An HTTP cookie is a small piece of text, often encoded, that a server sends to the browser and that the browser sends back to the same server with every subsequent request to it. Cookies are used for authentication and for tracking user behavior; typical applications include retaining user preferences and implementing the popular "shopping cart".
Most misconceptions about cookies rest on the wrong impression that these text files could contain executable code; in fact, they contain only plain text and therefore cannot execute any operation. They are neither spyware nor viruses, although some antivirus and anti-spyware programs do detect them.
Web servers use cookies to tell users apart and to react to their actions across a session consisting of several separate transactions. They were invented in order to implement a virtual shopping cart. Typically the user first authenticates through the login form and then browses the website, adding items to the basket or removing them. At the end, the user wants to see all the items in the basket and the final price, and then decides whether to order, cancel some items, add new ones, and so on. All of this ends with closing the session via the logout button.
User authentication on a server is another application of cookies: the cookie lets the server know that a user has logged in, and consequently the server grants that user access to actions reserved for logged-in users.
Cookies typically contain user data of little importance to the user or the browser, but of great importance to the server. The browser receives the cookie and returns it to the server, introducing a "memory" of earlier events into the HTTP request. HTTP itself is stateless (in other words, each request is an isolated event with no connection to previous or future HTTP requests to the same server). By returning a cookie, however, the browser allows the server that originally sent it to link the current request with previous ones, creating a so-called session. Besides the web server itself, cookies can also be created by web applications running on the server that communicate with clients over HTTP, whether written in programming languages such as Java or C# or in server-side scripts.
When creating a cookie, an expiration date can be specified; otherwise the cookie is deleted when the browser is closed. An online shop, however, might want to retain the contents of your shopping basket between sessions, so that the next time you visit you do not have to look up all the products again. In this case, the server hosting the shop creates a cookie with a somewhat longer expiration date. Only cookies with an explicitly stated, longer-term expiration "survive" between sessions; these are called 'persistent' cookies.
Misconceptions regarding cookies are as old as the mechanism itself. In 2005, Jupiter Research published the results of a survey, according to which a large part of the respondents believed that:
- Cookies are similar to worms and viruses and are capable of erasing data on your hard disk;
- Cookies are a form of spyware, capable of reading personal information stored on your PC;
- Cookies generate popups (ads that suddenly appear when you navigate to a particular web page, and that are extremely annoying);
- Cookies are used to send spam;
- Cookies are a form of advertising.
In fact, cookies contain only data, not code (executable instructions): they can neither delete nor read anything on the user's PC. They do, however, allow the detection of the pages a user visits on one or more sites. This information can be collected into an anonymous user profile that contains only an IP address, with NO personal information such as name or address unless the user has supplied such data. Although these navigation preferences are stored as anonymous in theory, they have still raised suspicions regarding the anonymity of the internet user.
Moreover, according to the same survey, many respondents did not know how to erase the cookies retained by their browsers.
The HTTP protocol includes mechanisms (such as digest access authentication) that allow access to a web page only after a username and password are provided; the browser retains these and transmits them to the application server with each request, without the user having to enter them every time. From this point of view, things happen as if the browser were using cookies. Nevertheless, transmitting the password (and username) is delicate, as the traffic can be intercepted. The session identifier (the information that could have been intercepted had cookies been used) expires quickly after being used, making it useless to a potential attacker looking to steal your credentials.
Cookies expire, and therefore are not sent by the browser to the server under the following circumstances:
- At the end of a session (for example, when the browser is closed) if that is not a persistent cookie
- If an expiration date was specified and that date has already passed at the time of the request
- If the expiration date is changed (by server or script) to a date in the past
- If the browser deletes the cookie on the request of the user
The third condition is what allows a server or a script to explicitly delete a cookie.
Servers can use cookies to recognize authenticated users and to build and send pages according to the users' preferences (personalization). For example:
- The user enters the username and password in the input fields of a page and submits it to the server;
- The server receives the username and password and verifies them; if they are correct, it sends a confirmation page to the user together with a cookie, and it also stores the name/cookie pair (or just the cookie);
- Every time a page on that server is accessed, the browser sends the cookie along with the request; the server compares the received cookie with the stored one, decides whether the request comes from an authenticated user, and sends the appropriate page.
This is the method used by almost all sites.
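The login flow in the steps above, together with the expiration rules from the earlier list, as an added Python example that is not part of the original article. The credential store, the cookie name `sid` and the `SessionServer` class are constructed for illustration; it uses only the standard-library `http.cookies` module.

```python
"""Server-side session handling over cookies (constructed example)."""
import secrets
from http.cookies import SimpleCookie

# Constructed credential store; a real server would hold salted password hashes.
USERS = {"alice": "correct horse battery staple"}


class SessionServer:
    """Maps random session ids to usernames: the stored name/cookie pair."""

    def __init__(self):
        self.sessions = {}  # session id -> username

    def login(self, username, password, persistent=False):
        """Return the Set-Cookie header value on success, or None on failure."""
        if USERS.get(username) != password:
            return None
        sid = secrets.token_urlsafe(32)  # unguessable, so it cannot be forged
        self.sessions[sid] = username
        c = SimpleCookie()
        c["sid"] = sid
        c["sid"]["httponly"] = True   # not readable by page scripts
        c["sid"]["secure"] = True     # only sent over HTTPS
        c["sid"]["samesite"] = "Lax"  # not sent on cross-site form posts
        if persistent:
            c["sid"]["max-age"] = 7 * 24 * 3600  # survives a browser restart
        return c.output(header="").strip()

    def user_for(self, cookie_header):
        """Look up the 'Cookie:' request header; None means not authenticated."""
        c = SimpleCookie()
        c.load(cookie_header or "")
        sid = c["sid"].value if "sid" in c else None
        return self.sessions.get(sid)

    def logout(self, cookie_header):
        """Drop the server-side record and tell the browser to expire the cookie."""
        c = SimpleCookie()
        c.load(cookie_header or "")
        if "sid" in c:
            self.sessions.pop(c["sid"].value, None)
        gone = SimpleCookie()
        gone["sid"] = ""
        gone["sid"]["max-age"] = 0  # expiry in the past: the browser discards it
        return gone.output(header="").strip()
```

The server-side check is what matters: once `logout` removes the id from `sessions`, a copy of the old cookie is useless even if the browser never honours the `Max-Age=0`.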