The world wide web allows programs like your web browser to request files (such as web pages and images) from web servers without having to log in. This anonymous access is a fantastic idea because it makes retrieving information on servers all over the world very quick and easy.
However, the other side of this is that there is no way for a web server to tell if two requests are coming from the same place. That means that a site cannot remember anything for you such as preferences or pages you have already viewed and cannot keep track of things like shopping baskets.
In an ideal world the server should be able to remember you from one request to the next so that it can behave in a consistent manner, without needing you, the visitor, to provide any information.
The solution is a "cookie". A cookie is simply a serial number that the server generates and passes back with a web page. When your web browser asks for another page, it also passes the cookie back and the server will know that this is the same browser that asked for the previous page. Web browsers only ever pass a cookie back to the web site that gave them the cookie in the first place.
So all a cookie does is allow a web server to know that several page requests all came from the same web browser.
Sometimes a site will use one cookie to remember lots of things it is doing for you and sometimes it will use several different cookies to remember different things.
One reason cookies could present a risk is if they hold information that has any meaning. For instance, if a web site wants to remember some personal information like your credit card number, it should hold the number securely on the web server and pass a serial number back to you as a cookie. When your web browser returns to the site, it passes in the "meaningless" cookie and the web server can use this to look up your saved credit card number.
If, however, the web server put your credit card number in the cookie, then the number might be passed across the internet in an unencrypted format. It would also sit on your computer's hard disk, where it could be "discovered" by malicious programs on your computer.
Almost all web pages these days have parts that come from different web servers. Things such as banner adverts or web stat counters often do not come from the same server as the main page. When things like banners are served on different sites, the banner supplier is able to use their cookie to detect that the same user has visited several different sites. It does not enable them to tell who that visitor was, but it does potentially allow them to follow the paper trail of sites visited.
Since cookies are used to hold state information for a user at the server and since part of the state that is being tracked could be "logged-in" status, the cookie becomes a sort of pass key. If a malicious party got hold of the cookie then they could use it to access private information. This risk can be minimised by creating a new cookie for each session which would render the old cookie value useless as soon as the user logs out.
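The pattern described above, as an added example (not this site's own code): the cookie carries only a random identifier, the data stays in a server-side store, and the identifier is replaced at sign-in and forgotten at sign-out. The SessionStore class, the EXAMPLE_SESSION cookie name and the sample values are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

class SessionStore:
    """Hypothetical server-side store: the cookie holds a random ID, never the data."""
    def __init__(self):
        self._sessions = {}  # session ID -> data kept on the server

    def create(self, data):
        sid = secrets.token_urlsafe(32)  # unguessable and carries no meaning
        self._sessions[sid] = dict(data)
        return sid

    def lookup(self, sid):
        # Unknown or revoked IDs give None; the caller treats that as signed out.
        return self._sessions.get(sid)

    def login(self, old_sid, user):
        # Issue a fresh ID at sign-in and drop the one used before it.
        data = self._sessions.pop(old_sid, {})
        data["user"] = user
        return self.create(data)

    def logout(self, sid):
        # Forget the ID so a copied cookie value is useless afterwards.
        self._sessions.pop(sid, None)

def set_cookie_header(name, sid):
    """Build the Set-Cookie value for a temporary (browser-session) cookie."""
    cookie = SimpleCookie()
    cookie[name] = sid
    cookie[name]["path"] = "/"
    cookie[name]["secure"] = True    # only sent over HTTPS, not in clear text
    cookie[name]["httponly"] = True  # not readable by scripts running in the page
    return cookie[name].OutputString()

def demo():
    store = SessionStore()
    anon = store.create({"filter": "cafes"})           # constructed sample data
    sid = store.login(anon, "alice")                    # new ID replaces the old one
    store.lookup(sid)["card"] = "4111 1111 1111 1111"   # constructed test number
    header = set_cookie_header("EXAMPLE_SESSION", sid)
    copied = sid                                        # a copy of the cookie value
    store.logout(sid)
    return header, store.lookup(anon), store.lookup(copied)
```

No Expires or Max-Age attribute is set, so the browser treats the cookie as temporary and discards it when it quits.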
Like everything in life there are risks, but some sensible basic steps will make use of cookies pretty harmless. Cookies in themselves do not make you vulnerable. At worst they can only expose data that you have provided to a site.
If a site has demonstrated that they are handling cookies and security responsibly then there should be no reason to worry about those cookies. Also, if you are not providing personal information to a site then accepting their cookies will not open you to undue risk.
Most web browsers have an option to allow you to "refuse cookies that are issued from sites other than the main page" or "only accept cookies from sites you navigate to" which will prevent banner ads and other elements from other sites from leaving cookies which could allow any cross site profiling.
Where cookies are used for secure sessions such as when you use on-line banking, it is a good idea to ensure you use their log out link so the web server knows you are finished and then to quit your browser so that the browser will dispose of any temporary cookies.
With these measures, one should not have to worry unduly about security and privacy risks associated with cookies.
When connecting to bristolstreets.co.uk a cookie called BST_SESSION is created which tracks the current session. This is a temporary cookie and is deleted by your browser when you quit the browser. It is used to maintain the current state such as filter settings and which layer is being displayed to create the normal site user experience.
Bristolstreets.co.uk also creates a cookie called BST_BROWSER which is a cookie that remains in the browser for six months after accessing the site. It is renewed each time you visit the site with the same browser. This allows the site to identify a visitor returning from the same browser. This is done so that the list of markers visited and preferences for filters can be preserved from one session to another automatically without requiring a user registration.
Bristolstreets.co.uk also creates a cookie called BST_LOGGED_IN which simply holds a value to indicate whether you are signed in or not. If your session on the server has timed out (i.e. you have not accessed the site for fifteen minutes or so since signing in) the site can use this cookie in conjunction with the others to automatically keep you logged in when it starts a new session. To you this just means you do not get an annoying "Your session has timed out" message.
To help analyse trends in visitors statistically, two web statistics services are used. The first is statcounter.com to analyse traffic to the site. Statcounter has a clearly stated privacy policy and leaves three cookies to track session and unique visitors.
The second statistics service is Google Analytics which creates a couple of cookies beginning with the string "_utm" which are first party cookies. This means they are created in connection with the Bristolstreets.co.uk domain. We trust Google and hope you do too.
Eventually one of these stat counters will be removed but at the moment it is hard to tell which one is more useful.