A cookie with a 7,984-year lifespan. Blimey, Roy Batty only got 4! A cookie can last 7,984 years, according to new international privacy study, far out-lasting the operational usefulness of the device (or human user presumably). The idea that some of the small files stored on a device when it is used to visit a website are programmed, to last at least as long (if not far longer) than the …
Few things I note:
My user account has moved from cpu-to-cpu and storage-device-to-storage-device for over a decade now (and I don't even use cloud - this is just my /home partition moving about as I upgrade stuff), so assuming that the age of a physical device has anything to do with it is naff.
I don't accept 3rd-party cookies. It is a fairly accessible setting in any modern browser.
The sort of cookies I do like to accept (page viewing preferences) I would prefer to outlive me.
I intend to live forever. Or die trying*.
----
* Vila Restal, Blakes 7, BBC
It is annoying that so many web sites take the cynical lazy way to compliance. They just have a pop-up banner about cookies - effectively saying "accept our cookies or go away".
On my small website the cookies only get stored if the user specifically agrees - and they can rescind that agreement at any future point. The user is told that not storing a cookie will mean re-typing their details on any subsequent visit - but only if their interaction is a query. They are advised not to save them on a public computer.
It wasn't rocket science to do that.
This post has been deleted by its author
OK, expiry in 9999 is absurd.
On the other hand, assuming there is a benign reason to persist some kind of state beyond the current session, what is a reasonable lifespan? 10 years? 20? In most cases there's no functional difference between these and 7984 years. One year? A month or a week? In some circumstances this might defeat the purpose of the cookie.
If you accept cookies at all, why is a cookie with a lifetime of 7984 years more of an intrusion than one that lasts a week? The space consumed by most cookies is trivial. Most of a browser's disk storage is used for static resources like images and HTML pages; nobody seems to be getting upset about the expiry dates on these.
"The cause is obvious - a lazy developer just set the maximum possible date to make sure they wouldn't expire."
Indeed. Stating the bleeding obvious, perhaps, but it needed to be stated given that everyone involved seems to be wilfully ignoring something that's damned clear to anyone with half a brain.
"...for even the most innocent of purposes..."
But it's dead easy if you're a lazy programmer!
(Many years ago a girlfriend worked for a company where people had developed the habit of putting 9999 as the expiry date for a document. As the calendar ticked towards September 1999 there was a massive rush to check whether anything important was going to get automatically wiped!)
Any web developer will tell you that cookies are a vital tool for making the web work.
No shit Sherlock. It must be true, because ever since I started mercilessly wiping them on browser exit every single website on the world wide web started whining about that every single time I visit...
@AC:
Adding the rule:
div[id*="cookie"] { display:none; }
to your browser stylesheet (you do have one of those, right?) should mean you don't have to see cookie warnings on at least some sites.
More rules in the same vein would take out more targets, but each one increases the risk of missing something that might actually be interesting.
Anyone concerned about the privacy issues of cookies really should be using their browser settings to control or clean these out. I know sites should not be doing this, but do we really want more legislation and stupid rules stipulating what is an acceptable expiry time for a cookie? Anyone who cares about persistent cookies can easily deal with the problem themselves.
It reminds me of the occasional outrage expressed by people using a site whose login is run under http, which normally revolves around them claiming that since they used the same username and password as their online banking, you've now compromised their details (yes, these security geniuses set up their account on a garden gnome enthusiast forum with the same password they apparently use for everything including banking, yet consider themselves as tech savvy advocates of good security practice).
If you have no scruples there are still ways to track users if they have cookies disabled. There are just some people/companies that just seem to regard it as their right to spy on people and I'm taking about commercial entities here, not the traditional no such agencies.
I've got to say, I find the opposite [ie: cookies which expire after a short time, for no good reason] to be far more annoying. Thus requiring me to hunt around for my login details in the middle of interacting with a site I *thought* I was already logged into.
