The Third State

We like to think of the world in terms of black and white, good and bad. Unfortunately, reality tends to be less simple. This applies even to things like computers. If you've dabbled in digital electronics, you know that many of the circuits making up a binary (two-state) computer have three states: on, off, and high impedance.

The third state frequently shows up in systems that we think are binary. For example, a binary variable in programming has three states: true, false, and not initialized. That is, if you're using a language that lets you have uninitialized variables.

Cookies

Nowhere is the oversight of the third state as obvious as in HTML cookies. Web site designers have embraced cookies as a way of keeping track of user sessions, something that's moderately hard to do with a stateless protocol like HTTP. The problem for the designers is that some people insist on using cookies to quietly gather data about consumers, so browser makers have to give the users the option of disabling cookies.

True, the browser makers appear to make this as hard as possible, without actually making it impossible. This is not that surprising, since cookies were invented at Netscape. Both Netscape and Microsoft default to having cookies enabled, so the bulk of newbie web users are having all sorts of preferences gathered by the likes of doubleclick.net. Cookie control moves around in the preferences as the programs get more complicated. Most of all, cookie control is very limited. Much more limited than a user really needs.

As it stands, cookie control in the browsers has three states: accept all cookies, reject all cookies, and ask the user before accepting a cookie. Web site designers have just about got used to the first two, and ignore the third, the most logical alternative.

Setting the browser to ask you before accepting a cookie makes most sense, given that the browser manufacturers don't allow you to automate cookie handling. Obviously, if you're at all concerned about privacy, you wouldn't set the browser to accept all cookies. Equally obviously, there are times when you want to use cookies, for example to store user details and accelerate access to a trusted site, so you can't just disable all cookie use.

The problem with using the third state, that of having the browser ask you before storing a cookie on your machine is twofold. First, the browser may not make the decision easy: Microsoft hides the confusing details about the cookie from the poor, naive user, so deciding whether a cookie is acceptable takes multiple mouse clicks. And the default is to accept the cookie, regardless of your usual response. But the big problem is the web site. Beginning web site designers embrace the cookie, intermediate designers learn to test with cookies disabled, but very few test against the third state.

Consequently, if you do set your browser to the third state, you'll find sites that slew cookies at you like a cross between a mutant cookie dough mixer and a machine gun. No sooner have you refused one cookie, than they send you another. And another. Some sites expect you to decide on twenty or more cookies. Just to view one page. Why anyone needs to use so many cookies is never explained.

Not Interested

Another interesting development is the little store that couldn't. These are web sites that are so badly written, they don't work unless you enable cookies. If you refuse to accept their cookies, they route you to a page which complains that you have cookies disabled, and sometimes helpfully explains how to set your browser back to the factory default state, as if you hadn't decided to make it more secure.

In other words, these businesses have the attitude that if you won't enable cookies, they don't want your business. Not interested. Period. This is kind of like the "no shirt, no shoes, no service" policy you sometimes see in restaurants and convenience stores, except it's more like having to agree to random drug testing to shop there.

This is just poor site design. This is one of the few areas where I disagree with Vince Emery, who encourages the use of cookies for performance reasons. I much prefer using hidden fields or encoding the session number in the URL.

One of the tell-tale signs that the web site designer didn't give much thought to anything but the first state is the poor appearance of the "enable cookies or you're out of here" page. (The other is using cute names like "peanutbutter" for the cookies, which is probably why Microsoft doesn't show them to you anymore. After all, it looks so-o-o professional.) These pages often look like an afterthought, like a "Hey, Joe, I tried the site with cookies disabled and all I got was a blank screen!" They're just a little bit of HTML, often lacking even the company insignia. That's good. Maybe the customer you just lost will forget who was refusing to do business with them.

More importantly, all these pages seem to be missing out on the opportunity for companies to determine if their cookie policy is harming their business. At best, they just tell you how to turn cookies back on. Since they don't know about the third state, they assume that if they're not succeeding in setting cookies, you must have turned them off, and not be deciding, cookie-by-cookie, if the thing gives you any benefit. How are these companies determining how many of the cookie averse visitors never come back? Well, a simple approach is just to ask. Argos, a UK catalog retailer does this. Actually, they have a weird site which works with and without cookies, but they insist on trying to get you to turn them on anyway. If you put a link on the page to allow visitors to continue their journey, you could look at your logs and determine how many follow that link.

If You're So Clever?

What would I do? I'd like to see browsers with more options for cookie handling. I'd really like to see browsers with plug-ins to handle cookies, so you can choose from an open marketplace the cookie handling that suits you best. I'd go for a program that accepted session-duration cookies as long as they're sent back to the originating server, and asked for all the rest. I'd also like a program that complained to the site's webmaster if they asked it to accept more than a user-defined number of cookies when loading a single page. So, Netscape, maybe you'd better make those plug-ins daisy-chainable.

I'd also like to encourage you, if you're a web site designer, to avoid using cookies. You don't need them, and they complicate testing. Think about it, if a user can accept or reject each individual cookie, and your web page throws ten at them, there are over a thousand different paths through web page loading that you need to test.