|
An HTTP cookie (usually called simply a cookie) is a packet of information sent by a server to a World Wide Web browser and then sent back by the browser each time it accesses that server. They were invented by Lou Montulli, a former employee of Netscape Communications.
Purpose
Cookies can contain any arbitrary information the server chooses and are used to maintain state between otherwise stateless HTTP transactions. Typically this is used to authenticate or identify a registered user of a web site as part of their first login process or initial site registration without requiring them to sign in again every time they access that site. Other uses are maintaining a "shopping basket" of goods selected for purchase during a session at a site, site personalisation (presenting different pages to different users), and tracking a particular user's access to a site.
Permission
A browser may or may not allow the use of cookies. The user can usually choose a setting.
Tools > Internet Options > Privacy Tab
- Use slider to set options, or use advanced options
Tools > Options > Privacy
- Set options under Cookies
- Exceptions allows per domain settings of block/allow
- View Cookies opens a cookie management window, showing details of stored cookies, allowing them to be deleted or blocked
Safari > Preferences > Security Tab
- Select one of the following options
- Always accept cookies
- Never accept cookies
- Accept cookies only from sites you navigate to (for example, not from advertisers on those sites) Selected by default.
You may also view every cookie that is currently residing in your browser and delete any of them at will.
Permanence
A cookie often stays on the user's computer for use in the next session (though it can be erased by the user in between), but it can also be for use within a session and be erased at the end of the session.
Identification
If more than one browser is used on a computer, each has a separate storage area for cookies. Hence cookies do not identify a person, but a combination of a computer and a web browser. Thus, a single person who uses multiple browsers and/or computers will have a distinct set of cookies for each computer/browser combination. On the other hand, cookies do not differentiate between multiple users who share a computer and browser, unless they use different user accounts.
Opposition to cookies
Some people are opposed to the use of cookies on the Web. Below are some of their reasons.
Inaccurate identification
See above.
Privacy, anonymity and advertising
Cookies also have some important implications with respect to a user's privacy and anonymity on the web. One way is that some companies monitor users' visits to disparate web sites for marketing purposes. Some sites contain images called web bugs (that are transparent and only one pixel in size, so that they are not visible) that place cookies on all computers that access them. E-commerce websites can then read those cookies, find out what websites placed them, and send e-mail spam advertisements for products related to those websites.
Companies that use this system defend it as an effective way to give consumers access to products in which they are likely to be interested. If sites that place these tracking cookies are paid by the commercial operator, the revenue can allow them to place their content online at no cost to the creators.
Sweden has passed legislation concerning cookies, mandating that sites that use them include a statement to that fact, and includes instructions on how the user can avoid them.
Article 5 Paragraph 3 of the 2002 EU telecommunication privacy Directive (http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=en&numdoc=32002L0058&model=guichett) requires that users are informed of any cookie and have the right to refuse it. However, the December 2004 report (http://europa.eu.int/information_society/topics/ecomm/doc/all_about/implementation_enforcement/annualreports/10threport/sec20041535VOL1en.pdf) of the EU Commission on the implementation of the directive says on page 38 that this provision is generally not implemented and a thorough analysis of the situation in the Member States is justified.
Cookie theft and poisoning by cross site scripting based attacks
Even if cookies are not dangerous per se, they contain information corresponding to a particular context : user, computer, web browser, and above all domain served by the web server from where it originated. Bypassing this context, i.e. having this information 'leak' out of this context is undesirable for the user, especially when the cookie data contains personal information. This bypassing in turn represents a valuable undertaking for an attacker. Cross site scripting is the tool of choice to achieve this goal. Among the threats of cross site scripting attacks, cookie theft and cookie poisoning present a risk to the user, in that they enable a transgression of the context and the trust it carries.
- cookie theft: gathering of the user's cookie, sent to the attacker's website. The attacker can then use the cookie information for session hijacking of the user's account on the trusted/affected website.
- cookie poisoning: bypassing the security mechanism of context based trust, the attacker can inject code resulting in a modification of the cookie content, hence making the attack persistent.
The Future of Cookies
A few alternatives to cookies have been proposed, e.g. The Brownie project (http://sourceforge.net/projects/brownie), an open source project at SourceForge. Brownies were to be for sharing across multiple domains, as opposed to cookies that are (supposedly) constrained to a single domain. The project is no longer in development.
References
External links
| 
