Q: What is Microsoft Internet Explorer's cookie filtering feature?
Thanks to cookie filtering, Internet Explorer (IE) lets users manage and control the cookies it downloads to its file system cache -- that is, the Temporary Internet Files folder. Even though cookie filtering is a security feature that allows IE users to have a more secure web browsing experience, the filtering and blocking of cookies can also have negative side effects on the usability of certain websites. Some sites can become unusable if they aren't allowed to set cookies. This problem is a good illustration of the classic dilemma of enforcing privacy and security versus enabling usability and access.
To better understand how IE filters cookies and how a user can influence the filtering behavior, you must understand the different cookie types a browser deals with. Browsers have to deal with persistent and session cookies, and first-party and third-party cookies.
- A session cookie is a cookie that's deleted from the IE cookie cache when IE is closed; a persistent cookie can survive multiple browsing sessions: it's deleted only when the cookie reaches its predefined expiration time or when you explicitly delete it. To clear all cookies from the IE cookie cache, go to Tools, Internet Options, then click Delete in the Browsing History section on the General tab; on the Delete Browsing History dialog box, select the Cookies option.
- A first-party cookie is a cookie that's set with the same domain (or subdomain) as the one that appears in your browser's address bar. A first-party cookie is created after you type a website's URL in the browser address bar or open a URL through a bookmark or search link. A third-party cookie, on the other hand, is a cookie that's set with a domain different from the one shown in your browser's address bar. A third-party cookie isn't created by the website you intentionally navigate to, but by a website that's linked to, for example, an advertisement, image, or icon that appears on a webpage.
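The two distinctions above, shown as an added example (not from the original article, and not IE's actual implementation): a simplified classifier that labels a Set-Cookie header as session or persistent and as first-party or third-party, following the definitions in the list. The host names and cookie values are constructed, and the domain comparison is an assumption that ignores public-suffix handling.

```javascript
// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = (pair || "").indexOf("=");
  if (eq < 1) return null; // empty header or missing cookie name: malformed
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// True when `host` equals `domain` or is a subdomain of it (match on a label boundary).
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// responseHost: host that sent the header; addressBarHost: host the user navigated to.
function classifyCookie(header, responseHost, addressBarHost) {
  const c = parseSetCookie(header);
  if (!c) return null;
  // Effective domain: the Domain attribute (leading dot ignored), else the sending host.
  const attr = typeof c.attrs.domain === "string" ? c.attrs.domain.replace(/^\./, "") : "";
  const domain = (attr || responseHost).toLowerCase();
  const top = addressBarHost.toLowerCase();
  // Simplification: same domain, or one is a subdomain of the other.
  const first = domainMatches(domain, top) || domainMatches(top, domain);
  // An expiry attribute makes the cookie persistent; without one it ends with the session.
  const persistent = "expires" in c.attrs || "max-age" in c.attrs;
  return {
    name: c.name,
    domain,
    party: first ? "first-party" : "third-party",
    lifetime: persistent ? "persistent" : "session",
  };
}

// Constructed sample: the user browses www.example.com, which embeds an image
// served from ads.tracker.example.
const SAMPLES = [
  ["sid=abc123; Path=/; HttpOnly", "www.example.com"],
  ["prefs=dark; Domain=example.com; Max-Age=31536000", "www.example.com"],
  ["uid=42; Domain=.tracker.example; Expires=Wed, 21 Oct 2026 07:28:00 GMT", "ads.tracker.example"],
];
for (const [header, from] of SAMPLES) {
  console.log(classifyCookie(header, from, "www.example.com"));
}
```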
Users can express their cookie-filtering preferences in IE based on the cookie type and based on the URL of the website that creates or sets a cookie on the user machine. You set your cookie-filtering preferences from the Privacy tab in IE's Internet Options dialog box, which Figure 2 shows.
Figure 2: The Privacy tab of IE's Internet Options dialog box
The IE cookie-filtering settings you set from the Internet Options dialog box apply only to the cookies generated by websites that are classified in the Internet security zone. By default, the IE P3P agent accepts all cookies from websites that are classified in the Local Intranet, Trusted Sites, and Local Machine security zones and blocks all cookies of websites that are classified in the Restricted Sites security zone.
To override the IE default cookie-filtering behavior that's set with the slide bar illustrated in Figure 2 and to, for example, accept or block all third-party cookies, you can use Advanced Privacy Settings, which Figure 3 illustrates.
Figure 3: Setting cookie-handling options on the Advanced Privacy Settings dialog box
You access these settings by clicking the Advanced button on the Privacy tab. Note that Advanced Privacy Settings has a prompt option for handling cookies: If you enable this option, IE prompts you with a Privacy Alert each time a cookie is about to be downloaded to your machine. From the Privacy Alert dialog box, which Figure 4 shows, you can allow or block the cookie and view the cookie's properties and content. To view the properties and content, click the More Info button, which expands the Privacy Alert dialog box, as the right part of Figure 4 shows.
I advise you to enable the prompt option, at least for a short time, simply to experience how often websites attempt to write cookies to your machine and to see the cookie properties.
You can also override the default IE cookie filtering by exempting certain websites. This exception means that you can always allow or block cookies written by certain websites, independent of the default cookie-filtering behavior that you set on the Privacy tab. To set up exceptions, click the Sites button on the Privacy tab to open the Per Site Privacy Actions dialog box. The site exceptions you define here are overridden if the default cookie-filtering behavior (i.e., the one you set by using the slide bar) is set to either Block All Cookies or Accept All Cookies.
In Windows domain environments, administrators can also centrally enforce the IE cookie-filtering behavior on their users' desktops. To do so, use the following Group Policy Object (GPO) setting: User Configuration\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings. You can learn more about managing IE through Group Policy from Darren Mar-Elia's article "Managing Internet Explorer with Group Policy."