Testers wanted: An audit tool to find out what cookies your site uses

Are you working to get your website compliant for the new EU Cookie Directive? Or just thinking about it?

Find out what cookies your site is using

The first step in achieving compliance with the new directive is to audit your cookies – find out what cookies you are using, and what they are doing.

5 mins of your time please

We’ve just released a very early version of a tool we’ve had built to help us audit our own cookies and those of our clients. We’d love to get your feedback. It’s pretty crude at the moment, but please have a play with it and then let us know in the comments below what would make you really want to use it. Thanks.

Game On? Get testing ›

(thanks in advance)

Sample Cookie Audit Report

49 thoughts on “Testers wanted: An audit tool to find out what cookies your site uses”

  1. Neil Ferguson says:

    Hi Tim. Just tested your cookie tool, very useful.
    Will keep a keen eye on the results you collect from the feedback on Google Analytics and whether it should be used.

    • Tim Barlow says:

      Hi Neil. I don’t think it will be a case of not being allowed to use Google Analytics but just a case of getting consent to use it. That of course is a big grey area – just how do you get consent? Are you seeking to get any websites ready for the directive?

      • Neil Ferguson says:

        Hi Tim. We have a number of websites that use GA so we are working on this also

        • Tim Barlow says:

          How do you think you will go about getting consent?

  2. Just tried running the report. Great idea. First suggestions — I think referring to ‘Unknown 1st Party’ might alarm some people. I think it would be good to add something to explain that all those ‘strictly necessary for the functioning of the site’ cookies will be grouped in here (judging from my test). I also think describing the totals as ‘cookies’ set can be a bit confusing. Some way of indicating that many of the cookies are set multiple times, eg once on every page viewed, would be helpful. Final request — provide a nice export file so that people can load it into Excel and add a column in which they can add their own explanation and level of intrusiveness.

    But my main reaction = “thank you”. Tim

    • Tim Barlow says:

      Hi Tim. Great feedback – thank you. The unknown first party are not necessarily “strictly necessary” but good idea to revise the wording. The numbers set is already causing brain strain as to how to manipulate the data to make it meaningful – will keep thinking. And yes, a nice export would be great and is high on the priority list.

  3. Tim Banks says:

    This is a great tool and just what I’ve been looking for. I notice that the tool doesn’t recognise the domain .google.co.uk ;)
    Keep up the good work!

    Tim

    .google.co.uk 3rd 4 You decide! sorry we don’t recognise this domain name. Please let us know if you know what it is, especially if it’s doing something wicked.

    • Tim Barlow says:

      Hi Tim

      We’ve got a lot of work to do still in identifying cookies/writing them up. I’m quite interested in your one though. Did you remove all your cookies/close windows before starting to use the tool and what was the site? Any info would be much appreciated.

      (judging by this thread it almost appears compulsory to be called Tim to be interested in cookies)

      • Tim Banks says:

        Hi Tim, Yes, clearly Tim is the cookie lover’s name of choice (sorry, Neil)… Yes, I did clear cookies and close windows before running the tool. Unfortunately, I had already cleared my cookies again this morning and done some more auditing before I got your reply. I can’t now find which site it was that set the cookie from .google.co.uk. I’ll let you know if it pops up again. Thanks again for your work on this tool – it’s proving to be invaluable as I’m in the process of auditing the 50+ sites that I manage in preparation for the EU directive. Like most other people, my head is firmly in the sand about Google Analytics as I’m assuming that far greater people than I will be tackling that one. Incidentally, I also see that Firefox developer tools has a useful feature that lets you block certain cookies, so you can see what breaks if they weren’t there. It’s a useful way of justifying whether certain cookies are ‘essential for the operation of the site’. Lynx also identifies cookies for you if you happen to be that (command line web browser) way inclined…

        • Tim Barlow says:

          Just a warning on the “essential” – just because the site breaks doesn’t mean that it would be defined as “essential” in the meaning that the ICO may interpret it as – I suspect. i.e. the features may not be 100% necessary to be able to provide the service you do. Used to make a shopping basket work – OK, used to add bells and whistles to your shopping cart, probably not OK.

          If you are running lots of sites, please send us the list of cookies that are unrecognised frequently so we can prioritise – would be really helpful.

  4. Guest says:

    I would like if I was able to use it for a site using SSL

  5. Hi Tim,
    I tried the plugin (is that what it’s called?) and followed the instructions, which was very easy, and it worked like it should, I guess, because it told me there were 92 cookies available, but from the report I don’t know if that’s good or bad. The report has a lot of information; maybe an annotation on whether the user should take action to comply with the new rules might make things clearer.