Amazon are probably the most annoying example: Their site will greet you by name, show you your recommendations and recent purchases and allow you to add items to your basket... right up until you hit the 'Checkout' button, at which time it's suddenly *"Sorry. Who are you? Log in please!"
eBay used to be similarly annoying but at least have had the decency to re-word the tickbox on their login screen to say "Keep me logged in for two weeks" now, which at least allows you to prepare yourself for being unceremoniously dumped on your arse on the doorstep, in a fortnight's time.
By far the most wall-headbuttingly annoying example ever though is Delicious.com, which arbitrarily logs you out at seemingly random intervals. Few things in life can equal the sheer joyous user experience of painstakingly filling in the details [description, tags,etc] of a website you want to bookmark, using their official bookmarklet, only for it to tell you [after submitting, FFS!] that you need to login. And, of course, after doing so you are returned to the bookmarklet form, which has now been wiped clear of all the info you just entered.
[That last one had me on the brink of insanity, til I eventually discovered Pinboard.in which has managed to allow me to stay loggged in continuously for several months so far, without it apparently 'breaking the internet']
—8000 year cookies? I'm all for them, in the right circumstances!
*"....Yes I have always wished Amazon would allow my co-workers, friends, families or random people nearby to purchase things on my account without entering a password..."*
Really? I avoid such scenarios by not having my family, friends, people I work with and "random people nearby" all share the same user account on the computer, and by logging out when i'm not using it, or locking the screen when I leave it unattended.
Once logged into *my* personal account on the computer, the less other passwords that get in my way, the better.
There wasn't much point setting the cookie later than that, because
In the year 9999
It's going to be man's last year alive
He's taken everything this old earth can give
And he ain't put back nothing
Now it's been 10,000 years
Man has cried a billion tears
For what he never knew
Now man's reign is through
If you accept cookies that expire after a week or so, these can be refreshed when you hit the same domain within that time-frame (could just be an advertising banner). Or are you worried about a site tracking you twice a decade or something? If on the other hand a developer needs to make something like a "Remember Me" option that stores your username locally for the user's convenience, and is told it should never expire because the users are annoyed when it keeps going away.... A 9999 year cookie, sure, why not. Do they seriously expect it to last 9999 years? No. But it's a lot easier than constructing the time machine and pinpointing exactly when the user next clears his cookies / changes PC.
Actually that date may cause instant expiry on some Unix based machines, due to int overflow problems I believe. So on a practical level a more reasonable approach is probably about 10 years in the future and keep updating the cookie when the user next hits the site.
Don't want cookies? Use a app to sort that for you but don't be surprised when convenience goes down.
I dunno which is the more worrying possibility: that the programmers responsible were too damned lazy to work out the reasonable lifetime one of their cookies should endure or that they didn't understand the whole concept of expiration.
Of course they were working on the principle that *everyone* clears their cookie cache at session end.
I mean, why wouldn't they?
A few years ago I discovered Flash cookies on one of my machines that a friends teenage daughter had been using with a guest account to visit a teengirl magazine type site several months before. My browser settings were set to delete cookies & cache on exit so I and she obviously thought that privacy was somewhat enabled.
The aforementioned Flash cookies contained the plaintext postings she had made to that site, which concerned her lesbian relationship with another girl.
I never said anything about this to her or her Mother, and never will as I beleive I should never have had knowledge of the matter, and playing wise monkey is the best option that causes least harm.
However it did teach me a lesson to never expect privacy on a computer or the www.
.... on a simlar vain, many "private browsing" / "incognito mode" equipped browsers (particularly on android) actually are nothing of the sort, as for some reason, they still store stuff in an sqlite db, which remains even after the object is deleted.
Try running "strings" on the ".db" files after a suppposed "private browsing" session!
I've seen many time when a cookie is from what the browser believes to be a 'third-party' but is just Site-cdn.net. So from one perspective, its the same website (same owners, same operators, etc); but a third-party form another, as its a different domain.
This truly is amazing: I've skimmed the title originally, found it vaguely familiar, along the lines of "I know that guy, who could it be - some serial killer, famous hacker, or what?" and left it at that. Now in the evening, after 3-4 stiff drinks I glanced the title again and knew instantly, perfectly clearly who Batty was. Huh... weird. (Grants, anyone? Free lab rat here, as long as alcohol is involved...)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
