Cookies, P3P, and IE6

Get the WebProNews Newsletter:

[ Technology]

Since the majority of web users now use IE6, you need to understand how Internet Explorer deals with cookies.

Most sites now have (or should have) privacy policies stating what they actually do with information collected from their visitors.

But with the introduction of Internet Explorer v6.0, Microsoft introduced default browser settings, which are designed to check a Web site’s P3P privacy policy before allowing use of cookies by that site. It is therefore important that you create a P3P privacy policy for your Web site if you are collecting any information from your visitors or if using cookies is important to you.

P3P is an Internet protocol that has been designed to let users select general privacy settings that will then be enforced by software.

Under IE5, users could group Web sites into trusted, restricted, and Internet (unknown status), and set the refusal or acceptance of cookies based on these zones.

IE6 has the same basic options, but the security level you select applies only to the Internet Security Zone and there are more options. A user uses a sliding scale to select from 4 different cookie settings, which range from “Accept All” to “Reject All”. Most IE6 users will rely on P3P because it’s the default. With IE6, P3P is supposed to evaluate a site by reading a special tag that includes a summary of the site’s privacy policy.

IE6 looks for a file called p3p.xml which you can place in a directory in your root folder called w3c like this /w3c/p3p.xml. This file specifies the location of the p3p policy. For example if you click on – http://www.HTML-tutorial.org/w3c/p3p.xml you will see it is referring to the location of the privacy policy for this site.

The code in the Web site’s P3P policy decides which cookies to allow. The user’s browser compares the browser settings and matches this against the P3P in your privacy policy.

If your P3P file does not specify what cookies you are using, then there is a risk that the cookies set by your Web site may ignored by the user’s browser if the user is using the default settings, so it is important to create a P3P file and place it on your Web site.

This is also important if you make money through an affiliate program. Most affiliate programs use cookies to check who referred them to their site. You need to ensure that the affiliate program owner has a P3P policy for their site specifying which cookies are being used. If not, then if you refer a visitor using IE6 to their site, the cookie that is meant to recognize you as the affiliate, may be blocked by the visitor’s browser, and you will not get the credit for the referral.

You can find out more about P3P and how to create a P3P policy at the W3C site – http://www.w3.org/P3P/ including a tutorial on creating a P3P policy in 6 easy steps.

To see an example of how IE6 deals with cookies, if you are using IE6, select Tools > Internet Options and then the Privacy tab, and set your Privacy level to “Block all cookies”. Then browse to http://www.design-web-sites.com and have a look in the browser on the bottom right next to the status bar. You should see a red warning sign with an eye image behind it. If you double click on that it will show you which cookies are being set by this Web site. If you then change the Privacy settings in IE6 to the Medium, (or the default) and refresh the page in your browser, the warning sign will disappear. That is because there is a P3P policy defined for this site to allow these cookies.

Now click on http://www.affiliateguerrilla.com with the Privacy settings still set to Medium. On this site, 3rd party cookies are not defined in the P3P policy (at time of writing) so a warning sign will appear. Double click on the warning sign and you will the 3rd party cookies that are present on this site.

Let’s take a closer look at what cookies are and what they can do.

Cookies are actually small pieces of data used mainly by Web sites so they can store information about that particular computer such as whether or not it has visited the site before. They are storing information about the computer, not the person. They are downloaded to a user’s computer by the browser and are used to recognize users when they return to a Web site.

The cookie is stored on the user’s computer but is not a program and cannot therefore do anything to it.

A domain can only set and read its own cookies, so the cookies set by one domain cannot be read by another. A site can, however, specify the domain in setting a cookie, then any Web sites that are sub-domains of the site can also read the cookie. This is so that large Web sites that have their domains hosted on more than one server can read their cookies with all their servers.

The only instance when you would find private information stored in a cookie file would be if you personally gave that information to a Web site in the first place and it decided to put that information into your cookie file for some reason, but even then, only that site would be able to read the cookie it had written.

One of the reasons for the misconceptions about cookies is that some advertising agencies advertise through placing banner-ads on hundreds of different Web sites.

The Web sites displaying the banner ads are given code, which includes single pixel images (which are transparent) to put on their Web sites. This image allows the agency to set and read its own cookies. These third-party cookies are set so that the advertising agency can track the number of visits generated by a particular banner-ad.

However, they could also use this information to build up rich profiles of the visitors. Although they don’t have any personal information about the visitor, they can correlate the cookie ID with the type of sites that are being visited.

If then the advertising agency manages to get hold of the visitors email address it would be able to collect information about the user’s browsing habits and if it could acquire a database with names and addresses there is a chance that it could match the email address up to a name and physical address.

Almost all serious online marketers use cookies these days. To see just how many sites set cookies on your computer try and find the directory your cookies are stored in.

Although different systems store cookies in different locations, a common location on Windows machines is: C:Documents and SettingsDefault UserCookies

Our conclusion is that cookies are in fact very useful both for the Web marketer and for your visitors. Most larger websites, and nearly all online shopping carts rely on them. But if you own a website that sets cookies, you need to ensure you post a P3P privacy policy so that your cookies are not blocked by IE6 users.

Richard Igoe is the author of “The Strategy of Web Design” at, a
book on web design for the business, covering topics such as how
to create cookies, how to create a database driven site, and how
to format your site with CSS – http://www.design-web-sites.com
The author has been a web developer since 1998 and has worked
in various web design and consultancy roles.

Cookies, P3P, and IE6
About Richard Igoe
Richard Igoe is the author of "The Strategy of Web Design" at, a book on web design for the business, covering topics such as how to create cookies, how to create a database driven site, and how to format your site with CSS - http://www.design-web-sites.com The author has been a web developer since 1998 and has worked in various web design and consultancy roles. WebProNews Writer
Top Rated White Papers and Resources
  • http://www.pptse.net Susan Muffin

    Most people love homemade chocolate chip cookies including me. They’re so popular that maybe they should build a museum just for lovers of this delectable cookie. Visit pptse.net for some information about delicious cookies

  • Join for Access to Our Exclusive Web Tools
  • Sidebar Top
  • Sidebar Middle
  • Sign Up For The Free Newsletter
  • Sidebar Bottom