    The naughtiness figure of 3 for my page links to things like facebook twitter and flickr – what can I do about that? Do I need to do anything?

    As a self hosted WordPress user, I just go surfing for the plugins and widgets that give me the functionality I’m looking for, is that now not enough? Do I need to take steps to cleanse everything or do I need a landing page that announces the fact that as a visitor to my site you are about to get ‘data raped’

    I hope my feedback is useful :-)

    Les Brecknell
    Moviebar

    • Tim Barlow says:

      Seriously useful thank you.

      It’s called an “extension” but what does that matter between friends!

      So yes you have to do something, what is a little unclear at the moment but step one is to create a cookie information page. Our next major step with the tool is to make that an easy process.

      Do you need a data rape landing page? That depends how safe you want to be. Such an approach has a very high chance of being compliant but as you can see from our implementation we have taken a riskier approach with a view to using the defence of our cookies not being overly invasive (rather like yours).

      As to taking steps to cleanse things, I feel there is an idea in that – a WP plugin that allows the website owner to prevent plugins from placing cookies?!

  6. Ames says:

    I don’t seem to be able to save an electronic version of the report. Can you tell me what I need to do?

    • Tim Barlow says:

      Hi,
      Sorry for not getting back to you sooner. An easy way to save the report is something we want to have. In the meantime the work around is to print it as a pdf.

  7. Tom du Pré says:

    Great tool. Here’s what else I would like to see on it:
    - Show cookie-like objects as well as regular cookies. I’m talking about Flash “cookies” (Local shared objects), Silverlight cookies, PIEs, DOM Storage objects. Although these are not true “cookies” they serve the same purpose and are equally covered by the EU directive.
    - Saving the report as a .csv or similar would be excellent too!

  8. Chris says:

    Great tool, really useful.

    Although, I did a manual audit of my site and recorded 51 cookies but the report only showed 42. Is there an accuracy issue with the tool or does it ignore certain cookies?

    A good addition would be to include a data column to show the content of the cookie to give the user an idea of what the cookie is collecting.

    • Tim Barlow says:

      Hi Chris

      Thanks for taking the time to feedback. I would be really interested to see the discrepancies so if you could email tim at attacat dot co dot uk that would be really helpful.

      Re the data column, did you look at the complete log?

      Cheers

      Tim

      • Chriskimpson says:

        Thanks Tim, I’ll email the comparison

  9. Hi

    Useful free service thanks.

    Single biggest improvement would be more info about what each of the cookies does (and how ‘harmful’ it might be – I know you have the column but mostly it says ‘you decide’). On its own the following lines don’t tell me much:

    k_visit 13 365 days
    JSESSIONID 5 Date not set
    push_time_start 13 Date not set

    thanks, Martin

  10. Attacat Tim says:

    Hi Martin

    We are going to increase the number of cookies we provide info about but the one you mention is problematic – the true purpose of the cookie is hard to tell from the info we can get. In many cases there is no option but to sit down with your developer and work out what they do.

    Thanks for the feedback though – certainly we will look at what we could do to provide more explanation – even if it is just to arm the non-technical with intelligent questions to ask their developer.

  11. GeraintW says:

    Hi Tim, looking at your tool, a feature that would be useful is whether the Secure and httponly flags have been set and also the current value.

  12. Dan says:

    FYI, your plug found .search.keywordblocks.com and didn’t know what it is, it’s from media.net…a lame ad provider I am about to drop…

  13. Hazrd says:

    Can you add functionality that will allow showing a list of all unique cookie names? The full log is nice but most cookies on our site are just repeated on every page. What I really need is a unique list of all the names and I’d rather not have to go through the 16 page log to find them all. The list of 1st party cookies is nice but does not have all of them.

  14. Attacat Tim says:

    Hi Hazrd

    Interesting. The full list of uniques should be provided. Could you please send me details through our contact form. Cheers Tim

  15. Chris says:

    Hi,

    The tool identified a cookie coming from .shareaholic.com but doesn’t know what that is. Shareaholic is a WordPress plugin that lets you share posts on services like Twitter, FB, G+, Stumbleupon etc.

    Thing is, I can’t work out why it’s there! I deactivated that plugin and deleted the files but the cookie keeps coming back. More investigation required :)

    • Attacat Tim says:

      Hi Chris,

      Thanks for this. We will shortly be doing an update to our cookie database so will ensure this is added to the list. Always interested in other as yet unidentified cookies. Also interested to hear about how you get on with purging shareaholic cookies.

      Cheers

      Tim

  16. Brian says:

    To start with gites.eu is a website that advertises holiday lets throughout Europe. As I am registered with them and advertise my holiday let through them I have added their availability calendar as a widget on my site. So visitors to the website can see if the property is available. Pretty innocuous really and http://www.gites.eu is the same site, probably didn’t need to say that. But that is from what I can see the only way they got a cookie on my site.

