WebApp Sec mailing list archives
Web site cookie overload?
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Mon, 17 Jan 2005 21:59:30 -0500
Hi,

I run a cookie tosser program on my Windows laptop. This program periodically deletes my Internet Explorer cookies for many Web sites that I visit. I only keep around cookies for a few Web sites like the New York Times and the Wall Street Journal because I do not want to have to keep relogging into these sites.

One of the cookie tossers I run deletes most Web site cookies every few minutes. For Web sites which I go to often during the day like Google and third-party ad networks, I might look like 10, 20, or 30 unique visitors. For each visit, I am given a new cookie ID number by a Web site. Because my cookie tosser does not delete cookies right away, a Web site should see me as a real visitor because Internet Explorer will send back a cookie ID number to a Web site a few times before the cookie is tossed.

What I am wondering is what will happen at high volume Web sites if a lot of folks started running the same cookie tosser that I am using. Will Web sites start breaking down because of an overload of cookies being assigned to too many unique visitors?

By a lot of people, I am thinking here a minimum of 10 million computer users. With a cookie tosser, these computer users might start looking like 50 to 100 million new visitors each day on high volume Web sites. Will such a volume of new visitors cause problems for some Web sites?

The cookie tosser I am running is actually built into Internet Explorer. Microsoft does not really tell users about this feature and it has a terrible user interface. It requires an XML file to be created manually which instructs Internet Explorer how to handle cookies. One of the options in the XML file tells Internet Explorer to convert permanent cookies to session cookies. I turn this option on so that Internet Explorer acts as a cookie tosser. I then explicitly list in the XML file all the Web sites like the New York Times and the Wall Street Journal to prevent their cookies from being converted to session cookies.

Here is documentation from Microsoft about this feature of Internet Explorer:

How to Create a Customized Privacy Import File
http://tinyurl.com/2ners

And here is a copy of the XML file that I use to do the cookie tossing:

http://www.computerbytesman.com/privacy/blocker.xml

I've been running this Internet Explorer cookie tosser on and off for a year now and it works great. I have found that a cookie tosser is more effective than a cookie blocker, because some Web sites require cookies to be turned on in order to use a site. A cookie tosser will work with these sites, while a cookie blocker will not.

Richard M. Smith
http://www.ComputerBytesMan.com