Cookies Standard v2.4

1 Introduction

1.1 This standard specifies the rules relating to the creation and deployment of cookies and local shared objects (aka Flash cookies) on *.bbc.co.uk and non-bbc.co.uk domains.

1.1.1 This standard does not currently apply to mobile sites. We are currently investigating how we will address cookie numbers and sizes for sites displayed on mobile phones.

1.2 This standard applies to all BBC websites (including mobile sites) and third party cookies and embedded scripts. Random audits of cookies across bbc.co.uk are performed and cookies that do not meet with the requirements of this technical standard and/or sign-off requirements may be deleted.

2 Sign-off and Registration of Cookies

2.1 Whenever you create any cookie, including session cookies, you MUST register it on the Cookie Wiki [internal BBC website] and alert the Cookies Working Group.

2.2 Compliance with UK law

2.2.1 All domain cookies, and any cookies on sites aimed at children (for example, /cbbc, /cbeebies), MUST be added to the bbc.co.uk Privacy & Cookies policy page.

2.2.2 We publish an edited form of this information in our bbc.co.uk Privacy & Cookies policy page, as required by UK law (for more details, see AboutCookies.org).

2.2.3 When a site containing cookies is decommissioned the reference to that cookie MUST be removed from the privacy policy page.

3 Cookie Lifespan

3.1 A cookie’s expiry MUST NOT have a lifespan that is longer than its purpose. For example, if a cookie is only needed for a vote that is going to be up for a week, set it to expire after a week.

3.1.1 Cookies MUST NOT have an expiry greater than one year.

3.2 If a cookie is only needed for a session, you MUST use a session cookie.

3.3 Decommissioned cookies MUST be actively expired. That is, if a cookie is no longer required on a site due to editorial changes, for example, it MUST be expired.

4 General Cookie Size Rules

4.1 Cookie values MUST be kept as short as possible. For example, you should use a value of ‘1’ or ‘0’, rather than ‘true’ or ‘false’.

4.2 They SHOULD NOT contain duplicated data or human readable text where a reference would suffice.

4.3 You SHOULD only use human readable text where the contents are intended to be displayed as content.

4.4 Cookie names SHOULD be no more than 8 characters long.

5 Directory-Scoped Cookie Numbers and Sizes

5.1 This section refers to cookies that are only applied to a directory of the site; for example, /cbbc/. Sites in subdirectories must take into account the scoped cookies set in parent directories in any of the below calculations; for example, /cbbc/raven/.

5.2 The total size of cookies for any directory of the site MUST NOT exceed 1kb: this includes the name, value, delimiters, separators, and spacing. See Appendix A for the reasons behind this statement.

5.3 The total number of cookies for any directory of the site MUST NOT exceed 15.

5.4 You SHOULD set the scope of your cookies against the deepest directory possible. For example, if something is used in the /raven site, then the cookie should be set against /cbbc/raven/, not just /cbbc. See Appendix A.

5.5 Existing cookies (as listed on the Cookie Wiki [internal BBC website]) that can achieve the same objective MUST be used, rather than developing a new cookie.

6 Domain Cookie Numbers and Sizes

6.1 New root-level (*.bbc.co.uk) cookies MUST NOT be created without approval.

6.2 The maximum size of the proposed new cookie MUST be specified in that communication.

6.3 Global domain cookies

6.3.1 This section refers to cookies that are scoped against bbc.co.uk and not a subdomain; for example, *.bbc.co.uk.

6.3.2 The total number of root-level cookies MUST NOT exceed 15 at any given time.

6.3.3 The total cumulative size of all root-level cookies MUST NOT exceed 0.5k.

6.3.4 You MUST only use a global domain cookie if the cookie is required to work across public BBC subdomains.

6.4 Subdomain cookies

6.4.1 This section refers to cookies that are scoped to a specific subdomain; for example, www.bbc or news.bbc.

6.4.2 The total number of root-level cookies MUST NOT exceed 15 at any given time.

6.4.3 The total cumulative size of the root-level cookies MUST NOT exceed 1k.

6.5 BBC domain aliases

6.5.1 You MUST NOT set cookies against other BBC domain aliases; for example, bbc.net.uk.

7 Third-Party Cookies

7.1 The following provisions are designed to ensure that the BBC meets its Data Protection obligations regarding cookies set against non-bbc.co.uk domains.

7.2 All cookies set against non-bbc.co.uk domains MUST comply with the following:

7.2.1 The reason for using an external server (rather than a BBC server) to set a cookie MUST be provided to the Editor, Standards & Guidelines and permission to set such a cookie MUST first be granted by the Editor, Standards & Guidelines.

7.2.2 The Editor, Standards & Guidelines MUST also be informed of the purpose, location (domain), lifespan, user information recorded, and BBC pages the cookie is set from. This information MUST also be supplied to the Data Protection Unit and the Cookie Working Group.

7.2.3 The cookie MUST be published on the bbc.co.uk Privacy Policy page.

7.2.4 You SHOULD also refer to and consider the contents of the Third-Party Hosting Requirements Standard in anything that sets a third-party cookie.

7.2.5 To ensure optimal operational performance is not compromised, approval for the use of the cookie MUST also be sought from the Digital Distribution group or, in the case of Journalism-related sites, from the technical architect team for Journalism.

8 Appendix A – Background & Rationale

8.1 Naming cookies

8.1.1 Clearly 5 characters is not enough to recognise the purpose of a cookie, however:

  • The cookie’s purpose can be ascertained by referencing the Cookie Wiki [internal BBC document], as described in section 2.1.
  • Namespacing on global cookies will be considered when an application to create it is received, as described in section 6.1, and can also be ensured by referencing the Cookie Wiki [internal BBC document].

8.2 Cookie numbers

8.2.1 Browsers generally have a limit of 50 cookies per domain. Pre-August 07 copies of Internet Explorer 6 actually have a limit of 20.[1]

8.3 Cookie sizes and lifespans

8.3.1 Cookie information is sent by web browsers to the web server as part of every request. This currently includes CSS, image and JavaScript files, so keeping cookies to a minimum has a clear effect on server bandwidth and page loading speed.

8.3.2 Our Apache server imposes an 8k limit for page-request headers, and Internet Explorer 6 specifies a 4k limit for all cookies on a domain.[2] What this means in practice is that if the combined size of all the cookies for a particular URL exceeds 8k, then the server will not process page requests to that URL, and will return an error to the user. If it exceeds 4k for an un-patched Internet Explorer 6, the cookie object is frozen and you cannot read or write any more cookies.[3]

8.3.3 The combined size of all cookies for a particular URL in the site hierarchy includes the cookies for that directory and all directories above it; for example, http://www.bbc.co.uk/commissioning/ will send information from all cookies for www.bbc.co.uk/commissioning/ and www.bbc.co.uk/ and bbc.co.uk. This is why we have specified limits at the global domain (bbc.co.uk), subdomain (*.bbc.co.uk) and directory (for example, /cbbc) level so that no one particular level can use up all the available cookie quotas.

8.3.4 The size of root-level cookies imposes an overhead on all pages on the site - something that we need to control.

8.3.5 See the figure below for an additional visual explanation of combined cookie sizes in a URL.

[Figure: Cookies allowances by domain on bbc.co.uk]
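
The combination rule in 8.3.3 and the limits in sections 3 to 6 can be checked mechanically. The following is an added example, not part of the BBC standard or any BBC tooling: the function names, the sample cookies, the reading of "0.5k"/"1k" as 512/1024 bytes and the per-cookie size accounting are all assumptions.

```python
from collections import namedtuple

# Limits from sections 3.1.1, 4.4, 5 and 6: (max cookies, max bytes); "1k" assumed to be 1024 bytes.
LIMITS = {"global": (15, 512), "subdomain": (15, 1024), "directory": (15, 1024)}
MAX_NAME_LEN, MAX_AGE_DAYS, GLOBAL_DOMAIN = 8, 365, "bbc.co.uk"
# path defaults to "/", max_age_days to 0 (a session cookie).
Cookie = namedtuple("Cookie", "name value domain path max_age_days", defaults=("/", 0))

def level(c):
    if c.path != "/":
        return "directory"
    return "global" if c.domain == GLOBAL_DOMAIN else "subdomain"

def size(c):
    # Assumed accounting for section 5.2: name, "=", value and a "; " separator.
    return len(c.name) + 1 + len(c.value) + 2

def sent_to(cookies, host, url_path):
    # Cookies a browser attaches to this request (RFC 6265 domain and path matching).
    def path_ok(p):
        return url_path == p or (url_path.startswith(p) and
                                 (p.endswith("/") or url_path[len(p)] == "/"))
    return [c for c in cookies
            if (host == c.domain or host.endswith("." + c.domain)) and path_ok(c.path)]

def audit(cookies, host, url_path):
    # Every limit broken by the cookies combined at this URL, parent scopes included.
    sent, problems = sent_to(cookies, host, url_path), []
    for lvl, (max_n, max_bytes) in LIMITS.items():
        group = [c for c in sent if level(c) == lvl]
        total = sum(size(c) for c in group)
        if len(group) > max_n:
            problems.append(f"{lvl}: {len(group)} cookies > {max_n}")
        if total > max_bytes:
            problems.append(f"{lvl}: {total} bytes > {max_bytes}")
    for c in sent:
        if len(c.name) > MAX_NAME_LEN:
            problems.append(f"{c.name}: name longer than {MAX_NAME_LEN} characters")
        if c.max_age_days > MAX_AGE_DAYS:
            problems.append(f"{c.name}: expiry longer than one year")
    return problems

# Constructed sample register; names and values are invented for illustration.
SAMPLE = [Cookie("uid", "x" * 40, "bbc.co.uk", "/", 365),
          Cookie("cb_theme", "1", "www.bbc.co.uk", "/cbbc/", 30),
          Cookie("rv_progress", "a" * 1000, "www.bbc.co.uk", "/cbbc/raven/", 400),
          Cookie("nw_ed", "0", "news.bbc.co.uk")]
```

Calling `audit(SAMPLE, "www.bbc.co.uk", "/cbbc/raven/game")` reports the directory budget overrun caused by the /cbbc/ and /cbbc/raven/ cookies together, while the same register audited at `/cbbc/` is clean.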


1 See Microsoft's support site. Patch released August 2007 on Microsoft's support site and Security Update's site. Result of more than 20 cookies: "If a server in the domain sends more than 20 cookies to a client computer, the browser on the client computer automatically discards some old cookies", as stated on Microsoft's support site and This Much I Know.

2 Refer to Microsoft's support site.

3 Refer to This Much I Know.