    It would seem all the cookies on my site either come from Google Analytics, Google Adsense (I am assuming that is the Doubleclick cookie) or in fact the above mentioned Gites.eu.

    I wasn’t really sure what your 2nd column 1st? refers to and when I went to the detailed report the columns were all completely different anyway, so how do you relate the summary report to the detailed report?

    Might be me, but I think that the 2 reports should follow the same format for continuity, but I did like the fact the 2nd report actually told me what page(URL) the cookies were located on.

    That said no mention of Doubleclick, my worst offender, on the detailed report i.e. when I saw the page listings I thought aah now I can see what page Doubleclick is actually on. But unfortunately not, having Googled it however I found that Doubleclick was a Google acquisition. Now is that a double edged sword or not?

    Anyway hope my comments help and that I am not missing anything obvious.

    I really would like to conform to the directive on all my websites, but what I am thinking right now is that affiliate marketing is practically doomed unless I just go to standard text links on everything so that advertisers can’t sneak in unwanted cookies and an opt out on Google Analytics renders it completely useless due to incomplete information. Or is it just me?

    • Attacat Tim says:

      Hi Brian

      That’s really fantastic feedback, thank you! We will look at how we can improve the consistency between reports as part of the next release.

      Affiliate marketing is being really challenged by this directive – personally I feel any genuinely compliant solution for typical sites is likely to have a major impact on affiliate tracking (and as a result most sites will opt for a solution that isn’t compliant). It is something though that I’m going to be looking into the detail of in the coming weeks.

      Thanks again. Tim

    • Attacat Tim says:

      P.S. Brian – I meant to say that DoubleClick should have been picked up so I’ll have to look into that.

  17. Chris says:

    Any time, Tim. It turned out my site was serving up a cached page (I use it to reduce CPU load on dynamically generated pages). Once I had flushed the cache the shareaholic cookie disappeared.

  18. Brian says:

    Hi Tim, I did think it was a bit odd that DoubleClick was at the top of the summary report and not mentioned in the detailed report. I also forgot to say that the ShareThis widget also uses cookies, but then they do track visitors much the same as Analytics so no surprise really.

    You didn’t say what 2nd column ‘1st?’ refers to on the summary report, perhaps this is something I should know, but I am still scratching my head on what it means?

  19. Attacat Tim says:

    Hi Brian

    1st? refers to whether they are first (i.e. associated with your domain) or third party (associated with someone else’s domain) cookies.

    Some people (incorrectly) think 1st party cookies are exempt from the legislation so this is why we include it. Actually it is what the cookies are used for that is important so the column is academic really.

  20. Brian says:

    Ok thanks, I knew it was going to be something pretty obvious when I found out.

  21. Tom says:

    Hi there,

    Just tested the tool on a website for my band (site is about a year or so old, has been done quite shabbily and contains very out of date info!), and it seems useful.
    Just to let you know, one of the sites linked on our page that came up ‘unknown’ in the report is a site called Big Cartel. This is a website that allows people to set up online stores, through which people can buy products via paypal or, I believe, normal card payment. I’m not sure as to their ‘naughtiness’, but they seem ok to me.
    I was wondering though, all of the cookies picked up on my site were 3rd party, there did not appear to be any 1st party cookies. The 3rd included facebook, twitter and google… Does this pose a risk to me at all? I’m not sure whether the law dictates that I can be held responsible for cookies gained from sites that are linked on my own; in particular google, as this was via youtube videos embedded on the page. Any advice would be very much appreciated! Thanks for creating this tool and making it available.
    Tom

  22. Attacat Tim says:

    Hi Tom

    You are responsible for third party cookies so there is a risk. Assessing that risk though has to include deciding how likely it would be that the ICO would come after you first or the third parties. We do describe third party cookies in our privacy policy and take a view that we do need to get consent from our visitors. How we define what consent is though is where our approach may or may not be compliant.

    I don’t know much about Big Cartel and part of your audit may be to send a request to them asking what they use cookies for. Odds are that they will use cookies that should be addressed under the law. Whether they would score 2, 3, 4, or 5 on our scale I couldn’t say.

  23. Russell says:

    Thanks for this tool. I find it really useful. It doesn’t recognise the cookie from .a2a.lockerz.com or just lockerz.com. This is placed by the popular ‘Add to Any’ social sharing tool.

