What are cookies?

A cookie (short for HTTP magic cookie) is a piece of data stored on your computer (in your Web browser) by a Web site. The nature of magic cookies is such that the data means nothing to your computer – it is only meaningful to the site that created it. Each time you access a page on the site that gave you the cookie, the browser tells the site what data is stored in all cookies belonging to that site. This allows the site to keep track of your visit and details relating to you and your activities across pages, something very hard to do otherwise given the nature of the Web.

There are various reasons to store information on your machine. First and foremost, to keep track of log-ins. It is the normal (and presumably the best?) approach to keep track of your session at a site once you log in, for example using Web-based mail such as Hotmail or making a visit to a forum or online store. This is because HTTP itself (the system on which the Web runs) does not provide any means to connect two page accesses together as being the same person, and IP addresses are far from reliable (think NAT and proxies/firewalls). By having the browser pass cookie data to the site with each page request, the site is kept informed of who is accessing the pages and this maintains your log-in and lets you store items in a shopping cart. Otherwise, the site would forget who you are and you'd not be able to view personalised pages such as your e-mail.

Such cookies are generally discarded once you quit the browser. In general, cookies are stored on your machine either until you quit the browser, or until the expiry date set in the cookie.

Cookies are also used to store your log-in and personal details for future visits, enabling the site to remember you. Your username and password may be typed out for you, or you may not need to log in at all (as the cookies held on your machine tell the site who you are), and it allows for extremely easy customisation of sites (custom colours, layout, etc).

In an ideal world, cookies would be a perfectly good solution to the limitations of the Web for building and running Web-based software such as Web-based mail and fora.

Privacy and security issues

However, as you can imagine, this power also allows for nefarious and dubious activities. Cookies can be created by JavaScript, which allows sites to involve third parties in the creation of cookies (by way of scripts included from other sites). Cookies are in fact sent and received with every single HTTP request, such as for every image, Flash movie or sound on a page. Such images are also often provided by third parties to the site in question. This allows advertising and statistics companies to track your movement right across the Web, on any site that uses tracking JavaScript or images from these companies. Many people feel this to be an invasion of privacy, and disable support for cookies in the browser altogether.

The presence of the Filter Manager in iCab allows cookies to be turned off for sites in general but allowed for individual sites where cookies are required for the site to work, such as cookies that support site log-ins. iCab also allows you to enable only those cookies flagged to expire at the end of the session, which are generally safe as they cannot be used to track you for very long.

There are also a variety of means to steal your cookies, from malicious use of vulnerabilities in sites to social engineering techniques that get you to access malicious Web addresses. This allows attackers to access personal information and to take over active log-in credentials. This class of exploit is known in general as cross-site scripting, abbreviated XSS (so as not to confuse it with Cascading Style Sheets or Content Scrambling System).

Anatomy of a cookie

According to Netscape's cookie specification, a cookie contains one required element and a set of optional elements. The one required element is its name and value (the data), for example USERNAME=FredBloggs. By itself, this tells the browser to associate the cookie with the current site (which sent the cookie) and have it expire when the browser is closed.

Cookies can also contain:

  • An expiry date which tells the browser when to stop using and discard the cookie;
  • Which domain name (or subdomain) the cookie is to be used with (defaults to the current site);
  • The path on the site in which the cookie is to be used (defaults to the whole site, /);
  • A flag to set whether the cookie is to only be sent in secure (HTTPS) connections.
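As an added example that is not part of the original page, here is a small Python model of these elements: it parses a Netscape-style Set-Cookie header using the defaults described above, applies the session-only acceptance option mentioned in the iCab section, and decides whether a stored cookie is sent with a given request. The header values and host names are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (not from the page), as a site might send them
SAMPLE_SESSION = "USERNAME=FredBloggs"
SAMPLE_PERSISTENT = ("SESSIONID=abc123; expires=Wed, 09-Jun-2021 10:18:14 GMT; "
                     "domain=.example.com; path=/mail; secure")

def parse_set_cookie(header, request_host):
    """Parse a Netscape-style Set-Cookie header into a dict of its elements.
    Defaults follow the description above: discard when the browser closes,
    only for the site that sent it, for the whole site (/), not HTTPS-only."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "expires": None,
              "domain": request_host.lower(), "path": "/", "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            when = parsedate_to_datetime(val)
            if when.tzinfo is None:            # treat a bare timestamp as GMT
                when = when.replace(tzinfo=timezone.utc)
            cookie["expires"] = when
        elif key == "domain":
            cookie["domain"] = val.lower().lstrip(".")
        elif key == "path":
            cookie["path"] = val or "/"
        elif key == "secure":
            cookie["secure"] = True
    return cookie

def accept_cookie(cookie, session_only=False):
    """Browser-side acceptance policy: with session_only set (the iCab option
    described above), any cookie carrying an expiry date is refused."""
    return not (session_only and cookie["expires"] is not None)

def should_send(cookie, host, path, is_https, now):
    """Decide whether a stored cookie is attached to a request for host/path."""
    if cookie["expires"] is not None and now >= cookie["expires"]:
        return False                           # expired: the browser discards it
    host = host.lower()
    if host != cookie["domain"] and not host.endswith("." + cookie["domain"]):
        return False                           # belongs to a different site
    if not path.startswith(cookie["path"]):
        return False                           # outside the cookie's path
    if cookie["secure"] and not is_https:
        return False                           # secure flag: HTTPS connections only
    return True
```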

See also:

-- DanielBeardsmore - 12 Oct 2005 (initiated by SmokeyArdisson - 11 Oct 2005)

Topic revision: r3 - 12 Oct 2005 - 22:21:37 - SmokeyArdisson