HTTP cookie An HTTP cookie (usually called simply a cookie) is a packet of information sent by a server to a World Wide Web browser and then sent back by the browser each time it accesses that server. They were invented by Lou Montulli, a former employee of Netscape Communications. Purpose Cookies can contain any arbitrary information the server chooses and are used to maintain state between otherwise stateless HTTP transactions. Typically this is used to authenticate or identify a registered user of a web site as part of their first login process or initial site registration without requiring them to sign in again every time they access that site. Other uses are maintaining a "shopping basket" of goods selected for purchase during a session at a site, site personalisation (presenting different pages to different users), and tracking a particular user's access to a site. Permission A browser may or may not allow the use of cookies. The user can usually choose a setting. Microsoft Internet Explorer Tools > Internet Options > Privacy Tab Use slider to set options, or use advanced options Mozilla Firefox Tools > Options > Privacy OR Edit > Preferences > Privacy Set options under Cookies Exceptions allows per domain settings of block/allow Stored Cookies opens a cookie management window, showing details of stored cookies, allowing them to be deleted or blocked Permanence A cookie often stays on the user's computer for use in the next session (though it can be erased by the user in between), but it can also be for use within a session and be erased at the end of the session. Identification If more than one browser is used on a computer, each has a separate storage area for cookies. Hence cookies do not identify a person, but a combination of a computer and a web browser. Thus, a single person who uses multiple browsers and/or computers will have a distinct set of cookies for each computer/browser combination. On the other hand, cookies do not differentiate between multiple users who share a computer and browser, unless they use different user accounts. Opposition to cookies Some people are opposed to the use of cookies on the Web. Below are some of their reasons. Inaccurate identification See above. Privacy, anonymity and advertising Cookies also have some important implications with respect to a user's privacy and anonymity on the web. One way is that some companies monitor users' visits to disparate web sites for marketing purposes. Some sites contain images called web bugs (that are transparent and only one pixel in size, so that they are not visible) that place cookies on all computers that access them. E-commerce websites can then read those cookies, find out what websites placed them, and send e-mail spam advertisements for products related to those websites. Companies that use this system defend it as an effective way to give consumers access to products in which they are likely to be interested. If sites that place these tracking cookies are paid by the commercial operator, the revenue can allow them to place their content online at no cost to the creators. Sweden has passed legislation concerning cookies, mandating that sites that use them include a statement to that fact, and includes instructions on how the user can avoid them. Cookie theft and poisoning by cross site scripting based attacks Even if cookies are not dangerous per se, they contain information corresponding to a particular context : user, computer, web browser, and above all domain served by the web server from where it originated. Bypassing this context, i.e. having this information 'leak' out of this context is undesirable for the user, especially when the cookie data contains personal information. This bypassing in turn represents a valuable undertaking for an attacker. Cross site scripting is the tool of choice to achieve this goal. Among the threats of cross site scripting attacks, cookie theft and cookie poisoning present a risk to the user, in that they enable a transgression of the context and the trust it carries. cookie theft: gathering of the user's cookie, sent to the attacker's website. The attacker can then use the cookie information for session hijacking of the user's account on the trusted/affected website. cookie poisoning: bypassing the security mechanism of context based trust, the attacker can inject code resulting in a modification of the cookie content, hence making the attack persistent. The Future of Cookies A few alternatives to cookies have been proposed, e.g. The Brownie project, an open source project at SourceForge. Brownies were to be for sharing across multiple domains, as opposed to cookies that are (supposedly) constrained to a single domain. The project is no longer in development. References External links Persistent client state - HTTP cookies - Preliminary specification (Netscape) Session Fixation (PDF) The unofficial cookie faq "Can you show me what XSS cookie theft looks like?" (excerpt from the Cgisecurity Cross Site Scripting FAQ) CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests : cf. 'Attacks May Be Persistent Through Poisoned Cookies' paragraph description of a cookie poisoning attack Are Cookies Dangerous An article explaining what cookies are and what to be careful of. FAVORITE ARTICLES: History of the World    History of the United States    History of Europe    Ancient History    History    Military History    World War I    Bombing of Dresden    California    US Constitution    Frank Sinatra    Boston    Marbury v. Madison This article is licensed under the GNU Free Documentation License at http://www.gnu.org/copyleft/fdl.html You may copy and modify it as long as the entire work (including additions) remains under this license. You must provide a link to http://www.gnu.org/copyleft/fdl.html To view or edit this article at Wikipedia go to http://www.wikipedia.org/wiki/HTTP_cookie