Local Navigation
- S&G Home
- S&G About
- Policy
- Infrastructure
-
Technical
-
Application Development
- Audio-Video Standard
-
Barlesque Implementation
-
Barley Implementation
- Browser Support
- C++ Coding
-
Clickthrough (Go-) Tracking
- Cookies
- CSS
- Customising Content
- Database Design & Development
- Downloads
- File Extensions
-
.htaccess
- JavaScript
- Mapping
- Multimedia Plug-ins
- Perl Coding
-
RSS
- Semantic Mark-up
- XHTML Integrity
- XML
-
XSSI (eXtended Server Side Includes)
-
Application Development
- Design & Editorial
- Interactivity
- Accessibility
- Glossary
- Contacts
Cookies Standard v2.1
1 Introduction
1.1 This standard specifies the rules relating to the creation and deployment of cookies on *.bbc.co.uk and non-bbc.co.uk domains.
1.1.1 This standard does not currently apply to mobile sites. We are currently investigating how we will address cookie numbers and sizes for sites displayed on mobile phones.
1.2 The reasoning behind the rules stated here is contained in Appendix A.
2. Registering Cookies
2.1 Whenever you create any cookie, including session cookies, you MUST register it on the Cookie Wiki [
internal BBC website] and alert the Cookies Working Group.
2.2 Compliance with UK law
2.2.1 All domain cookies, and any cookies on sites aimed at children (for example, /cbbc, /cbeebies), MUST be added to the bbc.co.uk Privacy & Cookies policy page).
2.2.2 We publish an edited form of this information in our bbc.co.uk Privacy & Cookies policy page, as required by UK law (for more details, see AboutCookies.org).
2.2.3 When a site containing cookies is decommissioned you MUST notify the Editor, Standards & Guidelinesand the reference to that cookie MUST be removed from the privacy policy page.
3 Cookie Lifespan
3.1 A cookie’s expiry MUST NOT have a lifespan that is longer than its purpose. For example, if a cookie is only needed for a vote that is going to be up for a week, set it to expire after a week.
3.1.1 Cookies MUST NOT have an expiry greater than one year.
3.2 If a cookie is only needed for a session, you MUST use a session cookie.
3.3 Decommissioned cookies MUST be actively expired. That is, if a cookie is no longer required on a site due to editorial changes, for example, it MUST be expired.
4 General Cookie Size Rules
4.1 Cookie values MUST be kept as short as possible. For example, you should use a value of ‘1’ or ‘0’, rather than ‘true’ or ‘false’.
4.2 They SHOULD NOT contain duplicated data or human readable text where a reference would suffice.
4.3 You SHOULD only use human readable text where the contents are intended to be displayed as content.
4.4 Cookie names SHOULD be no more than 8 characters long.
5 Directory-Scoped Cookie Numbers and Sizes
5.1 This section refers to cookies that are only applied to a directory of the site; for example, /cbbc/. Sites in subdirectories must take into account the scoped cookies set in parent directories in any of the below calculations; for example, /cbbc/raven/.
5.2 The total size of cookies for any directory of the site MUST NOT exceed 1kb: this includes the name, value, delimiters, separators, and spacing. See Appendix A for the reasons behind this statement.
5.3 The total number of cookies for any directory of the site MUST NOT exceed 15.
5.4 You SHOULD set the scope of your cookies against the deepest directory possible. For example, if something is used in the /raven site, then the cookie should be set against /cbbc/raven/, not just /cbbc. See Appendix A.
5.5 Existing cookies (as listed on the Cookie Wiki [ internal BBC website]) that can achieve the same objective MUST be used, rather than developing a new cookie.
6 Domain Cookie Numbers and Sizes
6.1 New root-level (*.bbc.co.uk) cookies MUST NOT be created without approval of the Editor, Standards & Guidelines.
6.2 The maximum size of the proposed new cookie MUST be specified in that communication.
6.3 Global domain cookies
6.3.1 This section refers to cookies that are scoped against bbc.co.uk and not a subdomain; for example, *.bbc.co.uk.
6.3.2 The total number of root-level cookies MUST NOT exceed 15 at any given time.
6.3.3 The total size of the root-level cookies MUST NOT exceed 0.5k.
6.3.4 You MUST only use a global domain cookie if the cookie is required to work across public BBC subdomains.
6.4 Subdomain cookies
6.4.1 This section refers to cookies that are scoped to a specific subdomain; for example, www.bbc or news.bbc.
6.4.2 The total number of root-level cookies MUST NOT exceed 15 at any given time.
6.4.3 The total size of the root-level cookies MUST NOT exceed 1k.
6.5 BBC domain aliases
6.5.1 You MUST NOT set cookies against other BBC domain aliases; for example, bbc.net.uk.
7 Third-Party Cookies
7.1 The following provisions are designed to ensure that the BBC meets its Data Protection obligations regarding cookies set against non-bbc.co.uk domains.
