Mmm... Cookies

Chris Grant | 1998-07-03

It had to happen sooner or later. At some point one of us had to write an article about cookies. Since I am going to add some code that uses cookies into our web site in the next week or two I guess the task has fallen upon me.

There seems to be a great deal of hysteria about cookies. People seem to think that cookies will allow the bad guys to do anything ranging from reading assorted files on your hard drive to extracting your MasterCard number from that book order you submitted to amazon.com. Hopefully this article will help clear up the confusion somewhat.

First the basics: What is a cookie?

A cookie is a small amount of data that is stored on your local system by your web browser at the request of a web server. The next time you visit that web server, the cookie is sent back. No stolen files, no credit card numbers. It's as simple as that.

Now that that is clarified, we come to the why of it all. Netscape initially developed cookies because web site designers were frustrated with the lack of statefulness in the World-Wide Web. The only real way a designer could customize a site to an individual visitor was to ask them to log in on an initial page to identify themselves, and then carry that identity forward for the duration of the visit through kludgey HTML forms and CGI scripts. One of the main problems with this approach is that people are typically a little reluctant to hand information to an unknown web server when all they want is to view a particular page that sounds interesting. A logon page also interrupts the flow, usability and design of the site. Finally, because CGI was involved, this approach meant a lot of programming and maintenance overhead to accomplish a seemingly simple task. The solution, as Netscape saw it, was to build a simple mechanism for maintaining state. This of course was the cookie.

The Guts Of A Cookie

The cookie's actual implementation depends on the browser. The two primary sources of information on how cookies work are Netscape's initial cookie specification and RFC 2109. Each browser can implement (or not implement) cookies however it chooses, but as a rule Netscape's implementation is considered the standard, and it is the Netscape cookie I will be discussing in this document.

A cookie consists of a name, a value, an expiry date, a domain, a path, and a security flag. The size of a cookie is usually limited to around 4KB, and the number of cookies a particular domain can set to around twenty. This is to ensure that a web server can't indiscriminately fill up your hard drive with useless information. A typical entry in Netscape's cookies.txt file might look something like this (the columns are the domain, a flag saying whether every host in that domain may read the cookie, the path, the secure flag, the expiry date as seconds since 1970, the name, and the value):

.doubleclick.net TRUE / FALSE 1920499140 id 37ed09a6

The name is a handle to the cookie so that it can be referenced and updated later. The value of a cookie is its actual contents. This is where a web designer can save things like the last time you visited their site. The expiry date tells the browser how long to keep the cookie. If no expiry is specified, the cookie is disposed of as soon as the browser is closed. The domain and path properties specify which hosts and which paths the cookie is sent back to. As an example, I can set a cookie with the domain www.codetalker.com and the path /advisories, which the browser would only send to our web server when you happen to be in the advisories section of our site, or I can set a cookie with the domain .codetalker.com and the path /, which would be sent to any machine in the codetalker domain (e.g. both www.codetalker.com and internal.codetalker.com). Finally, if the security flag is set, the browser will only transmit the cookie over a secure channel such as HTTPS. Note that this flag governs transmission only: the cookie still sits unencrypted in the cookies file on your disk.
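The matching rules above are easiest to see in code. The following is an added example, not code from the original article: it parses lines in the cookies.txt layout shown above and applies the Netscape rules (domain tail-match, path prefix, secure flag, expiry) to work out which cookies a browser would attach to a given request. The sample file is constructed: its first line is the DoubleClick entry from the article, and the codetalker.com entries are made up for illustration.

```javascript
// Added example, not code from the original article. Parses Netscape
// cookies.txt lines and applies the matching rules that decide which
// cookies a browser sends with a request.

// Column order of a cookies.txt line: domain, domain flag (TRUE when the
// cookie is valid for every host under the domain), path, secure flag,
// expiry (Unix seconds), name, value.
function parseCookieLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 7 || f[0].startsWith('#')) return null; // blank or comment
  return {
    domain: f[0],
    allHosts: f[1] === 'TRUE',
    path: f[2],
    secure: f[3] === 'TRUE',
    expires: parseInt(f[4], 10),
    name: f[5],
    value: f.slice(6).join(' '),
  };
}

function loadJar(text) {
  return text.split('\n').map(parseCookieLine).filter(Boolean);
}

// Netscape domain matching: a domain that starts with a dot tail-matches
// any host under it; a bare host name must match exactly.
function domainMatches(host, cookieDomain) {
  if (cookieDomain.startsWith('.')) {
    return host === cookieDomain.slice(1) || host.endsWith(cookieDomain);
  }
  return host === cookieDomain;
}

// Path matching is a plain prefix test: a cookie set for /advisories is
// also sent for /advisories/1998/july.html.
function pathMatches(requestPath, cookiePath) {
  return requestPath.startsWith(cookiePath);
}

// Names of the cookies the browser would send with a request to `url`
// when the clock reads `now` (Unix seconds).
function cookiesForUrl(jar, url, now) {
  const u = new URL(url);
  return jar
    .filter(c => domainMatches(u.hostname, c.domain))
    .filter(c => pathMatches(u.pathname, c.path))
    .filter(c => !c.secure || u.protocol === 'https:')
    .filter(c => c.expires > now)
    .map(c => c.name);
}

// Constructed sample file: the first entry is the article's DoubleClick
// line; the codetalker.com entries are made up for this example.
const SAMPLE_COOKIE_FILE = `
# Netscape HTTP Cookie File
.doubleclick.net    TRUE   /            FALSE  1920499140  id       37ed09a6
www.codetalker.com  FALSE  /advisories  FALSE  1920499140  section  adv
.codetalker.com     TRUE   /            TRUE   1920499140  sess     abc123
.codetalker.com     TRUE   /            FALSE  900000000   old      stale
`;

const NOW = 1000000000; // fixed clock (September 2001) so results are stable

if (typeof require !== 'undefined' && require.main === module) {
  const jar = loadJar(SAMPLE_COOKIE_FILE);
  for (const url of ['http://ad.doubleclick.net/ad.gif',
                     'http://www.codetalker.com/advisories/1998.html',
                     'https://internal.codetalker.com/']) {
    console.log(url, '->', cookiesForUrl(jar, url, NOW));
  }
}
```

Running it shows the points made in the text: the `section` cookie goes only to www.codetalker.com under /advisories, the secure `sess` cookie is withheld from plain http:// requests, the expired `old` cookie is never sent, and a host such as evilcodetalker.com gets nothing because the tail match requires the leading dot.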

So what's all the hubbub about?

My question exactly. I think there are three primary components to this strange fear. First, cookies allow web servers to store information on your computer. This just sounds like a bad idea. Second, cookies detract somewhat from the user's false sense of anonymity. As with most activities on the Internet, people like to think they are invisible. Third, and in my view most importantly, cookies have a friendly name. I truly believe that if Netscape had initially decided to call cookies “Persistent Client State Mechanisms,” which would invariably be shortened to PCSM, not nearly the same amount of hysteria would have developed. PCSMs would have been lost in a sea of other acronyms, and quickly forgotten.

Without any other information available, I can completely understand the misgivings people may have. Of course this fear is quickly quelled by simply reading up on what a cookie is, and playing with them for a while. Again, I would encourage you to read the specs and browse through sites such as Cookie Central.

What about privacy issues?

Good question. Cookies are often used by marketing groups such as DoubleClick to target ads directly at you. What DoubleClick does is have web sites embed links for advertising images that point at DoubleClick's web server. In this way DoubleClick can serve up the ad of its choice to your browser, and in the process send a cookie to your browser. This cookie uniquely identifies your browser to DoubleClick. Any time you click on a DoubleClick-served ad, or visit a page that uses DoubleClick's advertising service, an anonymous profile keyed to your browser's cookie is built up. If DoubleClick notices that you (or more specifically, your browser) often visit sites related to soda pop, it may start delivering advertisements to your browser that specifically advertise Coca-Cola. All of this is accomplished through a single cookie and an extensive network of web pages using DoubleClick's services.

This of course is a privacy issue more than a technical computer security issue, and is very similar to the problems people have with direct marketers purchasing magazine subscription lists, or performing phone surveys. The problem is that people are gathering information about your browsing habits and building profiles about you without your knowledge. This becomes even more serious if someone decided to link personal data to your cookie.

For instance, Microsoft's support site links your browser's cookie to their database of support clients. You have to register yourself before you can use their site, and if you were to delete your cookie Microsoft's site would ask you to identify yourself again before allowing you into the support area. The intent here, of course, is to gather demographic data about support problems, client problems, and customer service issues. In effect you bargain away your anonymity in exchange for free technical support. The real issue isn't that Microsoft is gathering demographic information about you, but rather that they may be gathering this information without your knowledge.

Cookie Tips

One last interesting trick I picked up from Cookie Central is this. If you would like to see the cookies for a particular site without laboriously filtering through your cookies file, and you have JavaScript enabled, you can do the following. Go to a site that uses cookies. Once you are there, type javascript:alert(document.cookie); in the location bar. This will list all the cookies available to that particular page, that is, the ones whose domain and path match the page you are on; cookies set for other paths on the same site will not appear.
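What the alert shows is a single string of name=value pairs separated by semicolons, and assigning a similar string back to document.cookie is how a page updates or deletes one cookie. The following is an added example, not code from the original article or from Cookie Central: it parses that string and builds the strings you would assign back, so you can try the same trick from the location bar. The sample cookie string is constructed; the hypothetical last_visit cookie is just an illustration of the "last time you visited" use mentioned earlier.

```javascript
// Added example, not code from the original article. Parses the string
// that document.cookie returns and builds strings to assign back to it.
// Works offline on a constructed string; in a browser you would pass
// document.cookie itself.

// "id=37ed09a6; last_visit=1998-07-03" -> { id: ..., last_visit: ... }
function parseDocumentCookie(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;               // skip malformed fragments
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name) cookies[name] = decodeURIComponent(value);
  }
  return cookies;
}

// Build a "name=value; expires=...; path=...; secure" string. Assigning it
// to document.cookie updates just that one cookie; the others are untouched.
// `now` is a hypothetical parameter so that examples are reproducible.
function setCookieString(name, value, opts = {}) {
  const { days, path = '/', domain, secure = false, now = Date.now() } = opts;
  let s = `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
  if (days !== undefined) {
    s += `; expires=${new Date(now + days * 86400000).toUTCString()}`;
  }
  if (domain) s += `; domain=${domain}`;
  s += `; path=${path}`;
  if (secure) s += '; secure';
  return s;
}

// There is no "delete" call: a cookie is removed by overwriting it with an
// expiry date in the past, using the same domain and path it was set with.
function deleteCookieString(name, opts = {}) {
  return setCookieString(name, '', { ...opts, days: -1 });
}

// Constructed sample of what alert(document.cookie) might show.
const SAMPLE_DOCUMENT_COOKIE = 'id=37ed09a6; last_visit=1998-07-03; badfragment';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(parseDocumentCookie(SAMPLE_DOCUMENT_COOKIE));
  console.log(setCookieString('last_visit', '1998-07-10', { days: 30, secure: true }));
  console.log(deleteCookieString('id'));
}
```

To use it from the location bar, replace the console.log calls with assignments such as javascript:document.cookie='last_visit=1998-07-10; path=/'; the browser only lets a page set cookies for its own domain, so this is a way to change your own cookies, not anyone else's.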

What can I do?

Since cookies are controlled by the browser, you have a fair bit of control over the situation. If you are using Netscape Navigator 4, for example, you have several options. You can allow all cookies; you can allow only cookies that come from the server serving the page you requested, which eliminates the situation where DoubleClick serves a single image with a cookie and the rest of the page comes from where you would expect; or you can deny all cookies. One other option is to ask Navigator to warn you before setting cookies. This sounds great at first, but quickly becomes tiresome, particularly when you visit a site like Expedia where a cookie seems to be set on every page. The constant “Do you want to accept this cookie?” dialogs become meaningless.

In addition, I frequently look through my cookies file manually and delete the lines for sites I don't care about. Again, for the Netscape users in the crowd, this file is located in:

C:\Program Files\Netscape\Users\<User>\cookies.txt

With Internet Explorer under NT, cookies are stored in individual files under:

%SYSTEMROOT%\Profiles\<User>\Cookies\

Feel free to delete whichever ones you choose. You control your own cookies.

To conclude:

  1. Cookies are small bits of data stored by your browser on behalf of some web server.
  2. Cookies do not allow hackers to steal files, sniff passwords, or snatch credit card numbers.
  3. Cookies are only sent back to the domain and path that set them.
  4. Cookies can be, and are, used to gather demographic information about your browsing habits.
  5. You can control your cookies. You can deny all, delete them at will, and even change them if you wish.

Chris Grant

pintday.org » Fresh every Tuesday.