Definition of Cookies
Cookies are small packets of text data sent by the server to the web browser when the client visits a site for the first time. These text files are stored locally on the client's browser. On subsequent visits to the website, the cookie is sent along with the HTTP request to the server. The text file includes the ID of the cookie, the domain of the website, the lifetime of use, and a security specification. Let's examine each of these components in more depth.
The ID is a unique sequence of letters and numbers, randomly generated by the server, to uniquely identify the browser to the server in the future. IDs are really useful in that they enable you to stay "logged in" to particular websites.
The domain establishes which webpages are relevant to the cookie. If the browser visits one of the specified websites, it will send the cookie to the server. Otherwise, it won't.
The lifetime attribute, also known as MaxAge or the Expiration Date, establishes the period of time when the cookie is valid. At the end of that time period, the cookie expires and should be deleted. Some cookies have longer lifetimes than others, as we'll discuss below.
The last attribute--the security requirement--establishes how the cookie should be accessed. Some cookies should only be accessible through formal HTTP requests. Other cookies can safely be accessed via Javascript code. It really depends on what the cookie is being used for. Your banking website, for example, is likely to be wary of unfriendly Javascript, and so it might insulate its cookies from all Javascript accesses.
The ID is a unique sequence of letters and numbers, randomly generated by the server, to uniquely identify the browser to the server in the future. IDs are really useful in that they enable you to stay "logged in" to particular websites.
The domain establishes which webpages are relevant to the cookie. If the browser visits one of the specified websites, it will send the cookie to the server. Otherwise, it won't.
The lifetime attribute, also known as MaxAge or the Expiration Date, establishes the period of time when the cookie is valid. At the end of that time period, the cookie expires and should be deleted. Some cookies have longer lifetimes than others, as we'll discuss below.
The last attribute--the security requirement--establishes how the cookie should be accessed. Some cookies should only be accessible through formal HTTP requests. Other cookies can safely be accessed via Javascript code. It really depends on what the cookie is being used for. Your banking website, for example, is likely to be wary of unfriendly Javascript, and so it might insulate its cookies from all Javascript accesses.
Types of Cookies
We can divide the world of cookies into two categories: session cookies and persistent cookies. Session cookies exist for as long as the user is browsing a particular website. These are usually deleted when the browser closes. Persistent cookies, on the other hand, can exist longer, sometimes indefinitely, unless the user manually deletes them. These cookies track browsing history over time and send information back to the server. Because they log so much data, persistent cookies are also called tracking cookies.
We can also divide the world of cookies into secure cookies and HttpOnly cookies. Secure cookies are only accessible through Https. Data is encrypted during transmission and is more secure. HttpOnly cookies are used only in Http or Https requests, and cannot be accessed through Javascript. This style prevents certain classes of security attacks, like cross-site scripting. Both of these types of cookies are supported on all major modern browsers.
Another category of cookies is third-party cookies. Third-party cookies are usually dropped by some entity other than the web page that you're visiting. A cookie might be dropped, for example, by one of the advertisements on a particular website. The advertiser might then use this cookie to monitor your browsing habits, in the hope of sending you more effective, personalized ads in the future. Since there are no restrictions on the number of third-party cookies that can be dropped onto a browser, third-party cookies are increasing in popularity as a way for advertisers to gather information about consumers.
We can also divide the world of cookies into secure cookies and HttpOnly cookies. Secure cookies are only accessible through Https. Data is encrypted during transmission and is more secure. HttpOnly cookies are used only in Http or Https requests, and cannot be accessed through Javascript. This style prevents certain classes of security attacks, like cross-site scripting. Both of these types of cookies are supported on all major modern browsers.
Another category of cookies is third-party cookies. Third-party cookies are usually dropped by some entity other than the web page that you're visiting. A cookie might be dropped, for example, by one of the advertisements on a particular website. The advertiser might then use this cookie to monitor your browsing habits, in the hope of sending you more effective, personalized ads in the future. Since there are no restrictions on the number of third-party cookies that can be dropped onto a browser, third-party cookies are increasing in popularity as a way for advertisers to gather information about consumers.
Uses of Cookies
Cookies aren't just for shopping carts anymore. They serve as session managers and customize settings on behalf of particular users. When a user logs onto a website, the server sends a cookie to the user with a unique token identifying the session in progress. If the user closes that site's tab and returns later, the cookie will be sent back to the server, allowing the user to bypass the login process. In this way, cookies make life easier for the user.
Cookies can also save information about users' browsing behavior, which can help to personalize the user's experience. Amazon uses persistent cookies to track customers' favored products on its site. This gets translated into specific advertisements that correspond to the customers' interests. The user can skip the tedious process of searching for relevant products and go straight to analyzing potential purchases. These experience-customization cookies have plenty of applications. Google uses these cookies, for example, to sort its search results differently for different users.
