From: "Yanni" <jon@aggroup.com>
Date: Mon, 1 Jul 1996 15:46:45 +0800
To: Eric Murray <scott_wyant@loop.com
Subject: Re: [Fwd: Doubleclick]
Message-ID: <9606301243.AA03585@jon.clearink.com>
MIME-Version: 1.0
Content-Type: text/plain


> [short-attention-span summary:  someone's using Netscape cookies as a
> way to target-market browser users.  Since I hate being targeted, I
> came up with a hack "fix" to prevent it, see below]

Whatever.

> > >Date:    Wed, 26 Jun 1996 19:42:00 -0700
> > >From:    Scott Wyant <scott_wyant@loop.com> Subject: COMMENT:
> > >Cookie dough
> > >
> > >If you're like me, you never went to a site called "doubleclick."
> > >So how did they give you a cookie?  After all, the idea of the
> > >cookie, according to the specs published by Netscape, is to make a
> > >more efficient connection between the server the delivers the
> > >cookie and the client machine which receives it.
> > >But we have never connected to "doubleclick."

Scott must have. Navigator is very picky about where a cookie comes
from and what is put in the domain field of the cookie.

Go read about the domain field in the Cookie spec. Then, write a CGI
to play with setting/deleting cookies yourself. You will find out that
it is actually almost an art to even get a cookie set.

> > >Pay special attention to the information at:
> > ><www.doubleclick.net/advertising/howads.htm>

Maybe this scott wyant guy works for doubleclick? ;)

> > >You'll see that the folks at "doubleclick" make the point that
> > >this entire transaction (between their server and your machine)
> > >is "transparent to the user."  In plain English, that means
> > >you'll never know what hit you.

No sh*t. The cookie spec says that as well.

> > >So what's happening is, subscribers to the doubleclick service put
> > >a "cookie request" on their home page FOR THE DOUBLECLICK COOKIE.

There is no such thing as a "cookie request". It is up to the browser
to send the cookie and up to you to parse it out of the HTTP header.
There is no way that the browser is going to send the cookie unless
the domain and path matches. Go read the Cookie spec.

> > >When you hit such a site, it requests the cookie and take a look to
> > >see who you are, and any other information in your cookie file.
> > >It then sends a request to "doubleclick" with your ID, requesting
> > >all available marketing information about you.  (They're very coy
> > >about where this information comes from, but it seems clear that
> > >at least some of it comes from your record of hitting
> > >"doubleclick" enabled sites.)  You then receive specially
> > >targetted marketing banners from the site.  In other words, if
> > >Helmut Newton and I log on to the same site at the exact same
> > >time, I'll see ads for wetsuits and basketballs, and Helmut will
> > >see ads for cameras.

Whatever. What are you saying doesn't make any sense if you knew what
the heck you were talking about.

> > >If you log in to a "doubleclick" enabled site, and it sends a
> > >request for your "doubleclick" cookie, and you don't have one, why
> > >each and every one of those sites will hand you a "doubleclick"
> > >cookie.

Whatever.

> > >Neat, huh?  And you can bet they're going to be rolling in the
> > >cookie dough.
> > >Me, I edit my cookie file each and every time I go to a new
> > >site.  (Despite the dire warning at the top of the file, you can
> > >edit it with no adverse consequences.)

Whatever.

> > >Oh, and one other thing.  If you edit your cookie file BEFORE
> > >you connect to "doubleclick," and then jump around at the site,
> > >you'll notice that they DON'T hand you a cookie.  I probed the
> > >site pretty carefully, checking the MagiCookie file, and
> > >nothing happened.
> > >
> > >Until I closed Netscape.  The LAST thing the 'doubleclick" site did
> > >was....
> > >You guesed it.  They handed me a cookie.  So much for making
> > >the client-server negotiation more efficient.  (In fairness,
> > >that cookie may have been in memory until I closed Netscape -- I
> > >can't tell for sure.) Scott Wyant
> > >Spinoza Ltd.

No duh. Navigator doesn't fflush() the cookie file until you quit. It
keeps it in memory for speed.

> My own experiments shows that simply removing the cookie file (~/.
> netscape/cookies) works to "fix" this, as long as you don't have
> old netscape config files lying about (then it pops a dialog asking if
> you want to nuke the old config, and uses the old cookies file).
> Netscape (version 3.0b for Linux) doesn't recreate the cookies file.
> Of course this "fix" means that I'm not able to take advantage of
> whatever cookies might offer me, but since I can't control them and
> never see them there's probably not a lot that they do that I'll miss.

Who cares if you can't control them? They don't contain any
information that you don't already know about!

> I think that Netscape should add a configuration to the browser so
> that paranoid privacy fanatics like me can disable cookies or better
> yet control which ones that we'll accept.

Navigator 3.0 has a preference.

-jon (who has had more than enough real world experience with cookies)

Jon (no h) S. Stevens        yanni@clearink.com
ClearInk WebMagus      http://www.clearink.com/
finger pgp@sparc.clearink.com for pgp pub key
We are hiring! Check out...
http://www.clearink.com/clearink/home/job.html