HTTP Cookie

HTTP Cookies are a simple text file which is stored on a user computer from a web site. HTTP cookies are used by the web page server to store information about you so it knows what to display when you visit the web site. HTTP cookies should only be readable by their creator (and therefore should not normally be a security concern), but some software flaws may allow other's to read or modify cookies from another creator. An HTTP cookie is used to keep track of a condition such as when a user puts an item in their shopping cart. Most cookie use is legitimate and very helpful for computer users but it may be abused when software program flaws allow it. The existence and use of HTTP cookies is not hidden from users.

Users can choose whether or not their internet browser program will allow cookies to be stored on it or not. Their settings may allow all cookies or may only allow cookies to be stored from specific trusted sites. Users can also set their browser to notify them when a cookie is placed on their computer and they can choose to reject the cookie or not. If a user has more than one browser type on their computer, each browser has its own storage area for cookies which is separate from other browsers.

HTTP Cookies all have expiration dates associated with them. There are also some cookies called session cookies that are only stored in memory and are used to track a user session with a specific website. When a cookie reaches its expiration date, the browser automatically deletes it.

HTTP cookies store a cookie name and a cookie value on the client computer. The name of the cookie and value are called the name/value pair. Cookies also store an expiration date and may store a path, domain name, and whether the cookie is to be used only for encrypted connections. If the user visits the matching domain name and matching file path on that domain, the cookie is sent back to the webserver.

Cookies can be a security risk if not used properly by web application programmers. Web application programmers should be careful not to store sensitive information in cookies. Cookie information may be compromised using one of the following techniques:

  1. A browser vulnerability may allow an attacker to get all client cookies.
  2. Cookies may be sniffed by an attacker while they are traveling over the internet.
  3. Someone unintended read the cookies while stored in the client computer temporary folder.

There has been a large amount of paranoia about HTTP cookies. If the same amount of paranoia were applied to viruses, spyware, and computer protection and computer education, I would think that the internet would be a much safer place today. Some facts about cookies are:

  1. HTTP cookies are simple text files stored on your computer and cannot modify any other information or programs on your computer.
  2. Cookies cannot change the contents of your hard drive.
  3. Cookies cannot read personal information stored on your computer. Cookies may be used to store information on your computer from a specific web site such as your user ID for any web site you may log into. However so long as programmers do not place confidential information in cookies, cookies are no security risk.
  4. Cookies are not only used for advertisement but are usually used to store user preferences or other information to make it easier for users to use specific web sites.
  5. Cookies can be a minor privacy concern when large companies get code stored on many different websites. The privacy concern would unfold as follows:
    1. User goes to abcd.com website which has some code from bigmarketer.com website.
    2. The code from bigmarketer.com website generates a unique number for their database, and puts it in a cookie which is placed on the user's computer. The bigmarketer website also notes that the request for their code came from abcd.com and puts that information in the cookie also or it may just store the fact that this user had visited abcd.com. (Note the fact that the cookie is from bigmarketer.com and not from abcd.com)
    3. Later the user goes to wxyz.com website which also has code from from the bigmarketer.com website in their webpage.
    4. The code from bigmarketer.com website reads the cookie and notes that the user had been on the abcd.com website earlier. It records the information that the user with the unique number assigned has now been on abcd.com and wxyz.com. It may add a cookie value indicating that the user has been on wxyz.com but probably will just record the information in their database.
    5. Any other sites the user visits that has code from bigmarketer.com will also be noted in the bigmarketer.com database. However, only sites with the bigmarketer.com code will indicate that the user has visited them. Bigmarketer.com will not know what websites the user has visited that do not have their code.
      There are several very important mitigating factors to this privacy concern. First of all, bigmarketer.com never knows the name or address of the person who they are recording information about site visits on. They only know that some user with an ID they assigned has visited certain sites they are associated with. Also the user can at any time clear their cookie from bigmarketer.com and the next site they visit associated with bigmarketer.com would cause them to get a different ID from bigmarketer.com which would start the process over. Bigmarketer.com would have no way to know that the user was the same the second time around.