Origin (1994)
In 1994, the Mosaic Communications Corporation was updating the Mosaic browser into what would eventually become Netscape Navigator. Netscape engineer Lou Montulli wanted to encourage the growth of budding "e-commerce" sites by providing them with a way to "remember" users across different requests. He came up with a way for the Netscape browser to store session information across multiple HTTP requests by leveraging the existing concept of a "magic cookie", a piece of data passed from the client back to the server.
Originally, cookies were supported only by Netscape's browser and could be used only by web developers who followed the specifications described on Netscape's website. Website designers were very excited about this new technology, as it allowed web applications to do things that previously would have been impossible or impractical.
David M. Kristol's timeline for HTTP Cookie standardization [1]
Standardization (1994-2000)
The first official standard for cookies (RFC 2109) from the Internet Engineering Task Force (IETF) came several years later. All parties involved in the early web agreed that in order for the web to perform many of the roles people wanted of it, there would need to be some way to maintain user sessions.
A working group headed by David M. Kristol, a researcher at Bell Labs, set out to create a definitive standard for HTTP State Management. Many proposals were put forward, but Netscape's implementation was the most popular at the time and was finally codified as the official IETF standard in 1997.
Privacy concerns (1996-Present)
As early as 1996, members of the working group were deeply concerned about the privacy implications of cookies. Third-party cookies, set and received by sites not directly visited by the user, were identified as a potential threat to user privacy. The first proposed standard explicitly required browsers to reject all third-party cookies by default. These early attempts by the working group to restrain the scope of these cookies were vehemently opposed by advertising networks, which used third-party cookies to gain data about customers and send personalized ads.
Eventually the working group came to a deadlock on the issue, with social and political privacy considerations overshadowing the group's chief task of technical standardization. As a compromise to reach consensus on the technical standard, all sections related to restricting third-party cookies were removed from the working standard in 1997.
These constraints were added back in the revised standard RFC 2956 (Section 3.3.6 "Sending Cookies in Unverifiable Transactions") published in 2000, but by that time, all major browsers allowed third-party tracking cookies. To this day, the issue of third-party cookies has not been resolved to the satisfaction of all concerned parties.
References
The content of this page is drawn almost entirely from an excellent technical, political, and personal account written by David M. Kristol in 2001.
Kristol, David M. "HTTP Cookies: Standards, privacy, and politics." ACM Transactions on Internet Technology (TOIT) 1, no. 2 (2001): 151-198.
It also draws on a comprehensive article on cookie privacy by John Schwartz, published in the New York Times in the same year. This source was originally in print.
Schwartz, John. "Giving the Web a memory cost its users privacy." New York Times 4, no. 01 (2001).