    • Attacat Tim says:

      Hi Russell

      Thank you for that, I’ve just added it to the database of the new version which will be launching soon with extra functionality. If you (or anybody else) would like to test it please email christie at attacat dot co dot uk Thanks again

  24. Glenn says:

    Thanks very much for this tool, very useful, especially when you consider that most other tools don’t allow for 3rd party cookie collection, which is arguably more important than 1st party cookies.

    If I could add something to my wishlist, it would be the ability to list the cookies that are used on the site, with a column that shows which pages they were collected from. This would allow for a smaller, succinct list to be shown, making it simpler for developers to audit a site.

    • Attacat Tim says:

      Hi Glenn

      Nice idea. I think the approach we will take with this is to create a csv output that you can then slice and dice as you like. Would that meet with approval?

      Thanks

      Tim

  25. Glenn says:

    Hi Tim,

    Thanks for the response.

    I think the csv idea is a good one, but for me, replacing the current list of cookies per page visited, to me, seems a little overkill. Assuming I’m an average user wanting a site audit, I think it would be more valuable to see all of the cookies listed, with the pages beside. If the csv is provided similar to how the page is laid out, trying to filter it down may still prove interesting.

    Thanks for the plugin, it goes a long way to helping.

    Cheers.

  26. Attacat Tim says:

    That’s good to know, thank you.

  27. Big Derek says:

    I had what appeared to be a problem during installation i.e. found tool via Firefox opened existing Google chrome copied URL got to page with blue attach button and clicked it. “CHECKING” was displayed for 10 minutes. Redisplaying page showed the tool was installed so I suspect something got lost that indicated installation completion had occurred. That could confuse a user who has created a web site from tools who has no knowledge of HTML and the scripts that could be inside it that create cookies.

    I was really trying out the tool on behalf of users who have used tools without HTML knowledge to create web sites as there are probably a number of them in the Ramblers groups across the UK. Having tweaked most of the pages in Frontpage’s HTML editor I was not expecting to find any cookies in the report from the site I maintain but did wonder what would happen if I used any of the numerous links to other sites. The overview report which does not distinguish between cookies from the site and ones resulting from following links could frighten an inexperienced web site developer. Making the web site source of cookies clear and adding a bit of text about the difference is important for non-tech users.

  28. Big Derek says:

    I tried the audit tool on a site produced by somebody else using a tool produced by Serif i.e. http://www.southdorsetramblers.org.uk. The tool shows another site being contacted when the contact webmaster page is used (http://www.serifwebresources.com/util/audio/audio.php?lang=). The sequence appeared to show other sites being contacted and some other site cookies being recorded when I messed up a ‘check its a human facility’ by mistyping the displayed word. I have no idea how this situation stands with regard to the new rules.

  29. Attacat Tim says:

    Hi Derek

    Thanks for your comments. I’ll try to address various points.

    1. Sorry you had install problems. It’s not one I’ve seen before or been able to reproduce. Have you seen the problem again?
    2. Re following links to other websites. The tool is not designed to cover this as you are only responsible for the sites you set cookies on. Hopefully that covers what you were suggesting?
    3. Re the check its human facility, South Dorset Ramblers does have a responsibility for cookies set by third parties on their site of which this is one. This is very common – sharing buttons, embedded videos etc all place third party cookies too. You therefore as a minimum should reference it in your cookie information page.

    Cheers

    Tim

  30. Big Derek says:

    Hi Tim,

    Re point 2 I am not the webmaster for the South Dorset Ramblers web site. Your cookie audit tool has enabled me to tell the webmaster that the site contact page accesses another site. He was unaware of this because he has no understanding of the HTML & code that the tool he uses produces. Neither would a user unless they have set up to record using the tool. I suspect you have not thought of people other than webmaster/editors using the tool. There are probably other web site creation tools that do this. Perhaps you should be including something like “Some web site creation tools may be creating cookies or referring to other web sites without you knowing and the audit tool can help you find out” in the audit tool description.

    I’ve tried audits on more than one site but saving them only keeps the last one, presumably because you were not expecting multi-site use.

    Regards

    Derek

  31. Attacat Tim says:

    Hi Derek

    Really useful ideas and feedback thank you. I’ve updated the landing page copy along the lines you suggested and will add saving of multiple reports to the wish list.

    Cheers

    Tim

  32. Mark says:

    Hi Tim, I tried out the tool today, looks great – thanks.

    However, I couldn’t get the cookie log page to work – it came out with this error:

    Warning: Invalid argument supplied for foreach() in /home/attacook/public_html/log.php on line 31

    I hope this helps track it down :)

    Yours faithfully,
    Mark

    • Christie says:

      Hi Mark,

      Hope you got to the bottom of this after our emails. Did running the tool without any other windows open help at all?

      Kind regards,

      Christie
