
Love & Hate: HTTP Cookies

Posted August 13th, 2009 at 00:44 CST in Uncategorized

Ever since I understood what HTTP cookies were I’ve hated them. I do not like websites saving content on my computer without my explicit approval, and I feel there should be alternative methods of storing persistent client data. From the start, cookies have posed security issues: a cookie sent over plain HTTP travels in cleartext in the Cookie header of every request, so it is fairly trivial (from my perspective) for anyone who can sniff the traffic to copy someone else’s cookie and replay it as their own.

Nowadays a site can mark a cookie Secure so that the browser only sends it over SSL, but nothing forces a site to do so: a cookie set over an HTTPS connection without that attribute is still a plain HTTP cookie, and the browser will happily send it in the clear the moment it is pointed at an http:// URL on the same host. Of course, because cookies are stored on the client and exposed to page script through document.cookie, an attacker who can inject malicious JavaScript into the site (cross-site scripting) can read them and ship them off elsewhere, unless the cookie is also marked HttpOnly, which hides it from script.

Some have proposed alternative methods of storing persistent client data without cookies: hidden form fields, clever URLs that carry a token as part of a REST query, embedding a Flash object, or even using a hidden iframe and writing Ajax response text into it. But I feel all of these proposed solutions only raise more issues. Hidden fields survive only as long as the user keeps submitting forms, tokens in URLs leak through bookmarks, browser history and the Referer header, and Flash and iframe tricks just move the same storage problem into a less transparent corner of the browser.

Left with no better alternative, I have chosen to embrace cookies when necessary and to avoid them whenever I can get around it. The specific case of a shopping cart seems to have only one good solution: store an opaque, randomly generated session ID in a cookie and send that to the server, where the actual client data is kept. The cookie then carries nothing worth reading; its only value lies in the server-side record it points to, which is exactly why the ID has to be unguessable and why the cookie should be marked Secure and HttpOnly.
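The session-cookie approach described above, worked through as an added example (this is not code from the original post). It generates an opaque session ID from the OS random source, keeps the cart server-side, renders and audits the Set-Cookie header, and models, in simplified form, the two browser behaviours discussed earlier: a cookie without Secure is sent over http:// as well as https://, and a cookie without HttpOnly is visible to page script via document.cookie. The cookie name `sid` and the sample item `sku-123` are made up for the example.

```python
"""Session cookie hygiene, end to end (added example, not from the original post).

Models three things:
  * the server keeps the cart; the cookie carries only an opaque session ID
  * the Secure attribute decides whether a browser sends the cookie over http://
  * the HttpOnly attribute decides whether page script (document.cookie) can read it
The browser-side functions are a simplified model of what real browsers do.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False
    samesite: str = "Lax"


def format_set_cookie(c: Cookie) -> str:
    """Render a Set-Cookie header value using RFC 6265 attribute syntax."""
    parts = [f"{c.name}={c.value}", "Path=/", f"SameSite={c.samesite}"]
    if c.secure:
        parts.append("Secure")
    if c.httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value; attribute names are case-insensitive."""
    nv, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = nv.partition("=")
    c = Cookie(name=name, value=value)
    for a in attrs:
        k, _, v = a.partition("=")
        k = k.strip().lower()
        if k == "secure":
            c.secure = True
        elif k == "httponly":
            c.httponly = True
        elif k == "samesite":
            c.samesite = v.strip() or "Lax"
    return c


def audit_set_cookie(header: str) -> List[str]:
    """Return the weaknesses a reviewer would flag on a session cookie header."""
    c = parse_set_cookie(header)
    findings = []
    if not c.secure:
        findings.append("missing Secure: browser will also send it over plain http://")
    if not c.httponly:
        findings.append("missing HttpOnly: readable via document.cookie by injected script")
    if c.samesite.lower() == "none":
        findings.append("SameSite=None: sent on cross-site requests")
    return findings


class SessionStore:
    """Server-side session store: the cart lives here, not in the cookie."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self) -> str:
        # 32 bytes from the OS CSPRNG: unguessable, and the ID itself carries no data.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"cart": []}
        return sid

    def cart(self, sid: str) -> Optional[list]:
        s = self._sessions.get(sid)
        return None if s is None else s["cart"]


# --- simplified browser model -------------------------------------------------

def cookies_sent(jar: List[Cookie], scheme: str) -> List[str]:
    """Names of cookies a browser would attach to a request on the given scheme."""
    return [c.name for c in jar if scheme == "https" or not c.secure]


def document_cookie(jar: List[Cookie]) -> str:
    """What page script sees in document.cookie: HttpOnly cookies are hidden."""
    return "; ".join(f"{c.name}={c.value}" for c in jar if not c.httponly)


def demo() -> dict:
    store = SessionStore()
    sid = store.create()
    store.cart(sid).append("sku-123")          # constructed sample item
    weak = Cookie("sid", sid)                  # set over HTTPS but without Secure/HttpOnly
    hard = Cookie("sid", sid, secure=True, httponly=True)
    return {
        "weak_findings": audit_set_cookie(format_set_cookie(weak)),
        "hard_findings": audit_set_cookie(format_set_cookie(hard)),
        "weak_over_http": cookies_sent([weak], "http"),
        "hard_over_http": cookies_sent([hard], "http"),
        "weak_visible_to_script": document_cookie([weak]) != "",
        "hard_visible_to_script": document_cookie([hard]) != "",
        "cart": store.cart(sid),
        "unknown_sid_cart": store.cart("bogus"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the script shows the weak cookie flagged twice, leaking over http:// and readable from script, while the hardened one produces no findings, is withheld on http:// and is invisible to document.cookie; the cart itself never leaves the server, and an unknown session ID resolves to nothing.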

Approaching the problem from the user's side, though, anyone using a web browser can turn off automatic cookie acceptance, or simply reject third-party cookies, which is what I choose to do when I browse. So there it is: I also love HTTP cookies, because I enjoy using websites like Gmail that require them for their advanced features.