Cookies can also save information about users' browsing behavior, which can help to personalize the user's experience. Amazon uses persistent cookies to track customers' favored products on its site. This gets translated into specific advertisements that correspond to the customers' interests. The user can skip the tedious process of searching for relevant products and go straight to analyzing potential purchases. These experience-customization cookies have plenty of applications. Google uses these cookies, for example, to sort its search results differently for different users.
Dangers of Cookies
One danger of cookies is that they can be hijacked by malicious attackers. One way in which this can happen is the man-in-the-middle attack, which consists of an attacker eavesdropping on a communication channel between a server and a user. The attacker can intercept a cookie sent to the client and respond to the server with a false request along with the cookie. Since cookies are used to verify the user's identify, the server will interpret the fake request as legitimate. If a user visiting a banking website fell victim to his attack, then an attacker could send requests along with the intercepted cookie to extract money from the user's account. Since there is no information stored regarding the attacker's location, only the user's location, the hijacker is almost impossible to track down. Nowadays, this attack is mitigated through the application of HTTPS protocols. Banks in particular will send and receive requests only through secure SSL connections that send data in encrypted form.
Another form of attack is the cross-site scripting attack. In a cross-site scripting attack, an attacker uses malicious Javascript to change the domain of cookies stored on the user's side. When the user reloads or sends out another request, the cookies are sent to the new domain set by the Javascript code. In this way, attackers receive the user's cookies, which can be used to access various websites under the stolen identity. Cross-site scripting remains a huge threat even today, and web administrators must constantly be aware of what code snippets are malicious and what snippets are innocuous. This threat can be prevented through utilization of HttpOnly cookies, which do not allow for scripting access to cookie values.
Drawbacks of Cookies
Beyond the security dangers of cookies, there are several other drawbacks associated with their use. One common concern is the cookie's inability to discern between different web browsers and sessions on the same computer. For example, if a user runs both Firefox and Chrome, and accesses Gmail on both, the two browsers will store separate sets of cookies for the current session. If the user logs out on one browser, the other browser session is not affected, which may not be the result desired by the user.
Another pitfall of cookie usage is the lack of state verification on each action of the user. In the example of the shopping cart, if the user presses the backbutton after clicking "add to cart" on an item, the cookie may not register a change to the cart as no request was sent to the server. However, the customer may have thought that this action removed the item from the cart, leading to inaccurate information storage.
Another pitfall of cookie usage is the lack of state verification on each action of the user. In the example of the shopping cart, if the user presses the backbutton after clicking "add to cart" on an item, the cookie may not register a change to the cart as no request was sent to the server. However, the customer may have thought that this action removed the item from the cart, leading to inaccurate information storage.
References
"HTTP State Management Mechanism – Overview". IETF. April 2011.
Penenberg, Adam; Cookie Monsters, Slate, November 7, 2005. "Cookies are not software. They can't be programmed, can't carry viruses, and can't unleash malware to go wilding through your hard drive."
Peng, Weihong; Cisna, Jennifer (2000). "HTTP cookies - a promising technology". Proquest. Online Information Review. Retrieved 29 March 2013.
Kristol, David; HTTP Cookies: Standards, privacy, and politics, ACM Transactions on Internet Technology, 1(2), 151–198, 2001 doi:10.1145/502152.502153
Mayer, Jonathan. "Tracking the Trackers: Microsoft Advertising". The Center for Internet and Society. Retrieved 28 September 2011.
Photo: http://upload.wikimedia.org/wikipedia/commons/5/50/Third_party_cookie.svg
Photo: http://upload.wikimedia.org/wikipedia/commons/e/e5/Cookie-sniffing.svg
Photo: http://upload.wikimedia.org/wikipedia/commons/7/7a/Cookie-theft.svg
Penenberg, Adam; Cookie Monsters, Slate, November 7, 2005. "Cookies are not software. They can't be programmed, can't carry viruses, and can't unleash malware to go wilding through your hard drive."
Peng, Weihong; Cisna, Jennifer (2000). "HTTP cookies - a promising technology". Proquest. Online Information Review. Retrieved 29 March 2013.
Kristol, David; HTTP Cookies: Standards, privacy, and politics, ACM Transactions on Internet Technology, 1(2), 151–198, 2001 doi:10.1145/502152.502153
Mayer, Jonathan. "Tracking the Trackers: Microsoft Advertising". The Center for Internet and Society. Retrieved 28 September 2011.
Photo: http://upload.wikimedia.org/wikipedia/commons/5/50/Third_party_cookie.svg
Photo: http://upload.wikimedia.org/wikipedia/commons/e/e5/Cookie-sniffing.svg
Photo: http://upload.wikimedia.org/wikipedia/commons/7/7a/Cookie-theft.svg