Cookies, Part 1
Eric Moore, CUGG
I gave a short presentation on the subject of cookies at the October 2007 meeting of CUGG. Although I covered the basics that every computer user should know, time did not permit me to explore the topic deeply or to address specific examples of how to manage cookies with today's web browsers. This article, the first of two parts, will serve as a follow-up to my presentation, covering the topic in greater detail and providing links to online resources for more information. Part 2, to be written for a future edition of Random Access, will provide detailed information relating to cookie management in four popular web browsers: Internet Explorer, Firefox, Opera, and Safari.
Much of the material in this article is a paraphrase in my own words of a full-length Wikipedia article on the topic of HTTP cookies. All credit is due to the Wikipedia contributors, unless otherwise noted.
What Is a Cookie?
An HTTP cookie, web cookie, or simply cookie, is a bit of arbitrary text data that is shared between a web server and a web browser. A cookie is stored on the user's computer in a text file known as a cookie file. The specifics of where cookies are stored differ between browsers. Internet Explorer creates a separate text file for every cookie, while Firefox maintains a single text file for all the cookies it receives. Ideally, a cookie can only be returned to the same server that created it or to a server on the same Internet domain as the originating server. Most cookies will expire after a certain time. Some expire as soon as the browser is closed. Other cookies are persistent, in that they may be retained for days, weeks, or even longer.
Cookies were first introduced by Netscape in 1994 for implementing a virtual shopping cart. Before the introduction of cookies, web transactions between a web browser and a web server were usually stateless. When transactions are performed in a stateless manner, the web server cannot distinguish whether a series of requests for one or more web pages are made by the same user. As far as the server is concerned, every request for a page could come from a different user. As such, no provision can be made to personalize the data sent to the user or to readily authenticate who has the right to view information of a private or personal nature.
By creating a cookie with a unique, arbitrary numeric identifier and sending it back to the user's web browser, the server can then request the cookie back whenever the user requests a page from the server. Based upon the unique identifier, the server can then respond dynamically to the user's request. For example, if Mary successfully logs into her online banking account, the server will return a cookie to authenticate her. As long as she remains logged in (and the cookie is not deleted), Mary will be able to easily move from one page to the next as she checks her account balances, transfers funds between accounts, downloads her monthly statement, and performs other actions. The cookie also ensures that Mary can only access her information and not someone else's.
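The exchange just described, as an added example that is not part of the original article: a server that mints a random identifier and sends it in a Set-Cookie header, and a minimal browser-side cookie jar that returns the cookie only to matching hosts, drops it once it expires, and discards session cookies (those without an Expires date) when the browser closes. The hostname bank.example, the in-memory SESSIONS store, and the login/whoami helpers are constructed for illustration; the header parsing uses Python's standard http.cookies module.

```python
"""Session-cookie exchange between a server and a browser (illustrative).
bank.example, SESSIONS, login() and whoami() are constructed for this example."""
import secrets
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

SERVER_HOST = "bank.example"   # constructed hostname
SESSIONS = {}                  # server memory: session id -> user name


def now_plus_days(days):
    """Helper for simulating the passage of time in the cookie jar."""
    return datetime.now(timezone.utc) + timedelta(days=days)


def login(username, persistent_days=None):
    """Server side: after a successful login, mint an unguessable session id,
    remember whose it is, and build the Set-Cookie header to send back.
    Without Expires the cookie lasts only until the browser is closed."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["domain"] = SERVER_HOST
    cookie["sid"]["path"] = "/"
    if persistent_days is not None:
        expires = now_plus_days(persistent_days)
        cookie["sid"]["expires"] = expires.strftime("%a, %d %b %Y %H:%M:%S GMT")
    return cookie["sid"].OutputString()


def whoami(cookie_header):
    """Server side: map the sid the browser returned to a user, or None."""
    parsed = SimpleCookie()
    parsed.load(cookie_header)
    if "sid" not in parsed:
        return None
    return SESSIONS.get(parsed["sid"].value)


class CookieJar:
    """Browser side: stores cookies and decides which ones a request may carry."""

    def __init__(self):
        self.cookies = {}   # (domain, name) -> {"value": str, "expires": datetime or None}

    def store(self, set_cookie_header, request_host):
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            domain = (morsel["domain"] or request_host).lstrip(".").lower()
            expires = parsedate_to_datetime(morsel["expires"]) if morsel["expires"] else None
            self.cookies[(domain, name)] = {"value": morsel.value, "expires": expires}

    def cookie_header(self, host, now=None):
        """Build the Cookie header for a request to host: only cookies whose
        domain matches are sent, and expired ones are purged on the way."""
        now = now or datetime.now(timezone.utc)
        host = host.lower()
        pairs = []
        for (domain, name), c in list(self.cookies.items()):
            if c["expires"] is not None and c["expires"] <= now:
                del self.cookies[(domain, name)]   # expired: forget it
                continue
            if host == domain or host.endswith("." + domain):
                pairs.append("%s=%s" % (name, c["value"]))
        return "; ".join(pairs)

    def close_browser(self):
        """Session cookies (no Expires) die with the browser; persistent ones survive."""
        self.cookies = {k: c for k, c in self.cookies.items() if c["expires"] is not None}


if __name__ == "__main__":
    jar = CookieJar()
    jar.store(login("mary"), SERVER_HOST)
    print("to the bank:", whoami(jar.cookie_header(SERVER_HOST)))
    print("to another site:", repr(jar.cookie_header("other.example")))
    jar.close_browser()
    print("after the browser restarts:", whoami(jar.cookie_header(SERVER_HOST)))
```

The server never stores Mary's name in the cookie itself, only the random identifier; everything it knows about her stays on the server and is looked up from that identifier on each request.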
What Purposes Are Cookies Used For?
As mentioned in the previous section, cookies can be used for authenticating a user who has logged into a site and restricting her access only to information associated with her account. Other functions for cookies are web site personalization and virtual shopping carts. In the case of site personalization, the user may choose how the site is to be displayed. Such options can include displaying the site in a particular language, emphasizing certain content such as news feeds, or laying out the information in a particular way. On Google, for example, the user may elect to view the page in a foreign language and to view the results of a web search thirty items per page. CNN gives the user an option to view either the U.S. or international edition of its news site. In each case, the web server "knows" what the user expects to see because of the information saved on the user's computer in a cookie file.
When shopping on a web site such as Amazon.com or NewEgg.com, every item the user adds to the virtual shopping cart is recorded in a cookie file and referenced by a unique ID. This way, the server can request the cookie file each time the user switches between pages, in order to maintain a current summary of what is in the user's shopping cart and the running total. The shopping cart may even persist between browser sessions, so the user can shut down the computer one day and then revisit the site another day to continue where she left off.
Another use for cookies is web site tracking. Some companies create cookies in order to gather data about users and their browsing habits. Such cookies are known as third-party cookies, as they are created by a foreign server as a side-effect of viewing another entity's web page. For example, a web site (the first party) may display banner ads or pictures for another company (the third party). Each ad or picture may be hosted on a different server than the one that hosts the main web page. When the web browser sends a request to the third-party servers to download the ads and pictures, cookies are created and stored on the user's computer. Each picture may be associated with a unique cookie, thus enabling the third party to detect which web sites or pages have been viewed by the user.
The data in third-party cookies can be used for demographic analysis or to create targeted advertisements based upon the particular sites and web pages that a user visits. Although the collection of such data is done anonymously, it is still of concern to some users who would prefer to maintain some anonymity when browsing the web. I will discuss more in this regard later in this article.
Although cookies are harmless by themselves, they can be used or exploited to undermine a user's privacy. As previously mentioned, tracking cookies are used for collecting data about a user's browsing habits. Since tracking cookies are anonymous in nature, their negative effect on the user is minimal. To paraphrase Douglas Adams, author of The Hitchhiker's Guide to the Galaxy, cookies are "mostly harmless."
On the other hand, a more insidious problem does exist: cookie hijacking. Cookies may be captured by an unauthorized person and used to impersonate a victim in order to gain access to personal information such as a bank account. Cookie hijacking may be accomplished by means of packet sniffing, where a person uses software to capture the cookie data as it travels across a network. Although the originating web servers can mitigate the threat by encrypting the cookies they generate, not all do so.
Another method by which unauthorized access to cookies may be accomplished is by means of cross-site scripting. Older versions of some browsers had security flaws that made it possible for one web server to access the cookies created by a foreign web server. Your best defense against this threat is to use a modern web browser such as Internet Explorer 7 or Firefox 2.0 and keep it up to date. More on the subject of updating your web browser will be covered in Part 2 of my article.
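The two exposures above, sniffing and script access, correspond to two standard attributes a server can put on its Set-Cookie header: Secure (the browser sends the cookie only over an encrypted HTTPS connection) and HttpOnly (page scripts cannot read it). The following auditor, an added example rather than anything from the article, reports which of these a server left out, and also notes when a session cookie is persistent, since a captured copy then stays usable until its Expires date. The two header strings are constructed; the only library used is Python's standard http.cookies module.

```python
"""Audit a Set-Cookie header for the attributes that limit cookie hijacking.
Added example; WEAK and HARDENED are constructed header strings."""
from http.cookies import SimpleCookie


def audit_set_cookie(header):
    """Return a list of findings; an empty list means the header is hardened."""
    parsed = SimpleCookie()
    parsed.load(header)
    findings = []
    for name, m in parsed.items():
        if not m["secure"]:
            findings.append("%s: no Secure attribute, so the browser also sends it over plain "
                            "HTTP, where a packet sniffer on the path can copy it" % name)
        if not m["httponly"]:
            findings.append("%s: no HttpOnly attribute, so page scripts can read it and a "
                            "cross-site scripting flaw could leak it" % name)
        if m["expires"] or m["max-age"]:
            findings.append("%s: persistent (Expires or Max-Age set); a captured copy stays "
                            "valid until then unless the server ends the session" % name)
    return findings


# Constructed headers: one as a server that sets no protective attributes
# might send it, and the hardened form of the same session cookie.
WEAK = "sid=8f2a9c; Domain=bank.example; Path=/; expires=Thu, 01 Jan 2026 00:00:00 GMT"
HARDENED = "sid=8f2a9c; Domain=bank.example; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK), ("hardened", HARDENED)):
        print(label + ":")
        for finding in audit_set_cookie(hdr) or ["no findings"]:
            print("  -", finding)
```

Run against WEAK the auditor lists all three findings; HARDENED produces none. A browser honours these attributes on its own, so the fix lies entirely with the web site, which is why the article's advice to keep the browser current addresses only the second of the two exposures.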
Problems with Cookies
In addition to the aforementioned privacy concerns, cookies have other potential problems. Cookies are stored in cookie files on the hard drive, so they do take up space that could otherwise be used for storing more useful data. All browsers provide means for managing cookies, as I will explain in the next section.
Cookies may contain inaccurate data. For example, if Ron logs into his home computer and visits NewEgg to shop for a new computer, any items he places in his shopping cart remain on his home computer. If he subsequently shops NewEgg's website from his work computer, a different shopping cart will be created and will not reflect what items he selected while using his home computer. Likewise, the cookie data is not shared between browsers, so anything he added to his shopping cart while using Firefox will not be visible when using Internet Explorer.
In another example, if Ron, Dick, and Jamie share a Windows 98 computer, which does not support separate user accounts, and each uses the same web browser, all cookie data for the three users will be intermingled. This could create anything from minor inconveniences in the case of a shared shopping cart for NewEgg, to privacy concerns should one person choose to have himself auto-logged into his banking site. The best solution is for each user to use a separate computer or for the three users to use a newer operating system such as Windows XP, Windows Vista, Mac OS X, or Linux. When each user has his own separate account, then each one's cookies remain private and separate from the other users' cookies.
Web browsers provide users the means of managing cookies, from deciding which cookies to accept and which to reject to choosing when they should be deleted. The particular features vary between different brands of web browsers and even between different versions of the same browser. I will cover in greater detail in Part 2 what options are available in the most popular browsers. To summarize for now, among the options that may be available are:
Accept all cookies
Deny all cookies
Deny third-party (tracking) cookies
Prompt the user before accepting a cookie
Maintain whitelists for trusted web cookies and blacklists for untrusted cookies
Set the cookies to expire automatically, say at the end of a browser session
Delete some or all cookies on demand
Treat cookies based upon their Platform for Privacy Preferences (P3P) privacy policies
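To show how the options listed above, and the first-party versus third-party distinction from the tracking section, fit together, here is an added example of a cookie-acceptance policy of the kind a browser applies when a server tries to set a cookie. It is not code from any browser or from the article. The hostnames and headers are constructed, and registrable_domain() is a deliberate simplification (assumption): it keeps the last two labels of a hostname, whereas real browsers consult the Public Suffix List. The P3P option is left out, since it depends on policy files the example does not have.

```python
"""Cookie-acceptance policy: accept all, deny all, deny third-party, prompt,
whitelist/blacklist and session-only expiry. Added example with constructed
hostnames; registrable_domain() is a simplification of browser behaviour."""
from http.cookies import SimpleCookie


def registrable_domain(host):
    """'ads.tracker.example' -> 'tracker.example'. Assumption: last two labels
    (a real browser uses the Public Suffix List instead)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def is_third_party(page_host, setter_host):
    """A cookie is third-party when the server setting it belongs to a
    different site than the page the user actually asked for."""
    return registrable_domain(page_host) != registrable_domain(setter_host)


class CookiePolicy:
    MODES = ("accept_all", "deny_all", "deny_third_party", "prompt")

    def __init__(self, mode="accept_all", whitelist=(), blacklist=(),
                 session_only=False, ask_user=None):
        if mode not in self.MODES:
            raise ValueError("unknown mode: %s" % mode)
        self.mode = mode
        self.whitelist = {d.lower() for d in whitelist}
        self.blacklist = {d.lower() for d in blacklist}
        self.session_only = session_only
        # Stand-in for the "prompt the user" dialog; default answers yes.
        self.ask_user = ask_user or (lambda host, header: True)

    def decide(self, page_host, setter_host, set_cookie_header):
        """Return (accepted, header_to_store, reason). The stored header may
        differ from the received one when session_only strips its lifetime."""
        site = registrable_domain(setter_host)
        if site in self.blacklist:
            return False, None, "blacklisted site"
        if site in self.whitelist:
            return True, self._finalize(set_cookie_header), "whitelisted site"
        if self.mode == "deny_all":
            return False, None, "all cookies denied"
        if self.mode == "deny_third_party" and is_third_party(page_host, setter_host):
            return False, None, "third-party cookie"
        if self.mode == "prompt" and not self.ask_user(setter_host, set_cookie_header):
            return False, None, "declined by user"
        return True, self._finalize(set_cookie_header), "accepted"

    def _finalize(self, header):
        """With session_only, drop Expires/Max-Age so the cookie dies with the browser."""
        if not self.session_only:
            return header
        parsed = SimpleCookie()
        parsed.load(header)
        for morsel in parsed.values():
            morsel["expires"] = ""
            morsel["max-age"] = ""
        return "; ".join(m.OutputString() for m in parsed.values())


if __name__ == "__main__":
    policy = CookiePolicy(mode="deny_third_party", blacklist=["spy.example"], session_only=True)
    print(policy.decide("news.example", "ads.tracker.example", "tid=1; Domain=tracker.example"))
    print(policy.decide("news.example", "cdn.news.example",
                        "sid=abc; Domain=news.example; expires=Thu, 01 Jan 2026 00:00:00 GMT"))
```

Blacklist and whitelist entries are checked before the general mode, which is the usual precedence: an explicit decision about a site overrides the blanket setting. The third-party test compares the site of the page with the site of the server that sent the cookie, so an image or banner pulled from ads.tracker.example while reading news.example is rejected while a cookie from cdn.news.example is kept.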
The following are just some of the available resources on cookies. Many more are available. For information on third-party utilities for managing cookies, you can search popular download sites such as tucows.com and Download.com. You can also find reviews of useful cookie tools and information on the websites for PC World and PC Magazine.
|Wikipedia article on HTTP cookies||A detailed, though sometimes technical, discussion of cookies, how they are used, and their risks|
|||A page with numerous links to information on cookies, privacy concerns, and other resources|
|Microsoft's Information About Cookies||A short Q&A on the subject of cookies and how to manage them with Internet Explorer|
|||Discusses the inadequacies of cookie management and privacy protection in Internet Explorer 6|
|Block Spying Cookies, but Keep the Helpful Ones||PC Magazine article on how to manage cookies in Internet Explorer and Mozilla Firefox|
|Identify Tracking Cookies in Firefox||PC World article on how to identify third-party cookies in Mozilla Firefox|
|||PC Magazine article with a definition of a cookie, privacy concerns, and configuration settings for managing cookies|
|Cookies and PIE||PC Magazine article on how a Macromedia Flash technology called a local shared object can circumvent privacy protection achieved through deleting cookies|
|Find the Cookies folder in Vista||PC Magazine article on how to find Internet Explorer's cookies folder in Windows Vista|
|Respect Privacy or Else!||PC Magazine article that explains the P3P technology that allows web site visitors to make informed decisions whether to share their information|