HTTP cookie

From Exampleproblems


An HTTP magic cookie (usually called simply a cookie) is a packet of information sent by a server to a World Wide Web browser and then sent back by the browser each time it accesses that server. Lou Montulli, a former employee of Netscape Communications, was the first to apply the cookie technique in web communications.


Purpose

Cookies can contain any arbitrary information the server chooses and are used to introduce state into otherwise stateless HTTP transactions. Without cookies, each retrieval of a web page (technically, each component of a web page) from a web site is an isolated event, virtually unrelated to all other views of the site's pages. By returning a cookie to a web server, the browser provides the server a means of connecting the current page view with prior page views. Typically this is used to authenticate or identify a registered user of a web site as part of their first login process or initial site registration without requiring them to sign in again every time they access that site. Other uses are maintaining a "shopping basket" of goods selected for purchase during a session at a site, site personalization (presenting different pages to different users), and tracking a particular user's access to a site.

A cookie may be set either by a web server via a CGI script or by a script, such as JavaScript, running in a web browser.

Permission

A browser may or may not allow the use of cookies. The user can usually choose a setting.

Microsoft Internet Explorer

Tools > Internet Options > Privacy Tab

  • Use slider to set options, or use advanced options

On some versions you may instead have to go to Security > Custom Level and find the cookie settings there.

Make sure to block 3rd party cookies without a compact privacy policy.

Mozilla Firefox

The best option is to enable P3P:

Open a new browser window and type about:config into the location box.

1) On the line that says "Filter", type "network.cookie.cookieBehavior" and change the value below to "3".

2) Then type "network.cookie.p3p" and change the values to 0 / afafaaaa for low, 1 / ffffaaaa for medium or 2 / frfradaa for high. (medium is suggested in most cases)

See: Firefox Help - Firefox and Cookies


Alternatively, you can use the Privacy options in (Tools > Options > Privacy)

(Note: On Linux this may appear as Edit > Preferences > Privacy, on the Mac as Firefox > Preferences > Privacy)

  • Set options under Cookies
    • Exceptions allows per-site settings: block, allow for session, or allow
    • View Cookies opens a cookie management window, showing details of stored cookies, allowing them to be deleted or blocked
    • If cookies are allowed, they may be restricted to the originating site only
    • Accepted cookies may be kept until they expire, or until Firefox is closed.

iCab Company iCab

Cookie settings in iCab can be set globally with the preferences or per-wildcard-URL with its Filter Manager. The information below is a touch long but reflects the power of iCab's configuration.

To view existing cookies and set HTTP-based cookie settings, open the Cookie Manager window: Tools > Cookie Manager

From here, you can view and delete cookies and (under Information for selected cookies) cause them to expire at the end of the session. Click Cookie Preferences to open the Cookie preferences.

  • Cookies can be:
    • Never accepted
    • Prompted for acceptance
    • Accepted but not used
    • Always accepted
    • Always accepted but only kept until the end of the session (i.e. you quit iCab/shut down the computer)
  • Cookies not directly from the sites (servers) you are viewing can be rejected (e.g. third-party activity tracking cookies)
  • Cookies that will not remain on the machine (which cannot be used to track your activity over time) can be automatically accepted regardless of the general setting
  • Invalid and "Illegal" (in computer terms, not criminal law terms) cookies can be automatically rejected

Clicking Edit Cookies brings up the Cookie Manager window.

Those brave enough to face the Filter Manager can configure cookie settings on a per-wildcard-URL basis. JavaScript-generated cookies can also be blocked globally or per-wildcard-URL in the JavaScript preferences; general cookie settings appear to override JavaScript cookie settings.

Apple Safari

Safari > Preferences > Security Tab

  • Select one of the following options
    • Always accept cookies
    • Never accept cookies
    • Accept cookies only from sites you navigate to (for example, not from advertisers on those sites); selected by default

You may also view every cookie that is currently residing in your browser and delete any of them at will.

KDE Konqueror

  • Remember to place the dot in front of the domain name (.wikipedia.org); otherwise Wikipedia will not read the cookie (in KDE 3.3) when unlisted cookies are set to be rejected in Settings.

Opera Software Opera

Tools > Preferences > Advanced Tab > Cookies

  • Decide when to accept 'normal' cookies (sent by the Web page you are viewing) and 'third party' cookies (sent by other companies, typically advertisers or Web site analytics companies)
  • Manage your cookies with the Server Manager, to delete or set preferences for individual servers

Permanence and limits

A cookie often stays on the user's computer for use in the next session (though it can be erased by the user in between), but it can also be for use within a session and be erased at the end of the session.

In Netscape's original specification, certain data limits were suggested, and these limits are often still followed today:

  • 300 total cookies for the entire browser
  • 4 kilobytes (4096 bytes) per cookie. This includes the cookie's identifying name as well as the data for that cookie.
  • 20 cookies per server or domain.

Some browsers allow much more data to be stored than the above limits.

The cookie setter can specify an expiry date (in the "Wdy, DD-Mon-YYYY HH:MM:SS GMT" format), in which case the cookie will be removed on that date or when one of the three limits mentioned above is reached. If the cookie setter does not specify a date, the cookie is removed once the user quits his or her browser.

Identification

If more than one browser is used on a computer, each has a separate storage area for cookies. Hence cookies do not identify a person, but a combination of a computer and a web browser. Thus, a single person who uses multiple browsers and/or computers will have a distinct set of cookies for each computer/browser combination. On the other hand, cookies do not differentiate between multiple users who share a computer and browser, unless they use different user accounts.

Opposition to cookies

Some people are opposed to the use of cookies on the Web, often because of privacy concerns. Below are some of their reasons.

Inaccurate identification

See the Identification section above.

Privacy, anonymity and advertising

Cookies also have some important implications with respect to a user's privacy and anonymity on the web. One way is that some companies monitor users' visits to disparate web sites for marketing purposes. Some sites contain images called web bugs (that are transparent and only one pixel in size, so that they are not visible) that place cookies on all computers that access them. A single source could have bugs on multiple sites, potentially tracking and correlating a user's activity across multiple sites, assuming the other sites co-operated by placing the appropriate code into their own site.

Sweden has passed legislation concerning cookies, mandating that sites that use them include a statement to that effect and instructions on how the user can avoid them.

Article 5 Paragraph 3 of the 2002 EU telecommunication privacy Directive requires that users are informed of any cookie and have the right to refuse it. However, the December 2004 report of the EU Commission on the implementation of the directive says on page 38 that this provision is generally not implemented and a thorough analysis of the situation in the Member States is justified.

The Swedish Wikipedia has a page concerning both rules at http://sv.wikipedia.org/wiki/Wikipedia:Cookies

Cookie theft and poisoning by cross-site scripting-based attacks

Even if cookies are not dangerous per se, they contain information corresponding to a particular context: user, computer, web browser and, above all, the domain served by the web server from which the cookie originated. Bypassing this context, i.e. having this information "leak" out of it, is undesirable for the user, especially when the cookie data contains personal information, and is correspondingly valuable to an attacker. Cross-site scripting is the tool of choice to achieve this goal. Among the threats of cross-site scripting attacks, cookie theft and cookie poisoning present a risk to the user, in that they enable a transgression of the context and the trust it carries.

  • cookie theft: gathering of the user's cookie, sent to the attacker's website. The attacker can then use the cookie information for session hijacking of the user's account on the trusted/affected website.
  • cookie poisoning: bypassing the security mechanism of context based trust, the attacker can inject code resulting in a modification of the cookie content, hence making the attack persistent.

Alternatives to Cookies

Due to the limitations of and opposition to cookies described above, there are a few possible alternatives.

  • The Brownie project [1] is an open source project at SourceForge. Brownies were to be for sharing across multiple domains, as opposed to cookies that are (supposedly) constrained to a single domain. The project is no longer in development.
  • P3P is a protocol designed to give users more control of their personal information, such as cookies, when browsing Internet websites.
  • Session identifiers are unique query strings appended to URLs that permit the server to match a session with a user without the use of cookies.

Technical details

Transfer of web pages follows the HyperText Transfer Protocol. Regardless of cookies, browsers request a page from web servers by sending them a short text called an HTTP request; a request may look like:

GET http://www.w3.org/index.html HTTP/1.1
Accept: */*
 

[diagram: browser → server]

The server replies by sending the requested page preceded by a similar packet of text, called an HTTP header. This packet may contain lines requesting the browser to store cookies:

HTTP/1.1 200 OK
Set-Cookie: name=value
Content-type: text/html
 
(content of page)

[diagram: server → browser]

The Set-Cookie line is only sent if the server wishes the browser to store a cookie. In particular, it is a request that the browser store the string name=value and send it back in all future requests to the server. If the browser supports cookies and cookies are enabled, every successive page request to the same server contains the cookie:

GET http://www.w3.org/spec.html HTTP/1.1
Cookie: name=value
Accept: */*
 

[diagram: browser → server]

This is a request for another page from the same server, and it differs from the first one above because it contains the string that the server previously sent to the browser. This way, the server knows that this request is related to the previous one. The server answers by sending the requested page, possibly adding other cookies as well.

Besides the name/value pair, the server can send with the cookie an expiration date, a path, a domain name, and whether the cookie is intended only for encrypted connections. The path and domain strings tell the browser that the cookie has to be sent back to the server when requesting URLs of a given domain and path. If not specified, the domain and path strings are assumed by the browser to be the domain and path of the requested page. As a result, the domain and path strings tell the browser to send the cookie even when it normally would not. For security reasons, the cookie is accepted only if the server is a member of the domain specified by the domain string. As an example, the following is a cookie sent by a Yahoo! mail server (the value string has been changed):

Set-Cookie: DX=g=1&q=abcd&gtr=sdfsfo; expires=Thu, 15 Apr 2010 20:00:00 GMT; path=/; domain=.yahoo.com

The name of this particular cookie is simply DX, while its value is the string g=1&q=abcd&gtr=sdfsfo. The server can use an arbitrary string as the value of a cookie. In this particular case, the server collapsed the value of a number of variables in a single string. The path and domain strings / and .yahoo.com tell the browser to send the cookie when requesting an arbitrary page of the domain .yahoo.com, with an arbitrary path.

Cookies expire in three possible conditions:

  1. an expiration date has been specified by the server in the Set-Cookie line, and has passed;
  2. the server deletes the cookie explicitly by sending the string Set-Cookie: name=
  3. the browser deletes the cookie: this can be done at the user's request, at the end of the session if the cookie is not persistent, etc.
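As an added Python example that is not part of the original page, the code below applies the rules just described: it parses a Set-Cookie line like the Yahoo! one (the value is a constructed sample), defaults a missing domain and path from the URL that set the cookie, rejects a cookie set for a domain the server does not belong to, and decides whether a stored cookie accompanies a later request, including the expiry condition from the list above. All function names are my own.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample, modelled on the Yahoo! line quoted above (value altered).
SET_COOKIE = ("DX=g=1&q=abcd&gtr=sdfsfo; expires=Thu, 15 Apr 2010 20:00:00 GMT; "
              "path=/; domain=.yahoo.com")

def parse_http_date(text):
    """Accept both 'Wdy, DD-Mon-YYYY HH:MM:SS GMT' and the space-separated form."""
    return datetime.strptime(text.replace("-", " "),
                             "%a, %d %b %Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)

def parse_set_cookie(header, origin_url):
    """Split a Set-Cookie header; domain/path default to the setting host/directory."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")      # value may itself contain '=' and '&'
    origin = urlsplit(origin_url)
    cookie = {"name": name, "value": value, "domain": origin.hostname,
              "path": origin.path.rsplit("/", 1)[0] or "/",
              "expires": None, "secure": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "expires":
            cookie["expires"] = parse_http_date(val)
        elif key in ("domain", "path"):
            cookie[key] = val
        elif key == "secure":
            cookie["secure"] = True
    return cookie

def domain_matches(host, domain):
    """'.yahoo.com' covers yahoo.com and any subdomain, but not notyahoo.com."""
    suffix = domain.lstrip(".").lower()
    host = host.lower()
    return host == suffix or host.endswith("." + suffix)

def accept_cookie(cookie, origin_url):
    """Browser-side acceptance rule: a server may only set cookies for its own domain."""
    return domain_matches(urlsplit(origin_url).hostname, cookie["domain"])

def should_send(cookie, request_url, now):
    """Send only if domain and path match, it has not expired, and Secure cookies stay on https."""
    url = urlsplit(request_url)
    return (domain_matches(url.hostname, cookie["domain"])
            and (url.path or "/").startswith(cookie["path"])
            and (cookie["expires"] is None or now < cookie["expires"])
            and (not cookie["secure"] or url.scheme == "https"))
```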

Authentication

Cookies can be used by a server to recognize authenticated users and to personalize the web pages of a site depending on the preferences of a user. This can be done for example as follows:

  1. the user enters a username and password in the text fields of a login page and sends them to the server;
  2. the server receives the username and password and checks them; if they are correct, it sends back a page (for example, a page confirming that the login has been successful) together with a cookie; the server also stores the user/cookie pair;
  3. every time the user requests a page from the server, the browser automatically sends the cookie back to the server; the server compares the cookie with the stored ones; if a match is found, the server knows that the request comes from a logged-in user, and also knows which user it comes from.

This is the method commonly used by many sites that allow logging in, such as Yahoo! and Wikipedia.
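The three login steps as an added Python example, not the page's own code nor any real site's implementation: credentials are checked against salted hashes, the issued cookie is a random token, and the stored user/cookie pair is looked up from the request's Cookie header. The HttpOnly and Secure attributes are set so that a page script (see the cross-site scripting section above) cannot read the cookie and it never travels over plaintext; the class and method names and the demo user list are assumptions.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

def _hash(password, salt):
    """Slow salted hash, so stored credentials are not plaintext (demo parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionStore:
    """Server side of the three-step flow: check credentials, issue a random
    session cookie, and map the cookie back to its user on later requests."""

    def __init__(self, users):
        # constructed demo input: username -> password; only salted hashes are kept
        self._users = {}
        for name, password in users.items():
            salt = secrets.token_bytes(16)
            self._users[name] = (salt, _hash(password, salt))
        self._sessions = {}   # step 2's stored user/cookie pairs: token -> username

    def login(self, username, password):
        """Step 2: verify credentials; return the Set-Cookie header value, or None."""
        salt, expected = self._users.get(username, (b"", b""))
        # constant-time comparison; unknown users still pay for a hash, so timing is uniform
        if not hmac.compare_digest(_hash(password, salt), expected):
            return None
        token = secrets.token_urlsafe(32)   # 256 random bits from the OS CSPRNG
        self._sessions[token] = username
        c = SimpleCookie()
        c["sid"] = token
        c["sid"]["path"] = "/"
        c["sid"]["httponly"] = True  # hidden from page scripts, limiting XSS cookie theft
        c["sid"]["secure"] = True    # sent only over encrypted connections
        return c.output(header="").strip()

    def user_for(self, cookie_header):
        """Step 3: read the request's Cookie header and look up who it belongs to."""
        c = SimpleCookie()
        c.load(cookie_header or "")
        return self._sessions.get(c["sid"].value) if "sid" in c else None

    def logout(self, cookie_header):
        """Forget the server-side pair; the browser's copy alone is then worthless."""
        c = SimpleCookie()
        c.load(cookie_header or "")
        if "sid" in c:
            self._sessions.pop(c["sid"].value, None)
```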

Personalization

Cookies can also be used to allow users to make choices about a web site. For example, the Google search engine allows the user to choose how many results are to be shown for every query. The user selects such choices on the "preferences" web page and sends them to the server. The server returns the main page of the search engine, sending a string containing all user preferences as a cookie. This way, every time the user returns to the search engine, the string with all user preferences is sent to the server, which can then personalize the requested page according to those preferences.

Basket

Some on-line shopping sites allow a user, even if not logged in, to store a number of items in a virtual basket or shopping bag. The user starts navigating the site with an empty bag and can add items to the bag while visiting the site. The list of items the user has chosen can be stored using cookies. For example, the server sends an empty cookie to the browser when the user visits the first page; whenever the user adds an item to the basket, the server adds the name of the item to the cookie.

Tracing

Cookies can also be used for tracing the path of a user while visiting the web pages of a site. This can also be done in part by using the IP address of the computer requesting the page or the Referer field of the HTTP header, but cookies allow greater precision in establishing the exact path a user has followed within the site. This can be done for example as follows:

  1. if the user requests a page of the site but the request contains no cookie, the server presumes that this is the first page visited by the user; the server creates a random string and sends it as a cookie back to the browser together with the requested page;
  2. from this point on, the cookie will automatically be sent by the browser to the server every time a new page from the site is requested; the server sends the page as usual, but also stores the URL of the requested page along with the date/time and the cookie in a log file.

By looking at the log file, it is then possible to find out which pages, and in which sequence, the user has visited. For example, if the log contains some requests made using the cookie id=dfhsiw, these requests all come from the same user. The URL and time/date stored with the cookie allow finding out which pages the user has visited, and at what time.
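The two tracing steps as an added Python example (not from the original page): the server hands a random id cookie to a cookie-less request and appends every request to a log, and a second function rebuilds each user's page sequence from constructed log lines such as the id=dfhsiw one mentioned above. The class name, the log line format and the sample log are assumptions.

```python
import secrets

class VisitTracer:
    """Server side of the two-step tracing scheme: hand out a random id cookie on a
    cookie-less request, then log (time, id, url) for every request."""

    COOKIE = "id"

    def __init__(self):
        self.log = []   # the log file: (timestamp, cookie id, url) records

    def handle(self, cookie_header, url, when):
        """Process one request; return the Set-Cookie header to add, or None."""
        cid = self._cookie_id(cookie_header)
        set_cookie = None
        if cid is None:                               # step 1: first page visited
            cid = secrets.token_hex(8)
            set_cookie = f"{self.COOKIE}={cid}; path=/"
        self.log.append((when, cid, url))             # step 2: record the request
        return set_cookie

    def _cookie_id(self, cookie_header):
        for part in (cookie_header or "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == self.COOKIE and value:
                return value
        return None

    def path_of(self, cid):
        """Pages one cookie id requested, in time order (ISO timestamps sort as strings)."""
        return [url for when, c, url in sorted(self.log) if c == cid]

# Constructed log lines in the form the tracer writes: '<time> id=<cookie> <url>'
SAMPLE_LOG = [
    "2005-03-01T10:00:01Z id=dfhsiw /index.html",
    "2005-03-01T10:00:04Z id=q8zk1m /index.html",
    "2005-03-01T10:00:07Z id=dfhsiw /products.html",
    "2005-03-01T10:00:12Z id=dfhsiw /basket.html",
    "2005-03-01T10:00:15Z id=q8zk1m /contact.html",
]

def paths_from_log(lines):
    """Group log records by cookie id and return each user's page sequence."""
    grouped = {}
    for line in lines:
        when, cookie, url = line.split()
        grouped.setdefault(cookie.partition("=")[2], []).append((when, url))
    return {cid: [url for _, url in sorted(visits)] for cid, visits in grouped.items()}
```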
