In fact, this is true, and is a potential
  privacy issue. In response to this concern, virtually all modern
  Web browsers offer detailed "preferences" options for how cookies
  are to be handled, particularly those sent by "third-party"
  advertising sites which supply webpage images.
- All browsers allow the user to turn off acceptance of cookies,
  and some users do this. Therefore a session-managed application
  cannot rely on the availability of cookies to maintain state
  information.
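
The return rule from the third item above, worked through as an added example (not part of the original slides): a simplified JavaScript version of the domain and path matching described in RFC 6265, run over a constructed cookie jar. The function names, hostnames and cookie values are assumptions made for the illustration.

```javascript
// Added illustration: simplified cookie return rules (RFC 6265, 5.1.3 and 5.1.4).
// All hostnames and cookie values below are constructed sample data.

// Domain match: same host, or host ends with "." + cookie domain (names only).
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(h);
  return !isIPv4 && h.endsWith("." + d);
}

// Path match: equal, or cookie path is a prefix ending at a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// hostOnly is true when the server set no Domain attribute: exact host only.
function wouldSend(cookie, requestUrl) {
  const url = new URL(requestUrl);
  const host = url.hostname.toLowerCase();
  const hostOk = cookie.hostOnly
    ? host === cookie.domain.toLowerCase()
    : domainMatch(host, cookie.domain);
  if (!hostOk || !pathMatch(url.pathname, cookie.path)) return false;
  return !(cookie.secure && url.protocol !== "https:");
}

// Build the Cookie request header a browser would send (jar order kept).
function cookieHeader(jar, requestUrl) {
  return jar
    .filter((c) => wouldSend(c, requestUrl))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

const jar = [
  { name: "sid", value: "abc123", domain: "shop.example.com", hostOnly: true, path: "/cgi-bin/cart", secure: false },
  { name: "pref", value: "en", domain: "example.com", hostOnly: false, path: "/", secure: false },
  { name: "track", value: "u42", domain: "ads.example.net", hostOnly: true, path: "/", secure: false },
];

console.log(cookieHeader(jar, "http://shop.example.com/cgi-bin/cart/view"));
console.log(cookieHeader(jar, "http://ads.example.net/banner.gif"));
```

The second request stands for an image supplied by an advertising host: its cookie goes back to that host whichever page embeds the image, which is the click-through tracking raised in the fourth item.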
Some interesting (although rather dated) information on cookies can
be found at: