A study of Internet users’ cookie and javascript settings

Recently, we were interested in measuring how many users allow third-party cookies.  While we were at it, we figured we might as well measure how many would accept first-party cookies and how many would run javascript.  We got some interesting numbers that I think are worth sharing.  WRAL.com has a 50% market penetration in the Raleigh metro area, so our numbers are fairly representative of a general Internet audience.

To manage the test, I built a PHP class, cookie_test.  It is used it to inject test code into a page on your site.  It works by inserting a <script> element with a <noscript> element.  Depending on whether the user’s browser is set to run javascript, it will set off a chain of client/server interactions:

Javascript enabled

  • the script’s src is set to a PHP script on your server that sets a cookie and injects another <script> element
  • the second script’s src is also a PHP script; this script checks for the presence of the cookie.

Javascript disabled:

  • the noscript’s contains an <img> element, whose src is set to a PHP script on your server that sets a cookie and redirects the user to another script
  • the second PHP script checks for the presence of the cookie (yes, it seems that a cookie assigned with a redirection header does get sent on the subsequent request)

To test this with 3rd party cookies, you do the same thing, but you point at PHP scripts on another domain.

We ran tests on about 46,000 “users” between the hours of 14:00 and 15:00 on a Saturday.  I put quotes around “users” because of those 46,000 unique IDs we handed out, we determined that 15,000 were robots, and another 15,000 were just our load balancers checking the health of the web servers.

So we got what appears to be about 13,500 users. Of those, 85% have wide-open browser preferences: javascript, cookies, and 3rd party cookies.

About 10% seem to disable third-party cookies (this has implications for Omniture, too).  Another 3.7 percent disable all cookies.  Very few people disable javascript (funny, because Javascript is a MUCH greater risk than any cookie).

Let me explain the last table:

  • no set: unique cookie was never seen in requests for the javascript or the img files
  • no show: unique cookie was seen in requests for the first javascript or first image, but not the second
  • robots: rejected due to a known robot user agent string
  • no user agent: these requests came in with no user agent string

The “no user agent” users were our load balancers doing health checks, so we don’t include those.

A few things surprised me.  First, the amount of robot traffic was higher than I would have expected.  Second, there was a really high number of users who never made the request for the initial javascript or img files (the “no set” users).  The table above shows 3.6%, but if you take out the robots and the load balancer traffic, it accounts for more than 10% of all traffic.  Much of this traffic seems to be mobile devices and toolbar software (not sure if these user agents are just browsers with toolbars installed, or if the toolbar is making its own requests in the background).

We repeated the test a couple of times on weekdays and got similar results.  The percentage of “wide open” users was higher, though.  We get a lot of corporate traffic during the weekday, so it might be that their corporate policies require javascript to be enabled for various web-based applications they’re using.

Bottom line:  If your application requires Javascript, first-party, and third-party cookies, you’ve got about 85-90% of users with those technologies enabled in their browsers.    If you only need Javascript and first-party cookies, you’re in better shape: 95-97% of users have those technologies enabled.  If you only need Javascript, more than 99% of users have Javascript enabled.

If you’re interested in using the cookie_test class, I’ve made it available for download.  Docs on how to implement the calling scripts are included in the comments at the top.

Leave a comment

Your email address will not be published. Required fields are marked *