Saturday, April 03, 2004

Walgreens has bad web application designers running its site. For some foolish reason, they store your search parameters in a cookie instead of embedding them in URLs or forms. Even though it is obvious why that is a terrible idea, I'm going to list the reasons anyway:

  • Not everyone has cookies enabled - So if you don't have cookies, don't bother using the site.
  • Cookies are global throughout a browser; i.e., set it for one window/tab, and it's set for all of them - As a result, you can't have two different searches in two different windows at once. If you try, your second search will blow away your first search.
  • Cookies are per-machine - You can't send someone else a page of search results; you have to send them instructions: "Go to the Walgreens website and search for 'loratadine.'" That's ridiculous.
To the extent that it is possible, store the parameters of a page in the page. Generally, you should make the next/previous navigators be simple links with a parameter indicating whether you want results 1-10 or 31-40. It's acceptable to make next/previous navigators be form submission buttons with the forms populated with hidden form elements indicating the same, but only if you want to make it hard to link to your results (there are legitimate reasons for this). Page state should be stored in the page. Application state can be stored in cookies, but even then, 95% of the time, you're better off using your web application platform's session handler and putting it there. Cookies are useful primarily as a convenience measure (like saving logins from session to session, or saving preferences if you don't require a login, like Google does) and as a security enhancement, when you want to make sure that the application state is non-portable. That's of limited utility, though, since you can embed a client IP in a session to make sure that a user can't hijack another user's session. Hijacking then remains possible only when the client IP is the same for both victim and attacker, such as behind a proxy or IP masquerading. Phew. That was fun.
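As an added example (not code from the original post), here is a small Python sketch of the approach above: the search term and result offset live in the URL, so results are linkable and each window is independent, while application state sits server-side in a session whose id is bound to the client IP. The `/search` path, the `q`/`start` parameter names and the IP addresses are assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

PAGE_SIZE = 10


def parse_results_request(url):
    """Recover the page state from the URL itself; no cookie is consulted."""
    qs = parse_qs(urlparse(url).query)
    q = qs.get("q", [""])[0].strip()
    try:
        start = int(qs.get("start", ["1"])[0])
    except ValueError:
        start = 1            # garbage offset: fall back to the first page
    start = max(1, start)    # reject zero/negative offsets
    return q, start, start + PAGE_SIZE - 1


def nav_links(path, q, start, total):
    """Build plain next/previous links that carry the full search state."""
    links = {}
    if start > 1:
        links["prev"] = path + "?" + urlencode({"q": q, "start": max(1, start - PAGE_SIZE)})
    if start + PAGE_SIZE <= total:
        links["next"] = path + "?" + urlencode({"q": q, "start": start + PAGE_SIZE})
    return links


# Application state: server-side session store keyed by an unguessable id.
# The id is what goes in the cookie; the state never leaves the server.
_sessions = {}


def new_session(client_ip, state):
    sid = secrets.token_hex(16)
    _sessions[sid] = {"ip": client_ip, "state": state}
    return sid


def load_session(sid, client_ip):
    """Return the stored state only if the id is presented from the same IP."""
    s = _sessions.get(sid)
    if s is None or s["ip"] != client_ip:
        return None          # unknown id, or a copied id used elsewhere
    return s["state"]
```

Note that two clients sharing one address (the proxy case in the text) would pass the IP check, which is exactly the limitation the post describes.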

( web )