How to Use Cookies, Part I

    July 8, 2003

This article describes how cookies work and ways cookies can be used for your benefit, as a webmaster, without compromising your visitor’s privacy.

The second article in this series will show how to use cookies with JavaScript. And the third article will do that with Perl CGI programs.

If you’re an experienced programmer (or brave :-), you can go directly to’s preliminary cookie specifications page. Otherwise, use it as a reference after you have more understanding about cookies and how you want to use them. The page is at

Cookies are benign text data records stored on your visitor’s hard drive. According to the specifications, the only internet site able to retrieve a cookie from that hard drive is the site that put it there in the first place.

Cookies are not programs. They are plain text data.

Cookies cannot gather information on their own. The data cookies contain has been gathered by other means. And cookies cannot collect personal information about your visitors from their computer.

Cookies allow your site to store information on your visitor’s computer for later retrieval.

Why Sites Use Cookies:

When your visitors surf your site, they go from page to page. Ideally, it is a smooth, continuous experience.

For your server it is not that way. During the time between when one of your visitors arrives at pageD.html and decides to click to pageR.html, there may have been dozens of other visitor browsers retrieving those same and other pages. Once your server delivers a page to a browser, it disconnects from the browser.

There is no automatic method of remembering information from one page to the next.

In many situations, using cookies is the most efficient method of remembering and tracking preferences, purchases, commissions, and other information required for better visitor experience or site statistics.

How It Works:

Your server sends some data to the visitor’s browser in the form of a cookie. (The exact format will be discussed later.) The data is plain text.

The browser may accept the cookie. If it does, it is stored as a plain text record on the visitor’s hard drive.

Now, when the visitor arrives at another page on your site, the cookie is available for retrieval. Once retrieved, your server knows/remembers what was stored.

Cookies have specific size limits:

  1. A cookie may be no larger than 4k.
  2. There may be no more than 20 cookies per domain.
  3. There may be no more than 300 cookies total from all sources.

(Note that browsers are not required to conform to those limits. They may allow more or larger cookies. However, responsible programming requires respect for the specifications.)

If your server asks a browser for cookies it may have accepted while at your site and none are available, either

  • the visitor has never been at your site,
  • the browser did not accept cookies your server offered,
  • in order to stay within the 300 cookie limit, the browser deleted your domain’s cookie(s) from the hard drive when accepting cookies from other sites, or
  • the visitor manually deleted your server’s cookie(s) from the hard drive.

What It Is:

Cookies are a plain text data record of 5 variable-length fields:

  1. expires=_______: The date the cookie will expire. If this is blank, the cookie will expire when the visitor quits the browser.
  2. domain=_______: The domain name of your site.
  3. path=_______: The path to the directory or web page that set the cookie. This may be blank if you want to retrieve the cookie from any directory or page.
  4. secure: If this field contains the word “secure” then the cookie may only be retrieved with a secure server. If this field is blank, no such restriction exists.
  5. name=value: You or your programmer determine what name to call this field and what data it contains. The name and data may be any visible plain text characters except semi-colons and commas. (To store those restricted characters or spaces, a plain text encoding method is used.) For example, “%20” (without the quotes) would represent a space in the generally accepted hexadecimal URL encoding system. No particular encoding method is required, except it must be plain text and the program decoding it must know the method used.
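
The five fields above, assembled into one record and read back, as an added illustration that is not code from this article. The function names, the Node.js runtime and the sample values (shop.example, the "note" cookie) are assumptions; percent-encoding is the "%20" method mentioned in field 5.

```javascript
// Added illustration, not code from the article.
const MAX_COOKIE_BYTES = 4096; // the 4k limit the article quotes

// Build the record a server sends, from the five fields listed above.
function buildSetCookie({ name, value, expires, domain, path, secure }) {
  if (!name || /[;,=\s]/.test(name)) throw new Error("bad cookie name");
  for (const attr of [domain, path]) {
    // A ";" inside an attribute would start a new, unintended field.
    if (attr && /[;,\s]/.test(attr)) throw new Error("bad attribute");
  }
  // Percent-encode the value so ";", "," and spaces cannot split the record.
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (expires) parts.push(`expires=${expires.toUTCString()}`);
  if (domain) parts.push(`domain=${domain}`);
  if (path) parts.push(`path=${path}`);
  if (secure) parts.push("secure");
  const record = parts.join("; ");
  if (Buffer.byteLength(record, "utf8") > MAX_COOKIE_BYTES) {
    throw new Error("cookie larger than 4k");
  }
  return record;
}

// Parse the "name=value; name=value" text a browser sends back.
function parseCookies(text) {
  const found = new Map();
  for (const pair of text.split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    const name = pair.slice(0, eq).trim();
    const raw = pair.slice(eq + 1).trim();
    if (!name) continue;
    try {
      found.set(name, decodeURIComponent(raw));
    } catch (err) {
      found.set(name, raw); // malformed %-sequence: keep the raw text
    }
  }
  return found;
}

// Constructed sample values.
const sample = buildSetCookie({
  name: "note", value: "red; secure, big",
  expires: new Date(Date.UTC(2004, 6, 8)), domain: "shop.example", path: "/cart",
});
console.log(sample);
console.log(parseCookies("note=red%3B%20secure%2C%20big; visits=3").get("note"));
```

Without the encoding step, the sample value would have been read as three separate fields, one of them "secure".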

When your visitor’s browser accepts a cookie from your site, it stores the record in a cookie database on the visitor’s hard drive. That’s actually what a cookie is: a record in a plain text database stored on the visitor’s hard drive.
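
A simplified model of that cookie database, added here as an illustration and not taken from this article: it applies the domain, path, secure and expires fields when deciding what to hand back, and evicts the oldest record at the 20-per-domain and 300-total limits. The CookieJar class, its method names and the example hosts are assumptions.

```javascript
// Added illustration, not code from the article; a simplified model.
const MAX_PER_DOMAIN = 20; // limits quoted in the article
const MAX_TOTAL = 300;

class CookieJar {
  constructor() {
    this.records = []; // oldest first
  }

  // Store a record offered by host `from`. Returns false if refused.
  set(from, { name, value, domain = from, path = "/", secure = false, expires = null }) {
    // Only the site itself (or a host inside `domain`) may set the record.
    // Simplification: real browsers also refuse bare top-level domains.
    if (from !== domain && !from.endsWith("." + domain)) return false;
    this.records = this.records.filter(
      (r) => !(r.name === name && r.domain === domain && r.path === path)
    );
    this.records.push({ name, value, domain, path, secure, expires });
    // Evict the oldest record when a limit is exceeded.
    const sameDomain = this.records.filter((r) => r.domain === domain);
    if (sameDomain.length > MAX_PER_DOMAIN) {
      this.records.splice(this.records.indexOf(sameDomain[0]), 1);
    }
    if (this.records.length > MAX_TOTAL) this.records.shift();
    return true;
  }

  // The "name=value" pairs that would accompany a request for `url`.
  cookiesFor(url, now = new Date()) {
    const { hostname, pathname, protocol } = new URL(url);
    return this.records
      .filter((r) => hostname === r.domain || hostname.endsWith("." + r.domain))
      .filter((r) => pathname.startsWith(r.path))
      .filter((r) => !r.secure || protocol === "https:")
      .filter((r) => r.expires === null || r.expires > now)
      .map((r) => `${r.name}=${r.value}`)
      .join("; ");
  }
}

// Constructed sample: one site sets two records, another site asks for them.
const jar = new CookieJar();
jar.set("shop.example", { name: "cart", value: "3", path: "/store" });
jar.set("shop.example", { name: "login", value: "yes", secure: true });
console.log(jar.cookiesFor("http://shop.example/store/item")); // non-secure request
console.log(jar.cookiesFor("http://other.example/store/item")); // different site
```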

Reasons for Using Cookies:

Many shopping cart programs use cookies to keep track of items chosen for purchase. When a browser requests a page, the shopping cart program asks for any available cookies. Cookies tell the shopping cart what items are already in the cart. When a new item is chosen (or removed from the cart) the server sends an updated cookie to the browser. At checkout time, the latest cookies tell the shopping cart what items are being purchased.

Many affiliate programs use cookies to determine whether or not a visitor has previously been at the site and which affiliate earns the referral. Your visitor clicks on one of your affiliate links. S/He arrives at your affiliate company’s site and their server sets a cookie with your affiliate number. The “expires” date in the cookie is set for whatever length of time you earn commissions on sales if/when the same visitor returns to the affiliate company’s site.

Using cookies is the most accurate method of counting unique visitors to your site. IP Address counting is not reliable. Visitors from the same proxy server are likely to have the same IP Address. On the other hand, one of the largest ISPs (and there may be others that do this, too) sends a different IP Address with every page view. With cookies you get the most accurate count.

Using cookies is also the most accurate means of calculating the average number of pages viewed by your visitors before they leave your site, what percentage are repeat visitors, and the average number of times a visitor comes back to your site.

Cookies can store visitor preferences. This is a method used by portal page sites so their visitors can customize their portal page.

If you have more than one site, you can track visitors going from site to site.

You do this by displaying an image on all pages of each of your sites, an image that is retrieved from one common domain via CGI or other method that sets and retrieves cookies and also maintains auxiliary databases on its server. The image can be a banner, a 1×1 pixel GIF, or any other image. Because the image is retrieved from one image dispensing domain (even when loading a page on a different site), the image dispensing domain can maintain a record of pages visited on multiple sites. Many banner dispensing domains use cookies this way.

This method of using cookies can be a privacy infringement if the data thus obtained is collated with other sources of information.
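
A privacy check for the multi-site image method described above, added here as an illustration and not taken from this article: given a list of requests made while pages load, it reports any outside host that received the same cookie from pages on more than one site. The request list is constructed, and the function name and record layout are assumptions.

```javascript
// Added illustration, not code from the article.
// Constructed sample: requests seen while loading pages on three sites.
const observed = [
  { page: "http://site-a.example/", resource: "http://site-a.example/logo.gif", cookie: "prefs=blue" },
  { page: "http://site-a.example/", resource: "http://banners.example/b.gif", cookie: "uid=7f3a" },
  { page: "http://site-b.example/news.html", resource: "http://banners.example/b.gif", cookie: "uid=7f3a" },
  { page: "http://site-c.example/", resource: "http://stats.example/1x1.gif", cookie: "" },
  { page: "http://site-c.example/", resource: "http://banners.example/b.gif", cookie: "uid=90cc" },
];

// Report every outside host that received the same cookie from pages on
// two or more different sites.
function findCrossSiteCookies(requests) {
  const seen = new Map(); // host -> Map(cookie -> Set of page hosts)
  for (const { page, resource, cookie } of requests) {
    const pageHost = new URL(page).hostname;
    const resourceHost = new URL(resource).hostname;
    // Simplification: "outside" means a different hostname.
    if (resourceHost === pageHost || !cookie) continue;
    if (!seen.has(resourceHost)) seen.set(resourceHost, new Map());
    const byCookie = seen.get(resourceHost);
    if (!byCookie.has(cookie)) byCookie.set(cookie, new Set());
    byCookie.get(cookie).add(pageHost);
  }
  const findings = [];
  for (const [host, byCookie] of seen) {
    for (const [cookie, sites] of byCookie) {
      if (sites.size > 1) findings.push({ host, cookie, sites: [...sites].sort() });
    }
  }
  return findings;
}

console.log(findCrossSiteCookies(observed));
```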

Some Things that Affect Cookies:

  1. People sometimes share computers.
  2. Some people use more than one computer.
  3. Some browsers are set to reject cookies.
  4. Cookies can be erased.

Still, using cookies is the most efficient method of remembering and tracking.

More Information:
A page with links to excellent documentation is at:

And if you want to get started right away with Perl CGI projects, links to a nice library of cookie subroutines.

Watch for Parts II and III of this series. They will show you how to use cookies for your site’s benefit.

“WillMaster Possibilities” ezine