Note: Original article published at http://patterns.littlespringsdesign.com/ (Little Spring) under Attribution 3.0. Note: the link is broken and the original site is no longer available.
Cookies are a popular method of preserving state and other context information, during a session or between sessions by identifying users and, sometimes, storing key data locally. Unfortunately cookie support varies across devices and carriers.
Determine whether each cookie's function can be fully or partially accomplished through the techniques below, or other techniques. If a large portion of the site has an unacceptable user experience after reducing cookie use to its minimum, then perform a cookie test on all possible site entry pages. If the cookie cannot be read on the next page, advise the user of the problem. Most users can download a browser to their phone; Opera Mini runs on all Java ME devices and supports cookies well.
One simple technique is to add user identification data to the URL string and then have the user bookmark the URL string with the ID.
Cookies are, somewhat rightfully, given much grief for security violations. These generally stem from placing identifying information about the user, their preferences or their history, directly in the cookie. A much better method is to place an identifying value in the cookie or URL string instead. Most personalized web services do not require authentication, but just identification. Any preferences or personal information can then be retrieved by the server based on this identifier. When the site must authenticate, the password can be requested from the user at that moment.
Authentication credentials (passwords, SSNs, etc.) should never be placed in cookies or URL strings, even encoded. The identifier string mentioned above should not be the same as any other value used by your company (e.g. a phone number or account number) but a unique identifier used for the cookie only.
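The following is an added, framework-neutral Python example (not code from the original pattern page) that puts the preceding points together: a two-hop cookie test run from an entry page, a fallback to the identifier carried in the URL when the cookie does not come back, a random opaque identifier that is not derived from any account value, server-side lookup of preferences by that identifier, and a password check performed only at the moment authentication is needed. The cookie name `sid`, the `ctest` query flag and the in-memory stores are assumptions made for the demonstration; each function takes raw header and query strings and returns plain values so it can be wired into any request handler.

```python
"""Cookie test with a URL fallback for an opaque session identifier.

Added example, not from the original pattern page. The cookie/parameter
name, the test flag and the in-memory stores are assumptions for the demo.
"""
import hashlib
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

COOKIE_NAME = "sid"        # assumed name of the identifier cookie / URL parameter
TEST_FLAG = "ctest"        # assumed query flag marking the second hop of the test

# Server-side stores, constructed for the demo. Only the opaque identifier ever
# travels to the client; preferences and password hashes stay on the server.
PREFERENCES = {}           # identifier -> dict of user preferences
PASSWORD_HASHES = {}       # identifier -> (salt, pbkdf2 hash)


def new_identifier():
    """Random, opaque identifier: carries no phone/account number or credential."""
    return secrets.token_urlsafe(16)


def with_query(url, extra):
    """Return url with extra query parameters appended, keeping existing ones."""
    parts = urlparse(url)
    params = parse_qs(parts.query)
    params.update({k: [v] for k, v in extra.items()})
    return urlunparse(parts._replace(query=urlencode(params, doseq=True)))


def identifier_from_cookie(cookie_header):
    """Extract the identifier from a raw Cookie header, or None if absent."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar[COOKIE_NAME].value if COOKIE_NAME in jar else None


def identifier_from_request(cookie_header, query_string):
    """Prefer the cookie; otherwise accept the identifier carried in the URL."""
    sid = identifier_from_cookie(cookie_header)
    if sid is None:
        sid = parse_qs(query_string).get(COOKIE_NAME, [None])[0]
    return sid if sid in PREFERENCES else None   # unknown identifiers are ignored


def start_cookie_test(entry_url):
    """Hop 1 on an entry page: set the cookie and redirect, echoing the id in the URL."""
    sid = new_identifier()
    PREFERENCES[sid] = {}
    headers = [
        ("Set-Cookie", f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"),
        ("Location", with_query(entry_url, {TEST_FLAG: "1", COOKIE_NAME: sid})),
    ]
    return 302, headers, sid


def finish_cookie_test(cookie_header, query_string):
    """Hop 2: did the cookie set on the previous page come back? Dict, or None if not a test hop."""
    qs = parse_qs(query_string)
    if qs.get(TEST_FLAG) != ["1"]:
        return None
    url_sid = qs.get(COOKIE_NAME, [None])[0]
    cookie_sid = identifier_from_cookie(cookie_header)
    if cookie_sid is not None and cookie_sid == url_sid:
        return {"cookies_work": True, "identifier": cookie_sid, "advice": None}
    return {
        "cookies_work": False,
        "identifier": url_sid,                   # keep working via the URL
        "advice": "Your browser did not keep the session cookie. Bookmark this page "
                  "to stay identified, or install a browser that supports cookies.",
    }


def set_password(sid, password):
    """Store a salted PBKDF2 hash server-side; the password itself is never kept."""
    salt = secrets.token_bytes(16)
    PASSWORD_HASHES[sid] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))


def authenticate(sid, password):
    """Check the password only when a sensitive action needs it; it never goes in the cookie."""
    if sid not in PASSWORD_HASHES:
        return False
    salt, stored = PASSWORD_HASHES[sid]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return secrets.compare_digest(candidate, stored)
```

The identifier is echoed in the redirect URL on purpose: when the second hop arrives without the cookie, the server still knows who the user is, can show the advice text, and can keep serving preferences from the server-side store while the user bookmarks the URL. The identifier itself is worthless on its own; anything sensitive still requires `authenticate()` at the moment it is needed.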
Use for web applications when the universe of browsers is not controlled or otherwise unknown.
Many mobile browsers do not support cookies, or do not support them consistently. Some users may have cookies disabled. Other users may have cookies enabled, but their carrier or device may expunge cookies.
Users who have to enter a user name and password two or three times per email session will quickly stop using the service.