WebApp Sec mailing list archives
Re: Web site cookie overload?
From: Nick <nseward () cscn com>
Date: Wed, 19 Jan 2005 08:26:58 +0000
On January 18, 2005 02:59 am, Richard M. Smith wrote:
Hi,

I run a cookie tosser program on my Windows laptop. This program periodically deletes my Internet Explorer cookies for many Web sites that I visit. I only keep around cookies for a few Web sites like the New York Times and the Wall Street Journal because I do not want to have to keep relogging into these sites.

One of the cookie tossers I run deletes most Web site cookies every few minutes. For Web sites which I go to often during the day like Google and third-party ad networks, I might look like 10, 20, or 30 unique visitors. For each visit, I am given a new cookie ID number by a Web site. Because my cookie tosser does not delete cookies right away, a Web site should see me as a real visitor because Internet Explorer will send back a cookie ID number to a Web site a few times before the cookie is tossed.

What I am wondering is what will happen at high volume Web sites if a lot of folks started running the same cookie tosser that I am using. Will Web sites start breaking down because of an overload of cookies being assigned to too many unique visitors? By a lot of people, I am thinking here a minimum of 10 million computer users. With a cookie tosser, these computer users might start looking like 50 to 100 million new visitors each day on high volume Web sites. Will such a volume of new visitors cause problems for some Web sites?

The cookie tosser I am running is actually built into Internet Explorer. Microsoft does not really tell users about this feature and it has a terrible user interface. It requires an XML file to be created manually which instructs Internet Explorer how to handle cookies. One of the options in the XML file tells Internet Explorer to convert permanent cookies to session cookies. I turn this option on so that Internet Explorer acts as a cookie tosser. I then explicitly list in the XML file all the Web sites like the New York Times and the Wall Street Journal to prevent their cookies from being converted to session cookies.

Here is documentation from Microsoft about this feature of Internet Explorer:

How to Create a Customized Privacy Import File
http://tinyurl.com/2ners

And here is a copy of the XML file that I use to do the cookie tossing:

http://www.computerbytesman.com/privacy/blocker.xml

I've been running this Internet Explorer cookie tosser on and off for a year now and it works great. I have found that a cookie tosser is more effective than a cookie blocker, because some Web sites require cookies to be turned on in order to use a site. A cookie tosser will work with these sites, while a cookie blocker will not.

Richard M. Smith
http://www.ComputerBytesMan.com
Most sites will not use cookies as a way of counting the number of visitors since they are unreliable, just like you mentioned. Instead they would track the number of unique IP addresses that access their website. This would then be the total number of unique visitors to their site, which is much more reliable than a cookie count.

Now, if all people were using that cookie tosser program like you, then the web server would just be keeping track of more cookies, something it can handle perfectly fine. The webmaster would figure out people are using some kind of anti-cookie program when he compares the number of cookies tracked to the number of actual unique IP addresses that accessed the website. (Cookies tracked > unique IP count).

Nick
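
The comparison described in the reply above (cookies tracked versus unique IP count), as an added example that is not part of either post. The log layout, the `uid` cookie name and the threshold are assumptions, and the log lines are constructed sample data.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed log layout: ip [timestamp] "request" status "Cookie header"
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "[^"]*" \d{3} "([^"]*)"$')
UID_RE = re.compile(r'(?:^|;\s*)uid=([^;]+)')  # "uid" is a hypothetical cookie name

# Constructed sample access log (not from the thread).
SAMPLE_LOG = '''\
198.51.100.7 [19/Jan/2005:08:00:01 +0000] "GET / HTTP/1.1" 200 "uid=a1"
198.51.100.7 [19/Jan/2005:08:01:10 +0000] "GET /news HTTP/1.1" 200 "uid=a1"
198.51.100.7 [19/Jan/2005:08:06:30 +0000] "GET / HTTP/1.1" 200 "uid=a2"
198.51.100.7 [19/Jan/2005:08:07:02 +0000] "GET /news HTTP/1.1" 200 "uid=a2"
198.51.100.7 [19/Jan/2005:08:13:45 +0000] "GET / HTTP/1.1" 200 "uid=a3"
203.0.113.9 [19/Jan/2005:08:02:00 +0000] "GET / HTTP/1.1" 200 "uid=b1"
203.0.113.9 [19/Jan/2005:12:40:00 +0000] "GET /sport HTTP/1.1" 200 "lang=en; uid=b1"
192.0.2.44 [19/Jan/2005:09:15:00 +0000] "GET / HTTP/1.1" 200 "-"
'''

def parse(log):
    """Yield (ip, timestamp, uid-or-None) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing
        uid = UID_RE.search(m.group(3))
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group(1), ts, uid.group(1) if uid else None

def summarize(log, churn_threshold=3):
    """Compare distinct cookie IDs with distinct IPs and list churning IPs."""
    ids_by_ip = defaultdict(set)
    seen = {}  # uid -> (first_seen, last_seen)
    for ip, ts, uid in parse(log):
        ids = ids_by_ip[ip]  # the IP counts even when it sends no cookie
        if uid is None:
            continue
        ids.add(uid)
        first, last = seen.get(uid, (ts, ts))
        seen[uid] = (min(first, ts), max(last, ts))
    lifetimes = [(last - first).total_seconds() for first, last in seen.values()]
    return {
        "unique_ips": len(ids_by_ip),
        "unique_cookies": len(seen),
        "churning_ips": sorted(ip for ip, ids in ids_by_ip.items()
                               if len(ids) >= churn_threshold),
        "median_cookie_lifetime_s": statistics.median(lifetimes) if lifetimes else None,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Many cookie IDs behind one address is also what a shared proxy or NAT gateway looks like, which is why the sketch reports how long each cookie ID was seen as a second signal.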