Nowadays a site can specify to use cookies over SSL, but even then, a site can choose not to and offer HTTP cookies over an HTTPS connection. Of course, because cookies do store data on the client and because of their implementation in browsers, a hacker might be able to steal cookie information using malicious Javascript.

Some have proposed alternative methods to using cookies to store persistent client data: hidden form fields, clever URLs passing tokens as REST queries, embedding a flash object, or even using a hidden iframe and writing ajax response text to it. But I feel like all of these proposed solutions only raise more issues.

So then left with no alternatives, I have chosen to embrace cookies when necessary and to not implement them whenever I can get around it. The specific case of having a shopping cart on a website seems to have only one good solution: storing a session ID in a cookie and send that to the server where the actual client data is stored.

Approaching the problem from a different perspective though, when a person uses a web browser, that person is given the option of turning off automatically accepting cookies, or even just rejecting third-party cookies—which I choose to do when I browse. So then there it is: I also love HTTP cookies because I enjoy using websites like Gmail which require cookies for advanced features.