
[CyberArmy] Feature: What the hell is a Cookie ?



Posted by Author 1746 On 2007-04-29 10:01:40






Feature: What the hell is a Cookie ?

Category: CyberArmy

Summary: In addition to being a favorite snack for millions, a "cookie" is a computer science term for an opaque packet of data that a program receives and later hands back unchanged (a "magic cookie"), and is used to describe a small text record sent by a server which is then stored on the user's computer. In theor

Body
Lou Montulli, a former employee of Netscape Communications, wrote the cookie specification for Navigator 1.0, which was the first browser to use this technology. That specification set the minimum storage a browser should provide:

* 300 total cookies for the entire browser.
* 4K per cookie (4096 bytes), including the identifying name as well as the data.
* 20 cookies per server or domain.

Browsers still honour these figures as minimums (RFC 2109 adopted the same three limits), and most allow considerably more. The practical consequence is that a cookie cannot carry much: a server that needs more state keeps it on its own side and stores only an identifier in the cookie.

Cookies were originally intended to work without the user's notice or consent, and to benefit the user by remembering such things as user IDs, preferences and settings, as well as billing and shipping details for purchases, so that the same form need not be filled in on every visit to the same site. An online vendor can read the user's cookie, match it to a stored profile, and thereby recognise the user and keep a shopping cart for the session. Note that the cookie should carry an identifier for that profile, not the password or card number itself: anything placed in the cookie sits in a plain text file on the user's machine and travels with every matching request.

Websites could also benefit by tracking user activity to determine use patterns that allow site improvement. A webmaster can determine:

* How many visitors arrive.
* How many are new vs. repeat visitors.
* How often a visitor has visited.
* Which pages are accessed.

How cookies work

A cookie is set by the server, normally through a Set-Cookie response header produced by server-side code such as a CGI script, or by client-side JavaScript running in the browser (document.cookie). Either way it is simply a piece of data. It is not a program and cannot do anything except be handed back to the site that set it.

In the first stage of a cookie transaction, the server sends the browser one or more name-value pairs in a Set-Cookie header and the browser stores them. For example, a website might generate a unique ID number for each visitor and store that ID in a cookie. The cookie can contain any information the server chooses; this is how "state" is introduced into an otherwise "stateless" HTTP transaction.

During the second stage, the cookie is read back by the server. Whenever the browser requests a page from a host that matches the cookie's domain and path, it transmits the stored name-value pairs to that server in a Cookie request header. If a cookie is marked Secure, it is sent only over an encrypted channel; in practice this means only to HTTPS (HTTP over SSL/TLS) servers. Without the Secure attribute a cookie is sent in the clear over plain HTTP as well, where anyone on the network path can read or replay it. Secure governs only transmission: it does not stop script on the site from reading the cookie, and at the time of writing a plain-HTTP response from the same host can still set or overwrite a cookie of the same name.
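The two stages above, worked through as an added example (this is editor-written illustration code, not code from the original article or from any browser). It parses Set-Cookie headers into stored cookies and then applies the rules a browser uses to decide which cookies go back on a given request: exact-host versus Domain matching, Path matching, the Secure flag and expiry. The host www.dotcom.com and all cookie names and values are constructed; the Expires dates are arbitrary.

```python
"""Toy cookie jar: how a browser decides which stored cookies to send.

Added example, not code from the original article. The host names,
cookie names and values below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                         # host (or Domain attribute) the cookie belongs to
    host_only: bool = True              # no Domain attribute: exact host match only
    path: str = "/"
    secure: bool = False                # send over HTTPS only
    expires: Optional[datetime] = None  # None = session cookie, gone when the browser closes


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse one Set-Cookie header value the way a browser does.

    The first item is name=value; the rest are attributes, matched
    case-insensitively. Without a Domain attribute the cookie is bound to
    the exact host that sent it.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=request_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()
            cookie.host_only = False
        elif key == "secure":
            cookie.secure = True
        elif key == "expires":
            cookie.expires = parsedate_to_datetime(val)
    return cookie


def domain_matches(request_host: str, cookie: Cookie) -> bool:
    """Host-only cookies need an exact host; Domain=dotcom.com also covers
    www.dotcom.com but never baddotcom.com."""
    host = request_host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Path=/docs matches /docs and /docs/x but not /docsx."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_to_send(jar: List[Cookie], url: str, now: Optional[datetime] = None) -> List[Cookie]:
    """Select the cookies a browser would attach to a request for url."""
    now = now or datetime.now(timezone.utc)
    u = urlsplit(url)
    host, path = (u.hostname or "").lower(), u.path or "/"
    chosen = []
    for c in jar:
        if c.expires is not None and c.expires <= now:
            continue                         # expired: treated as deleted
        if c.secure and u.scheme != "https":
            continue                         # Secure: never over plain HTTP
        if domain_matches(host, c) and path_matches(path, c.path):
            chosen.append(c)
    return chosen


def cookie_header(cookies: List[Cookie]) -> str:
    """Format the Cookie request header (attributes are never sent back)."""
    return "; ".join(f"{c.name}={c.value}" for c in cookies)


def demo() -> dict:
    """Four Set-Cookie headers from www.dotcom.com (constructed), then three requests."""
    host = "www.dotcom.com"
    jar = [
        parse_set_cookie("UserID=INF123ONU4VISITS; Path=/; Expires=Fri, 31 Dec 2027 23:59:59 GMT", host),
        parse_set_cookie("session=9f2c8e41; Path=/account; Secure", host),
        parse_set_cookie("prefs=lang%3Den; Domain=dotcom.com; Path=/", host),
        parse_set_cookie("old=stale; Expires=Thu, 01 Jan 2004 00:00:00 GMT", host),
    ]
    now = datetime(2007, 4, 29, tzinfo=timezone.utc)   # the article's publication date
    return {
        "https_account": cookie_header(cookies_to_send(jar, "https://www.dotcom.com/account/", now)),
        "http_root": cookie_header(cookies_to_send(jar, "http://www.dotcom.com/", now)),
        "https_subdomain": cookie_header(cookies_to_send(jar, "https://shop.dotcom.com/", now)),
    }


if __name__ == "__main__":
    for label, header in demo().items():
        print(f"{label}: Cookie: {header}")
```

Running demo() shows the three rules at once: the Secure session cookie appears only on the HTTPS request under /account, the expired cookie never appears, and only the cookie with an explicit Domain attribute follows the user to shop.dotcom.com. That last point is why a Domain attribute should be set as narrowly as possible: a cookie for dotcom.com is sent to every host under it, including any that an attacker controls or can inject content into.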


Identification

Cookie information can be used during the first session and it often stays on the user's computer for later use. The cookie setter can specify an expiration date, after which the browser discards the cookie. If no date is given, the cookie is a session cookie and is discarded when the user quits the browser. A user may also delete the cookie at any time. A path (and a domain) may also be specified so that the site can associate different cookie values with different parts of the site.

Cookies do not identify a person, but a combination of a computer and a browser. If more than one browser is used on a computer, each one has its own storage area for cookies. A single user who uses multiple browsers or computers will have a distinct set of cookies for each computer/browser combination. If several users share the same computer/browser they will use the same set of cookies unless they use different operating-system accounts or browser profiles.


Permissions

Most browsers allow some form of cookie control, and several add-on applications can alter cookie attributes such as expiration dates, or strip the stored data, to limit misuse of user information while still allowing useful functions by trusted sites.

How to see your cookie code

Open your browser's cookie viewer, or the cookie file itself, and each cookie appears as a short string of text and numbers. The value is your unique identifier for that site. For example, if you visit dotcom.com and the site has placed a cookie, the entry looks like this:

    UserID INF123ONU4VISITS www.dotcom.com/

In this example dotcom.com has stored a single name-value pair. The name of the pair is UserID and the value is INF123ONU4VISITS; the third field is the host and path the cookie will be returned to. A site can store several name-value pairs, and a single value can itself encode several fields.


Opposition to Cookies: Privacy and Anonymity

Internet privacy advocates have quite a number of concerns about cookies. A user's IP address, browser type and previously visited page (the Referer header) are already visible to every server from the request itself, and scripting can sometimes add an approximate location; a name becomes available the moment the user types it into a form. That's only part of the problem.

If you've been surfing the Net, chances are you have a cookie from someone like "doubleclick.net" without ever having visited their site. How, if a cookie is only supposed to be placed and read by the site you visit? What happened is that you visited a site that "subscribes" to the DoubleClick service and embeds an advertisement or image served from doubleclick.net in its pages. Your browser fetches that resource directly from doubleclick.net, so for that one request doubleclick.net is the site being visited: the request carries any DoubleClick cookie you already have plus a Referer header naming the page you were on, and if you don't have the cookie the response places one, allowing you to be tracked from that point on across every subscribing site. Such a cookie is called a third-party cookie because it comes from a host other than the one in the address bar.
Some sites contain images called web bugs (generally one pixel in size, and clear, so they are not visible) whose only purpose is to place and read such cookies on every computer that loads the page.
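The mechanism described above, as an added example (editor-written illustration, not code from the article and not DoubleClick's software). A toy tracker serves a one-pixel image embedded on several publisher pages; a toy browser fetches it, sending back any tracker cookie it holds and a Referer naming the page. The tracker assigns an ID on first contact and builds a profile of pages per ID. A second run with third-party cookies refused (the "accept cookies only from sites you navigate to" setting) shows the profile falling apart. The host names ads.tracker.example, www.news.example and www.shop.example, the page URLs and the profile format are all constructed.

```python
"""Simulation of third-party (advertiser) cookies and Referer-based tracking.

Added example, not code from the original article. The publisher and
tracker host names, the page URLs and the profile format are constructed.
"""
import secrets
from collections import defaultdict
from urllib.parse import urlsplit


class Tracker:
    """The advertising server. Every subscribing site embeds its 1x1 pixel."""
    HOST = "ads.tracker.example"   # constructed

    def __init__(self):
        self.profiles = defaultdict(list)   # cookie id -> pages the user was seen on

    def serve_pixel(self, cookie_header, referer):
        """Handle a GET for the pixel. Returns the Set-Cookie header, or None."""
        uid = None
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == "uid":
                uid = value
        set_cookie = None
        if uid is None:                      # first sighting: mint an id and plant it
            uid = secrets.token_hex(8)
            set_cookie = f"uid={uid}; Path=/; Expires=Fri, 31 Dec 2037 23:59:59 GMT"
        # The Referer names the page that embedded the pixel, so the tracker
        # learns where the user is without the publisher sending anything.
        self.profiles[uid].append(referer)
        return set_cookie


class Browser:
    """Minimal browser: one cookie store per host; embedded resources get a Referer."""

    def __init__(self, block_third_party=False):
        self.cookies = defaultdict(dict)   # host -> {name: value}
        self.block_third_party = block_third_party

    def visit(self, page_url, tracker):
        page_host = urlsplit(page_url).hostname
        # Loading the page triggers a request for the tracker's pixel, and that
        # request carries whatever cookies the browser holds for the tracker's host.
        cookie_header = "; ".join(f"{n}={v}" for n, v in self.cookies[tracker.HOST].items())
        set_cookie = tracker.serve_pixel(cookie_header, referer=page_url)
        if set_cookie is None:
            return
        if self.block_third_party and tracker.HOST != page_host:
            return                           # refuse cookies from hosts not in the address bar
        name, _, value = set_cookie.split(";")[0].partition("=")
        self.cookies[tracker.HOST][name] = value


PAGES = [                                    # constructed browsing history
    "http://www.news.example/politics/abortion-debate",
    "http://www.shop.example/cart",
    "http://www.news.example/health/depression",
]


def simulate(block_third_party=False):
    """Return the tracker's profiles after one user visits every page in PAGES."""
    tracker, browser = Tracker(), Browser(block_third_party)
    for url in PAGES:
        browser.visit(url, tracker)
    return dict(tracker.profiles)


if __name__ == "__main__":
    print("third-party cookies accepted:", simulate())
    print("third-party cookies blocked: ", simulate(block_third_party=True))
```

With cookies accepted, simulate() returns a single ID whose profile lists all three pages on two unrelated sites, including the sensitive paths the text warns about. With them blocked, the tracker mints a fresh ID on every request and ends up with three one-page profiles it cannot join together (absent other identifiers such as the IP address).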

Information trackers are currently using cookies to develop detailed profiles of users and their browsing and buying habits. Each click on a particular type of advertisement or page in a website is added to the profile maintained by the trackers.
These profiles may be sold and resold to other commercial interests leading to further invasions of personal privacy. If any one of the trackers links a user identity to a cookie ID, that information could also be resold.
While this might seem unimportant, there are more serious concerns. In addition to extensive information on personal interests, individuals who visit controversial sites for information on abortion, birth control, capital punishment, mental or physical illness, gun control or even religion might find themselves subjected to harassment by individuals or special-interest groups.

Anyone who utilizes search engines that use cookies may be tracked in this manner. Both Infoseek and Lycos Inc. have the stated aim of creating a tracking system which would build highly detailed profiles of user search patterns. By matching the cookie identification with a user profile, the user's past search history can be accessed.
If these records are sold to, or accessed by entities such as employers, insurance companies, law enforcement or government, there is the possibility of serious privacy invasion and harm caused by inaccurate or misleading information.


Cookies and Advertising

With the increased commercialization of the Net, it was inevitable that cookies would be used for advertising. Since cookies can be matched to the profile of a user's interests and browsing habits, they are a natural tool for targeting advertisements to individual users. Marketers (such as doubleclick Inc.) began to utilize cookies to target users with rotating banner ads that placed cookies from large numbers of advertisers on many websites. Meanwhile the average user may not always realize that the cookie is coming from an advertiser rather than the website itself.

Given the size of the revenues involved, it is not surprising that advertisers objected to proposed restrictions on the use of cookies. RFC 2109 ("HTTP State Management Mechanism", 1997) was an IETF proposed standard laying down guidelines for cookie use by websites and browsers. One item of particular concern to advertisers was section 7.1, which states: "An origin server could create a Set-Cookie header to track the path of a user through the server. Users may object to this behavior as an intrusive accumulation of information, even if their identity is not evident... This state management specification therefore requires that a user agent give the user control over such a possible intrusion..." (RFC 2109, section 7.1)

Advertisers' objections were based on no longer being able to track users across multiple websites served with banner advertising that originates from a single company. RFC 2109 was not implemented as written, but browser designers began including options for users to reject cookies if they chose to, although the browser default remained to accept them.

Poisoning and theft

Having data contained in cookies read by servers that did not set them is undesirable for the user, especially when the cookie identifies a logged-in session or contains personal information. The browser only hands a cookie to pages and scripts of the site that set it, so an attacker who wants it must get code running inside that site: cross-site scripting (XSS) is the tool of choice. Two attacks follow from it, and both are serious for the user:

* cookie theft: script injected into the trusted site reads document.cookie and sends it to the attacker's server. The attacker then presents the cookie as their own and hijacks the user's session on the trusted site. For example, your online bank account could be accessed by an attacker using your cookie data. Marking the cookie HttpOnly keeps it out of reach of script, and a short expiry limits how long a stolen copy is useful.
* cookie poisoning: the attacker modifies cookie content, by injected script, an intercepting proxy, or simply editing the cookie file, so that the server reads values the attacker chose. This widens the scope of the attack wherever the server trusts what the cookie says (a user name, a role, a price) instead of treating it as an opaque identifier to be looked up server-side, or signing it so that tampering is detected.
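Poisoning, and the server-side defence against it, as an added example (editor-written illustration, not code from the article). The first handler keeps the user name in the cookie and believes it, so setting user=admin is enough. The hardened handler stores only a random session ID, looks the user up in its own table, and HMAC-signs the ID so an edited or guessed value is rejected before any lookup; the Set-Cookie it emits carries Secure and HttpOnly. The secret key, session table, user names and header strings are constructed.

```python
"""Cookie poisoning and theft: a server that trusts its cookie, and a hardened one.

Added example, not code from the original article. The secret key, the
session store, the user names and the header strings are constructed.
"""
import hashlib
import hmac
import secrets


def parse_cookie_header(header):
    """'a=1; b=2'  ->  {'a': '1', 'b': '2'}"""
    out = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out


# --- vulnerable: the user name itself lives in the cookie and is believed as-is.
# Anyone can edit their cookie file (or inject script) to make it read user=admin.
def vulnerable_whoami(cookie_header):
    return parse_cookie_header(cookie_header).get("user")


# --- hardened: the cookie carries only an opaque random session id; the
# server's own table says who it belongs to. The id is HMAC-signed so a
# tampered or guessed id is rejected before any lookup.
SECRET = secrets.token_bytes(32)   # constructed; in practice loaded from config, never sent to the client
SESSIONS = {}                      # session id -> user name


def sign(session_id):
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def issue_session(user):
    """Log a user in: return the Set-Cookie header the server would emit."""
    session_id = secrets.token_urlsafe(24)          # 192 random bits, unguessable
    SESSIONS[session_id] = user
    value = f"{session_id}.{sign(session_id)}"
    # Secure: never over plain HTTP. HttpOnly: invisible to document.cookie,
    # so an XSS payload cannot simply read it and post it to the attacker.
    return f"Set-Cookie: session={value}; Path=/; Secure; HttpOnly"


def hardened_whoami(cookie_header):
    value = parse_cookie_header(cookie_header).get("session", "")
    session_id, _, signature = value.rpartition(".")
    if not session_id or not hmac.compare_digest(signature.encode(), sign(session_id).encode()):
        return None                                  # poisoned or forged cookie
    return SESSIONS.get(session_id)


def cookie_value(set_cookie_header):
    """Pull the session=... value out of a Set-Cookie header (the browser's job)."""
    return set_cookie_header.split("session=", 1)[1].split(";", 1)[0]


def demo():
    """Returns (legit, forged_on_vulnerable, tampered, guessed)."""
    value = cookie_value(issue_session("alice"))
    legit = hardened_whoami(f"session={value}")                    # alice
    forged = vulnerable_whoami("user=admin")                       # admin: poisoning works
    tampered = hardened_whoami(f"session={value[:-1]}x")           # signature no longer matches
    guessed_id = value.split(".")[0][:-1] + "Q"                    # an id the server never issued
    guessed = hardened_whoami(f"session={guessed_id}.{'0' * 64}")  # bad signature, rejected
    return legit, forged, tampered, guessed


if __name__ == "__main__":
    print(demo())
```

Note what the signature does and does not buy: it defeats poisoning, because the client cannot produce a valid signature for a value it made up, but it does nothing against theft, since a stolen cookie is a valid cookie. Against theft the relevant controls are HttpOnly and Secure on the cookie, a short lifetime, and invalidating the session server-side on logout.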

The Future of Cookies
Cookies have aroused a great deal of controversy from the start. Media coverage has been largely negative, and given the increasing usability of browser options and add-on applications to disable or remove them, cookies may well become obsolete. A number of alternatives have been proposed, such as session identifiers carried in unique query strings appended to URLs, which let the server match a session with a user without cookies. These bring problems of their own: a session ID in the URL is written to proxy and server logs, leaks to other sites in the Referer header, and survives in bookmarks and shared links, so it is easier to steal than a cookie, not harder.

As more users become aware of the privacy and security issues surrounding cookies, it is hoped the reaction to the companies that misuse them will bring about appropriate change and legislation will likely follow.

How to find and control your cookies

Cookies are saved to a simple text file (or, in Internet Explorer, a folder of small files) that you can delete as you please. In order to do this properly, remember to close your browser first. This is because all your cookies are held in memory until you close your browser. So, if you delete the file with your browser open, it will write a new file when you close it, and your cookies will be back.

Remember that deleting your cookie file entirely will cause you to "start from scratch" with every web site you usually visit, so it may be preferable to remove only the cookies you don't want. I have included some legacyware here, so if you want to surf nostalgically you can do it a bit safer.
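The "simple text file" of Netscape and Firefox 2 uses the cookies.txt format, one tab-separated line per cookie; curl and wget still read and write it. The following reader and filter is an added example (editor-written, not code from the article or from any browser) for doing selectively what the paragraph above recommends: dropping expired cookies and those belonging to named tracker domains while keeping the rest. The file contents in SAMPLE are constructed, as are the domains and values in it.

```python
"""Reader and filter for the Netscape cookies.txt format.

Added example, not code from the original article. The file contents in
SAMPLE are constructed; the domains and values are illustrative.
"""
import time
from dataclasses import dataclass
from typing import List

# Each cookie is one tab-separated line: domain, subdomain flag, path,
# secure flag, expiry (unix time, 0 = session cookie), name, value.
# A leading "#HttpOnly_" on the domain (as written by curl) marks HttpOnly.
SAMPLE = """# Netscape HTTP Cookie File
# This is a generated file!  Do not edit.

.dotcom.com\tTRUE\t/\tFALSE\t1830297599\tUserID\tINF123ONU4VISITS
www.dotcom.com\tFALSE\t/account\tTRUE\t0\tsession\t9f2c8e41
.doubleclick.net\tTRUE\t/\tFALSE\t1072915200\tid\t80000000
#HttpOnly_.bank.example\tTRUE\t/\tTRUE\t1830297599\tauth\tabc123
"""


@dataclass
class StoredCookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: int        # unix seconds; 0 means a session cookie
    name: str
    value: str
    http_only: bool = False


def parse_cookies_txt(text: str) -> List[StoredCookie]:
    cookies = []
    for line in text.splitlines():
        http_only = False
        if line.startswith("#HttpOnly_"):
            http_only = True
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue                     # blank line or comment
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"malformed cookies.txt line: {line!r}")
        domain, flag, path, secure, expires, name, value = fields
        cookies.append(StoredCookie(domain, flag == "TRUE", path, secure == "TRUE",
                                    int(expires), name, value, http_only))
    return cookies


def filter_cookies(cookies, now=None, drop_domains=()):
    """Keep only live cookies that do not belong to the listed (tracker) domains."""
    now = time.time() if now is None else now
    kept = []
    for c in cookies:
        if c.expires and c.expires <= now:
            continue                     # expired; the browser would drop it too
        bare = c.domain.lstrip(".")
        if any(bare == d or bare.endswith("." + d) for d in drop_domains):
            continue
        kept.append(c)
    return kept


def to_cookies_txt(cookies) -> str:
    lines = ["# Netscape HTTP Cookie File"]
    for c in cookies:
        lines.append("\t".join([
            ("#HttpOnly_" if c.http_only else "") + c.domain,
            "TRUE" if c.include_subdomains else "FALSE",
            c.path,
            "TRUE" if c.secure else "FALSE",
            str(c.expires),
            c.name,
            c.value,
        ]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    live = filter_cookies(parse_cookies_txt(SAMPLE), drop_domains=("doubleclick.net",))
    print(to_cookies_txt(live), end="")
```

Run it against a real cookies.txt only with the browser closed, for the reason given above, and write the result to a new file rather than over the original. The session cookie (expiry 0) is kept because the browser itself will discard it on exit; the flag columns are preserved exactly so the browser reads the rewritten file back unchanged.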


In Mozilla Firefox:

Tools > Options > Privacy
(Note: on Linux this may appear as Edit > Preferences > Privacy, on the Mac as Firefox > Preferences > Privacy)

* Set options under Cookies
1. Exceptions allows per domain settings of block/allow.
2. View Cookies opens a cookie management window, showing details of stored cookies, allowing them to be deleted or blocked.
3. You can choose not to accept cookies from sites you have deleted cookies from.

There are extensions such as Cookie Culler to extend your options for cookie management.
Be sure to check whether sites are also setting cookies in Internet Explorer's cookie folder on Windows even though you use Firefox; other programs that embed the IE engine use that store.


In Netscape:

To view cookies and preferences if you're using Netscape 4.0 through 6.0, on the menu bar click:
1. Edit, then
2. Preferences
3. Click on Advanced
4. Click on Cookies
5. Set your options in the Cookies box


In Internet Explorer:

To See Cookies:
If you're using Internet Explorer 5.0 or 6.0:
1. Choose Tools, then
2. Internet Options
3. Click the General tab
4. Click Settings
5. View Files

Also, if you're using Internet Explorer 6.0:
1. Choose Tools, then
2. Internet Options
3. Click the Privacy Tab
4. Click on Custom Level
5. Click on the 'Advanced' button
6. Check the 'override automatic cookie handling' box and select Accept, Block or Prompt for action as you feel appropriate.

Also, if you are using 5.0 or 5.5:
1. Choose Tools, then
2. Internet Options
3. Click the Security tab
4. Click on Custom Level
5. Scroll down to the sixth option and change to Accept, Disable, or Prompt for cookies as you feel appropriate.

If you're using Internet Explorer 4.0:
1. View, then
2. Internet Options
3. Under the tab General (the default tab) click
4. Settings
5. View Files

Also, click:
1. View, then
2. Internet Options
3. Click the Advanced tab
4. Scroll down to the yellow exclamation icon under Security and choose one of the three options to regulate cookies.

If you're using Internet Explorer 3.0:
1. View
2. Options
3. Advanced
4. View Files
Also click:
1. View
2. Options
3. Advanced
4. Click on the button that says Warn before Accepting Cookies.


In Apple Safari:

Safari > Preferences > Security tab

* Select one of the following options:
1. Always accept cookies
2. Never accept cookies
3. Accept cookies only from sites you navigate to (this refuses third-party cookies, such as those set by advertisers embedded in the sites you visit). Selected by default. You may also view every cookie that is in your browser and delete any you wish.


This article was imported from zZine. (original author: 1746)