7.2 All cookies set against non-bbc.co.uk domains MUST comply with the following:
7.2.1 The reason for using an external server (rather than a BBC server) to set a cookie MUST be provided to the Editor, Standards & Guidelines and permission to set such cookie MUST first be granted by the Editor, Standards & Guidelines.
7.2.2 The Editor, Standards & Guidelines MUST also be informed of the purpose, location (domain), lifespan, user information recorded, and BBC pages the cookies is set from. This information MUST also be supplied to the Data Protection Unit and the Cookie Working Group.
7.2.3 The cookie MUST be published on the bbc.co.uk Privacy Policy page.
7.2.4 You SHOULD also refer to and consider the contents of the Third-Party Hosting Requirements Standard in anything that sets a third-party cookie.
7.2.5 To ensure optimal operational performance is not compromised, approval for the use of the cookie MUST also be sought from the Digital Distribution group or, in the case of Journalism-related sites, from the technical architect team for Journalism.
8. Appendix A – Background & Rationale
8.1. Naming cookies
8.1.1 Clearly 5 characters is not enough to recognise the purpose of a cookie, however:
- The cookie’s purpose can be ascertained by referencing the Cookie Wiki [ internal BBC doc], as described in section 2.1.
- Namespacing on global cookies will be considered when an application to create it is received, as described in section 6.1, and can also be ensured by referencing the Cookie Wiki [ internal BBC doc].
8.2 Cookie numbers
8.2.1 Browsers generally have a limit of 50 cookies per domain. Pre-August 07 copies of Internet Explorer 6 actually have a limit of 201.
8.3 Cookie sizes and lifespans
8.3.1 Cookie information is sent by web browsers to the web server as part of every request. This currently includes CSS, image and Javascript files, so keeping cookies to a minimum has a clear effect on server bandwidth and page loading speed.
8.3.2 Our Apache server imposes an 8k limit for page-request headers, and Internet Explorer 6 specifies a 4k limit for all cookies on a domain.2 What this means in practice is that if the combined size of all the cookies for a particular URL exceeds 8k, then the server will not process pages requests to that URL, and will return an error to the user. If it exceeds 4k for an un-patched Internet Explorer 6 the cookie object is frozen and you cannot read or write any more cookies.3
8.3.3 The combined size of all cookies for a particular URL in the site hierarchy includes the cookies for that directory and all directories above it; for example, http://www.bbc.co.uk/commissioning/ will send information from all cookies for www.bbc.co.uk/commissioning/ and www.bbc.co.uk/ and bbc.co.uk. This is why we have specified limits at the global domain (bbc.co.uk), subdomain (*.bbc.co.uk) and directory (for example, /cbbc) level so that no one particular level can use up all the available cookie quotas.
8.3.4 The size of root-level cookies imposes an overhead on all pages on the site - something that we need to control.
8.3.5 See the figure below for an additional visual explanation of combined cookie sizes in a URL.
Notes
1 See Microsoft's support site. Patch released August 2007 on Microsoft's support site and Security Update's site. Result of more than 20 cookies: "If a server in the domain sends more than 20 cookies to a client computer, the browser on the client computer automatically discards some old cookies", as stated on Microsoft's support site and This Much I Know.
2 Refer to Microsoft's support site.
3 Refer to This Much I Know.
9. Document History
| Date | Version | Change | Author |
|---|---|---|---|
| 01/06/2009 | v2.1 | Restructured and updated to reflect new cookies policy | Ed Lee |
| 31/07/2008 | v2.0 | Released as version 2.0. | Victoria Jolliffe |
| 23/07/2008 | v1.2 | Added caveat to exclude mobile browsers. | Victoria Jolliffe |
| 15/03/2006 | v1.1 | Rewritten to specify new limits on cookie sizes and numbers. | Cookies Working Group |
| 15/03/2006 | v1.0 | Changes required in Tech Forum - version change to v1.0 | Tred Magill |
| 13/01/2006 | v0.13 | Provisions for 3rd party cookies. | WG, Tred Magill |
| 25/11/2004 | v0.12 | Minor updates required by Nov-04 Tech Forum for approval | Jonathan Hassell |
| 19/11/2004 | v0.11 | Small updates requiring registration of cookies to comply with EU legislation | Jonathan Hassell |
| 19/12/2002 | v0.1 | Interim standard while Cookies WG discusses a more complete standard | Jonathan Hassell |
Document editor: Editor, Standards & Guidelines. If you have any comments, questions or requests relating to this document, please contact the Editor, Standards & Guidelines.
Like all other Future Media Standards & Guidelines, this page is updated on a regular basis, through the process described on About Standards & Guidelines.
© MMIX