COOKIES

6/5/2004

Cookies are (usually small) text files containing information about a user's interaction with a web site. They are created by the browser in response to a request from a web site and are stored on the user's PC. Cookies have names and contain named variables and associated information. The cookie name, its expiration time (which can be years in the future), the variable names, and the associated text are all provided by the web site. The cookie contents can be read back at the request of the web site that set them. If a PC has multiple browsers that support cookies (most do), each browser's cookies will probably be separate and distinct even though the major browsers all use the same cookie file format: they all store their cookies in different files.

Cookies may be kept only in memory (session cookies) or stored on disk (persistent cookies). In addition to storing information, cookies also have an expiration time and date that are set by the web site. Cookies can be non-secure, meaning they are read and written over plain http, or secure, meaning they are read and written only over SSL. The security referred to is whether the transmission of the data is in plain text, not whether the data is stored in some special way on the server or on the client.
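The attributes described in the two paragraphs above (name and value supplied by the site, an optional expiration, and the secure flag) can be modelled with a small cookie jar. The code below is an added example, not part of the original article; it parses constructed Set-Cookie header strings and shows which cookies a browser would send over http versus https, which ones expire, and which ones survive a browser restart. The Set-Cookie values and the dates are constructed for the example.

```python
# Added example (not from the article): a minimal cookie jar modelling
# session vs. persistent cookies, expiration and the Secure attribute.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    expires: Optional[datetime]  # None means session cookie: memory only
    secure: bool                 # True means send only over SSL/https


def parse_set_cookie(header: str, now: datetime) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie record.

    Only the attributes discussed in the article are handled: Expires,
    Max-Age (which overrides Expires when both are present) and Secure.
    Other attributes (Path, HttpOnly, ...) are accepted and ignored.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    expires: Optional[datetime] = None
    max_age: Optional[int] = None
    secure = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "expires":
            expires = parsedate_to_datetime(val.strip())
        elif key == "max-age":
            max_age = int(val.strip())
        elif key == "secure":
            secure = True
    if max_age is not None:
        expires = now + timedelta(seconds=max_age)
    return Cookie(name.strip(), value.strip(), expires, secure)


class CookieJar:
    """In-memory store mirroring what a browser keeps for one site."""

    def __init__(self) -> None:
        self.cookies: Dict[str, Cookie] = {}

    def store(self, header: str, now: datetime) -> None:
        cookie = parse_set_cookie(header, now)
        if cookie.expires is not None and cookie.expires <= now:
            # An already-expired cookie is how a site deletes a cookie.
            self.cookies.pop(cookie.name, None)
        else:
            self.cookies[cookie.name] = cookie

    def header_for_request(self, scheme: str, now: datetime) -> str:
        """Build the Cookie request header for a request over http or https."""
        pairs = []
        for c in self.cookies.values():
            if c.expires is not None and c.expires <= now:
                continue  # persistent cookie whose expiry has passed
            if c.secure and scheme != "https":
                continue  # Secure cookies are never sent in plain text
            pairs.append(f"{c.name}={c.value}")
        return "; ".join(pairs)

    def persist(self) -> List[Cookie]:
        """What is written to disk at browser exit: only cookies with an expiry."""
        return [c for c in self.cookies.values() if c.expires is not None]


def demo_jar() -> dict:
    # Constructed headers: one session cookie, one long-lived persistent
    # cookie and one short-lived Secure cookie.
    now = datetime(2004, 6, 5, 12, 0, tzinfo=timezone.utc)
    jar = CookieJar()
    jar.store("sessionid=abc123; Path=/", now)
    jar.store("prefs=dark; Expires=Wed, 05 Jun 2024 00:00:00 GMT", now)
    jar.store("auth=tok; Max-Age=3600; Secure; HttpOnly", now)
    return {
        "http": jar.header_for_request("http", now),
        "https": jar.header_for_request("https", now),
        "after_restart": sorted(c.name for c in jar.persist()),
        "https_next_day": jar.header_for_request("https", now + timedelta(days=1)),
    }


if __name__ == "__main__":
    for label, result in demo_jar().items():
        print(f"{label}: {result}")
```

The jar makes the article's distinctions concrete: the session cookie is absent from the persisted list, the Secure cookie is omitted from the http request, and a persistent cookie stops being sent once its expiry passes even though it may still sit on disk.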

One common use of cookies is storing a user identification that can be used to tailor the presentation of a web site to the desires of a specific user. They are also used to bypass login procedures that might otherwise be required for every site access. They are used to prevent confusion during form completion. There are many other uses.

Since the content of cookies is web site specific and the information contained within the cookies can only be information known to the site, many people feel that cookies are fairly innocuous. Browsers typically will not accept cookies from web pages in the local file system, thereby limiting the use of cookies by viruses and other malware. On the other hand, cookie content is usually specific to a PC and a browser, not to a user. This can cause problems with identity confusion if several users share a PC. Windows NT and Unix have provisions to get around this, but they frequently are not configured to do so.

Computers that are used by multiple users, stolen laptops, etc. may contain cookies that will allow intentional or inadvertent access to financial data, credit card information, user accounts, etc. Cookie contents are sometimes largely in plain text. Skimming through them off line looking for information is trivial for anyone with minimal computer skills. There are programs to help in cookie perusal, but they really aren't needed. Some sites encrypt sensitive data they store in cookies. Some don't. Some encryption is very effective. Some isn't. Cookies are subject to various attacks by malicious programs or sites, including theft (stealing the contents) and poisoning (altering the contents).
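The poisoning attack named above, altering a cookie's contents on disk or in transit, is detected on the server side by attaching an integrity tag to each value it issues. The code below is an added example, not part of the original article: it signs a cookie value with HMAC-SHA256 and refuses any value whose tag does not match. The secret key and the cookie values are constructed placeholders.

```python
# Added example (not from the article): tamper detection for cookie
# values using an HMAC tag. SECRET_KEY is a constructed placeholder; a
# real server loads a random key from configuration, never a literal.
import base64
import hashlib
import hmac
from typing import Optional

SECRET_KEY = b"constructed-example-key-do-not-use"


def sign_cookie_value(value: str, key: bytes = SECRET_KEY) -> str:
    """Return value followed by a dot and a base64url HMAC-SHA256 tag."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_cookie_value(signed: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the original value if the tag verifies, otherwise None.

    The tag is base64url, so it never contains a dot; rpartition therefore
    splits correctly even when the value itself contains dots.
    """
    value, sep, _tag = signed.rpartition(".")
    if not sep:
        return None
    expected = sign_cookie_value(value, key)
    # Constant-time comparison so timing does not leak tag bytes.
    if hmac.compare_digest(expected, signed):
        return value
    return None


def demo_signing() -> dict:
    # Constructed cookie value: what a site might issue after login.
    issued = sign_cookie_value("user=alice;role=member")
    # Poisoning: the stored value is edited, but the tag cannot be recomputed
    # without the key.
    poisoned = issued.replace("role=member", "role=staff")
    return {
        "issued_ok": verify_cookie_value(issued) == "user=alice;role=member",
        "poisoned_rejected": verify_cookie_value(poisoned) is None,
        "wrong_key_rejected": verify_cookie_value(issued, b"other-key") is None,
        "untagged_rejected": verify_cookie_value("user=alice") is None,
    }


if __name__ == "__main__":
    for label, result in demo_signing().items():
        print(f"{label}: {result}")
```

A tag of this kind gives integrity only: the value is still readable in plain text on the PC, so it does nothing against the theft case or the offline skimming described above. Data that must not be readable has to be encrypted as well, or, better, kept on the server behind an opaque session identifier.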

The use of cookies can be turned on and off in the properties of most browsers. However, many web sites require that cookies be enabled in order to use their services. Turning cookies off is not practical for most users.

Amazon has a patent (US6714926) on using browser cookies to store structured information -- whatever that means.

Copyright 1994-2002 by Donald Kenney.