cookies explained


Overview.
In the context of the World Wide Web, a cookie is simply a short piece of text passed back and forth between a web browser (the software used to view web pages) and a web server (the software used to 'publish' the pages on the web).

The most common use of cookies is to identify a visitor to a web site.
In this case the text sent back and forth between browser and server is often simply a code that uniquely identifies that visitor. This allows the site to be tailored to each visitor.

Other common uses for cookies include:

  • Tracking visitors to web sites.
  • Temporarily storing data while a form is filled in over more than one web page.
  • Tailoring advertising to individuals.

Used properly, cookies are a useful tool that allows web sites to be tailored to individual visitors, and they can form the basis of sophisticated marketing tools.
When abused, however, cookies raise mild security and strong privacy concerns.

How cookies work.
When you click a link or enter a web address in your browser it sends a request to a web server. This request asks the server to send the specified file to your browser.
If the file describes a web page the browser will try and display it, making further requests to the server for other files, such as images, that are required to display the page properly.
The format of the requests and responses exchanged between browser and server is specified by a standard called the HyperText Transfer Protocol (HTTP).
An HTTP request or response consists of the request or response itself (which may include a file) and an 'HTTP header'.
The HTTP header contains information that facilitates the transfer of data from browser to server and vice versa.

The web server treats each request independently. It does not associate requests with a specific browser, computer, user or web site. In fact, web servers are pretty dumb - which is why they tend to be reliable. It's up to the web site to provide the intelligence.

A web site is simply a collection of related files available from a web server.
These files can be stored on the web server's hard drive (static pages), generated 'on-the-fly' by programs running on the web server (dynamic pages), or be a combination of both dynamic and static pages.

The creator of the site can set it up to add one or more 'cookies' to the responses from the web server.
A cookie consists of an expiry date, some other details and a piece of text.
This text can be anything the web site creator wants, often an ID number or user preferences, but it must be fairly short.

As well as the requested file, the server sends the cookie, hidden in the 'headers' of the response it returns. When the browser sees the cookie it stores it on your hard drive, noting details such as the expiry date and the server that sent the cookie.
Every time the browser makes a request to a server, it adds the text from all cookies that originated on that server to its request before sending the request to the server.

The web server then sees the cookie data in the request and makes the text in the cookie available to the programs that generate the web site.
These programs can be set up to act on the text in whatever way the site creator wants.
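The browser's side of the exchange described above, as an added example that is not code from this page or from any real browser: a minimal 'cookie jar' that parses a Set-Cookie response header, records which server sent it and when it expires, and builds the Cookie request header for later requests to that server. It also honours the 'secure' attribute that the page discusses further on, so that a secure cookie is never attached to a plain HTTP request. The host names and cookie values are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


class CookieJar:
    """Constructed model of a browser's cookie store (illustration only).

    Handles the name=value pair plus the 'expires', 'max-age' and 'secure'
    attributes; real browsers handle many more (path, domain, ...).
    """

    def __init__(self):
        # {(host, cookie name): (value, expiry datetime or None, secure flag)}
        self._store = {}

    def receive(self, host, set_cookie_value, now):
        """Store one cookie taken from a Set-Cookie header sent by `host`."""
        parts = [p.strip() for p in set_cookie_value.split(";")]
        name, _, value = parts[0].partition("=")
        expires = None
        secure = False
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            key = key.lower()
            if key == "expires":
                expires = parsedate_to_datetime(val)          # HTTP date
            elif key == "max-age":
                expires = now + timedelta(seconds=int(val))   # relative lifetime
            elif key == "secure":
                secure = True
        self._store[(host, name.strip())] = (value.strip(), expires, secure)

    def request_header(self, host, scheme, now):
        """Return the Cookie header value for a request to scheme://host, or None."""
        pairs = []
        for (h, name), (value, expires, secure) in list(self._store.items()):
            if h != host:
                continue  # cookies only go back to the server that set them
            if expires is not None and expires <= now:
                del self._store[(h, name)]  # expired: forget it
                continue
            if secure and scheme != "https":
                continue  # a 'secure' cookie is never sent over plain HTTP
            pairs.append(f"{name}={value}")
        return "; ".join(pairs) if pairs else None


def demo():
    """Walk through one browsing session with constructed cookies."""
    now = datetime(2008, 5, 9, 19, 42, 38, tzinfo=timezone.utc)
    jar = CookieJar()
    # Two cookies from one site (the second marked secure), one from an ad server.
    jar.receive("www.example.org",
                "visitor=abc123; Expires=Sat, 10 May 2008 00:00:00 GMT", now)
    jar.receive("www.example.org", "sid=s3cr3t; Secure; Max-Age=3600", now)
    jar.receive("ads.example.net", "track=xyz", now)
    return {
        "http": jar.request_header("www.example.org", "http", now),
        "https": jar.request_header("www.example.org", "https", now),
        "other": jar.request_header("ads.example.net", "https", now),
        "later": jar.request_header("www.example.org", "https",
                                    now + timedelta(days=2)),
    }


if __name__ == "__main__":
    for step, header in demo().items():
        print(f"{step:6}: {header}")
```

Over plain HTTP only the non-secure `visitor` cookie is sent; over HTTPS both site cookies go back; the ad server's cookie is only ever sent to the ad server; and two days later both site cookies have expired and nothing is sent.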

Security and Privacy Concerns.
There are a number of security and privacy concerns with cookies.

Firstly; cookies are transmitted over the Internet as plain text using the HyperText Transfer Protocol (HTTP).
This means anyone eavesdropping on the information flow between the browser and the server can get hold of the information in the cookie.
Good web site design should mean that any sensitive information in a cookie is useless to prying eyes but I've actually seen sites storing credit card numbers using cookies. Even careful web site design cannot hide details such as the expiry date, originating server etc.
This problem is completely avoided when the server is a 'secure' server as all information sent between a secure server and a browser is encrypted - including cookies. Cookies can be set to be 'secure' - in which case the browser will only send the cookie to a secure server.
Even on a secure server it is sometimes possible for one web site to 'hijack' a cookie from another web site running on the same web server.
However, this requires a high level of ineptitude on the part of the server's administrator and the site designer and is therefore rare, especially on secure servers.

Secondly; the cookie is stored on your hard drive until it expires (and maybe even longer depending on how good your browser is at cleaning up after itself).
As cookies are 'plain text' they pose no threat in themselves. They cannot carry viruses or do any harm.
They are stored in plain text, though, so anyone who has access to them can read the information in them. Again, good web site design should mean that the contents are of no use to a snoop.
Of course, details such as the originating web server and date will be available to such a sneak, and the only way to guard against this is to use an operating system that allows 'you-and-only-you' to access your files and to make sure that wherever your browser stores its cookies is suitably protected. You could of course encrypt the appropriate file or folder if your operating system permits 'on-the-fly' encryption.

Thirdly; the spam factor.
Lots of online advertising schemes use cookies to track visitors across hundreds of participating web sites. This allows them to vary the adverts a person sees from site to site, but it also lets them build up a profile of that person as they surf the web: sites you visit, adverts you click and so on.
Often this is quasi-anonymous - they don't know who you are but they know what you like - but there is no technical reason why such a profile could not be associated with your real-world identity. Generally these schemes are not standardised or sophisticated enough to feed back profile information to the individual web sites, but that day is coming.

Like e-mail, cookies can be a marvellous marketing tool when used responsibly and ethically. We can but hope. Thankfully, any browser worth its salt will let you choose which cookies to accept.

Managing Cookies.
All good browsers help you manage cookies sent to you. They should at least let you choose which cookies to accept or reject and allow you to examine and delete your cookies. Most browsers offer an 'accept all' and 'reject all' setting and an 'ask me' setting that allows you to choose whether to accept any cookie that is sent to your browser.

Which cookies you accept and reject is entirely up to you. Many useful and benign sites (like this one) require cookies to be accepted in order to function properly, and the security threat from malicious sites is negligible so long as you understand the limitations of cookies.

Fri   2008-05-09   19:42:38 hst © 2002-2008 - hadez.org