Cookie comment policy (& Bots loaded for bear.)

First: Thanks Paul K for the very interesting post! Second: We had out-of-state family visitors. (Jim’s cousin and her husband, Ruth and Tim Casteen from Virginia.) Third: I am announcing a new comment policy I began testing this morning. If it causes no problems, it will become permanent. The policy is:

To comment, your browser must accept a cookie from my domain.

You do not need to accept 3rd-party cookies. You can limit cookie acceptance to those that expire when your browser session ends. In fact, for now, you can limit accepting cookies to the one named ‘zbb_1’. (WordPress does set some other cookies, as do Cloudflare and Bad Behavior. You are not required to accept those to comment.)

The motivation for my policy that requires you to eat the force-fed ‘zbb_1’ cookie is as follows:

Examining Bad Behavior logs, I noticed that quite a few bots present cookies. However, the cookies they present are spoofed. That is: they were not set by my domain. For example, the bots present me with cookies with names like ‘blogger_TID’, ‘ASPX’ or ‘vbseo’. I’m guessing, but I suspect the first is a cookie name that Blogger looks at to pre-fill comment forms, the second is set by something running an active server page, and ‘vbseo’ is set by something running Visual Basic that for some reason sets a “search engine optimization” cookie. Other cookies have names that suggest the bot is trying to pre-fill a shopping cart.

One thing I know: I (that is, my domain) didn’t set these. Given the conventions regarding cookie exchanges, that means the bot shouldn’t be presenting these back to me.

Some of these bots present hundreds of pointless cookies that no real, honest-to-goodness visitor would be putting on the ‘plate’ they hand to me.

Seeing this, I want to come up with a strategy to catch these in ZB Block and then ban their IPs at Cloudflare. I came up with three strategies:

  1. If the request presents me an obviously ‘bad’ cookie name (e.g. ‘blogger_TID’) I block that in ZB Block.
  2. If the request presents me with more than 30 cookies, I block that in ZB Block.
  3. If the request presents cookies, but does not accept the cookies I set, I will block that request in ZB Block.

I’ve implemented the first two.

The third is a potentially very powerful method of catching script-kiddie bots programmed to present cookies they think will permit them to comment, but not programmed to take requests to set any cookies. (This would be very weird behavior for a browser.)

However, because I’m uncertain about the reliability of cookie setting and unsetting commands, I don’t want to turn on the third method until after I “see” what happens if I start blocking some things that don’t accept cookies. So, in that light, today I’m forcing commenters to accept cookies (and watching my logs). As I said, if there are no big problems, I’ll continue with that policy.
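The three rules above, as an added example in Python (not code from the post, from ZB Block or from WordPress): it parses a raw Cookie request header and reports which rule, if any, would block the request, using the cookie names and the 30-cookie threshold the post gives. The sample headers are constructed, and the rule-3 check assumes ‘zbb_1’ is the only marker of a browser that accepted the site’s cookie.

```python
"""Cookie heuristics for comment-spam bots (added example, not the post's code)."""
from typing import List, Optional, Tuple

# Cookie names the post saw only from bots; this site never sets them.
BAD_COOKIE_NAMES = frozenset({"blogger_TID", "ASPX", "vbseo"})
MAX_COOKIES = 30        # rule 2: more than this many cookies is a bot
OUR_COOKIE = "zbb_1"    # rule 3: the cookie the site sets and expects back


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a raw 'Cookie:' header into (name, value) pairs.

    Kept as a list, not a dict, so repeated names still count toward
    rule 2. Junk parts without '=' get an empty value instead of an error."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.strip(), value.strip()))
    return pairs


def classify(header: str) -> Optional[str]:
    """Return the rule that blocks this request, or None to allow it."""
    cookies = parse_cookie_header(header)
    names = [name for name, _ in cookies]
    bad = sorted(BAD_COOKIE_NAMES.intersection(names))
    if bad:
        return f"rule1:bad-name:{bad[0]}"
    if len(cookies) > MAX_COOKIES:
        return f"rule2:too-many:{len(cookies)}"
    # Rule 3 only fires when cookies are presented: a cookie-less first
    # visit must pass so the browser can be handed zbb_1 at all.
    # Caveat: if zbb_1 is session-scoped but another site cookie persists,
    # a returning human with an expired zbb_1 would trip this rule.
    if cookies and OUR_COOKIE not in names:
        return "rule3:ignores-our-cookie"
    return None


# Constructed request headers standing in for Bad Behavior log entries.
SAMPLES = {
    "browser_first_visit": "",
    "browser_returning": "zbb_1=1700000000; wordpress_test_cookie=WP+Cookie+check",
    "bot_spoofed": "blogger_TID=abc; PHPSESSID=xyz",
    "bot_flood": "; ".join(f"cart_item_{i}=1" for i in range(40)),
    "bot_no_set": "forum_session=deadbeef; last_visit=1",
}


def run_samples() -> dict:
    """Classify every constructed sample; the verdicts drive the demo below."""
    return {label: classify(header) for label, header in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:20s} -> {verdict or 'allow'}")
```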

BTW: Thanks BillC for being the first guinea pig. He was caught within a few minutes of my adding the block requiring people to accept cookies.

17 thoughts on “Cookie comment policy (& Bots loaded for bear.)”

  1. I wonder if you could also perform a public service with your new policy (or even monetize it)? Perhaps you could alert users that their computer has been hijacked by presenting a detailed explanation of what is presented at time of comment submission…

  2. Hi Lucia! This is just a test (for me) whether upon clicking “Submit!”, you would provide something I could click on that would tell my browser to accept your “zbb_1” cookie. If not, what do I do to accept it? [As should be obvious, I know very little about computers.]

  3. Lucia,

    If you’re going to force me to eat cookies… can you at least make them choc-chip cookies. 😛

  4. Leigh– Your browser accepted the cookie. 🙂

    For what it’s worth, most browsers accept cookies by default. But some people get all worked up about privacy, find the various settings and set the browser to not accept cookies. If they did this themselves, they know how to fiddle to accept the cookies from my blog.

    The only real difficulty arises when someone has a kid or spouse who is all worked up about privacy, sets the privacy settings to not accept any cookies. In that case, the kid or spouse knows about the cookie settings, but the person who has trouble doesn’t. (These people sometimes write me because they want to create a sock or dog sweater knitting pattern at one of my blogs and…. It can be very difficult to get them to understand when communication is by email!)

    BTW: There can be good reasons to limit the number of cookies you accept. I would advise you learn how to refuse 3rd party cookies. If you use firefox I can tell you how to do that. Otherwise, tell us what browser you use and someone else can explain.

    Skeptical– I could have called it chocolate chip! 🙂

  5. Does my browser work – through a corporate firewall? If this post is accepted, will I know?

    yay! it did.

  6. BTW:

    Everything you didn’t want to know about browser privacy and cookies.
    http://en.wikipedia.org/wiki/HTTP_cookie

    I did a search and no occurrence of ‘climate’ and but one non-climate use of the word ‘global’. And no reference to the thread density of fabric either. So it may be reliable.

  7. Earl
    With respect to my cookie, this made me chuckle:

    The security of an authentication cookie generally depends on the security of the issuing website and the user’s web browser. If not implemented correctly, a cookie’s data can be intercepted by a hacker to gain unapproved access to the user’s data and possibly to the originating website.[5]

    If something intercepted the cookie I’m looking at, it would learn what time it is.

  8. He stands at the free throw line. He dribbles the ball. He stops, takes a good off hand grip, slowly lifts his arms to throw, leans forward while rising to his full height, releases the ball and… watches as it sails through the air and gains height as it nears the basket, without thinking he holds his breath as it nears the rim and…

  9. Yeah, but who would want a recipe based on probability and error bars?

    The Google ranking system puts Nestle Toll House cookies on top in her post’s link, but I get a different result from Canada Google search (weird eh).

    However, it’s the first time I’ve come across a Google with recipe view link (in the post) with the check bar options Google has on the left. I am very curious to try chocolate chip, walnut, no pecans, no raisins, pumpkin cookies.

    http://www.google.com/search?aq=f&gcx=c&ix=c2&sourceid=chrome&ie=UTF-8&q=chocolate+chip+cookie+recipe
