HTTP cookie

A HTTP magic cookie (usually called simply a cookie) is a packet of information sent by a server to a World Wide Web browser and then sent back by the browser each time it accesses that server. Lou Montulli, a former employee of Netscape Communications, was the first to apply the cookie technique in web communications.

Contents

1 Purpose 2 Permission 2.1 Microsoft Internet Explorer 2.2 Mozilla Firefox 2.3 Apple Safari 2.4 Konqueror 3 Permanence 4 Identification 5 Opposition to cookies 5.1 Inaccurate identification 5.2 Privacy, anonymity and advertising 6 Cookie theft and poisoning by cross site scripting based attacks 7 Alternatives to Cookies 8 References 9 External links

Purpose

Cookies can contain any arbitrary information the server chooses and are used to introduce state into otherwise stateless HTTP transactions. Absent cookies, each retrieval of a web page (technically, each component of a web page) from a web site is an isolated event, virtually unrelated to all other views of the site's pages. By returning a cookie to a web server, the browser provides the server a means of connecting the current page view with prior page views. Typically this is used to authenticate or identify a registered user of a web site as part of their first login process or initial site registration without requiring them to sign in again every time they access that site. Other uses are maintaining a "shopping basket" of goods selected for purchase during a session at a site, site personalisation (presenting different pages to different users), and tracking a particular user's access to a site.

Permission

A browser may or may not allow the use of cookies. The user can usually choose a setting.

Microsoft Internet Explorer

Tools > Internet Options > Privacy Tab

• Use slider to set options, or use advanced options

Mozilla Firefox

Tools > Options > Privacy

(Note: On Linux this may appear as Edit > Preferences > Privacy, on the Mac as Firefox > Preferences > Privacy)

• Set options under Cookies
  • Exceptions allows per domain settings of block/allow
  • View Cookies opens a cookie management window, showing details of stored cookies, allowing them to be deleted or blocked

Apple Safari

Safari > Preferences > Security Tab

• Select one of the following options
  • Always accept cookies
  • Never accept cookies
  • Accept cookies only from sites you navigate to (for example, not from advertisers on those sites) Selected by default.

You may also view every cookie that is currently residing in your browser and delete any of them at will.

Konqueror

• Remember to place the dot in front of the domain name .wikipedia.org otherwise wikipedia will not read the cookie (in KDE 3.3) when unlisted cookies are set to be rejected in Settings.

Permanence

A cookie often stays on the user's computer for use in the next session (though it can be erased by the user in between), but it can also be for use within a session and be erased at the end of the session.

Identification

If more than one browser is used on a computer, each has a separate storage area for cookies. Hence cookies do not identify a person, but a combination of a computer and a web browser. Thus, a single person who uses multiple browsers and/or computers will have a distinct set of cookies for each computer/browser combination. On the other hand, cookies do not differentiate between multiple users who share a computer and browser, unless they use different user accounts.

Opposition to cookies

Some people are opposed to the use of cookies on the Web. Below are some of their reasons.

Inaccurate identification

See above.

Privacy, anonymity and advertising

Cookies also have some important implications with respect to a user's privacy and anonymity on the web. One way is that some companies monitor users' visits to disparate web sites for marketing purposes. Some sites contain images called web bugs (that are transparent and only one pixel in size, so that they are not visible) that place cookies on all computers that access them. E-commerce websites can then read those cookies, find out what websites placed them, and send e-mail spam advertisements for products related to those websites.

Companies that use this system defend it as an effective way to give consumers access to products in which they are likely to be interested. If sites that place these tracking cookies are paid by the commercial operator, the revenue can allow them to place their content online at no cost to the creators.

Sweden has passed legislation concerning cookies, mandating that sites that use them include a statement to that fact, and includes instructions on how the user can avoid them.

Article 5 Paragraph 3 of the 2002 EU telecommunication privacy Directive requires that users are informed of any cookie and have the right to refuse it. However, the December 2004 report of the EU Commission on the implementation of the directive says on page 38 that this provision is generally not implemented and a thorough analysis of the situation in the Member States is justified.

Cookie theft and poisoning by cross site scripting based attacks

Even if cookies are not dangerous per se, they contain information corresponding to a particular context: user, computer, web browser, and above all domain served by the web server from where it originated. Bypassing this context, i.e. having this information "leak" out of this context, is undesirable for the user, especially when the cookie data contains personal information. This bypassing in turn represents a valuable undertaking for an attacker. Cross site scripting is the tool of choice to achieve this goal. Among the threats of cross site scripting attacks, cookie theft and cookie poisoning present a risk to the user, in that they enable a transgression of the context and the trust it carries.

• cookie theft: gathering of the user's cookie, sent to the attacker's website. The attacker can then use the cookie information for session hijacking of the user's account on the trusted/affected website.
• cookie poisoning: bypassing the security mechanism of context based trust, the attacker can inject code resulting in a modification of the cookie content, hence making the attack persistent.

Alternatives to Cookies

Due to the limitations and oppositions to cookies above, there are a few possible alternatives.

• The Brownie project [1] is an open source project at SourceForge. Brownies were to be for sharing across multiple domains, as opposed to cookies that are (supposedly) constrained to a single domain. The project is no longer in development.
• P3P is a protocol designed to give users more control of their personal information, such as cookies, when browsing Internet websites.
• Session variables are unique query strings appended to URLs that permit the server to match a session with a user without the use of cookies.

References

External links

• RFC 2965 HTTP State Management Mechanism — current cookie specification (obsoletes RFC 2109) (IETF)
• Persistent client state - HTTP cookies - Preliminary specification (Netscape)
• Session Fixation (PDF)
• The unofficial cookie faq
• Cookies in JavaScript
• "Can you show me what XSS cookie theft looks like?" (excerpt from the Cgisecurity Cross Site Scripting FAQ)
• CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests : cf. 'Attacks May Be Persistent Through Poisoned Cookies' paragraph
• description of a cookie poisoning attack
• Are Cookies Dangerous An article explaining what cookies are and what to be careful of.
• SurferBeware.com Internet Cookie FAQ — Very comprehensive FAQ for cookies. How they work, their uses, threats to privacy and even Microsoft compliance policies.
• Cookie Central

See also: HTTP cookie, Anonymity, Apple Computer, Cross site scripting, E-commerce, Free On-line Dictionary of Computing, GNU Free Documentation License, HTTP, Internet Engineering Task Force