This information is provided by Johnson Consulting

Cookies; a brief explanation

This page will explain what cookies are, and how they can be used. They cannot be eaten (not this kind!), but they are useful for a lot of other purposes. First off; what are they?

Cookies are very small files (rarely bigger than 1 KByte) that some websites that you visit with your browser attempt to store on your hard disk, usually in a folder that your operating system has assigned for that purpose. They are usually used to store information about you, such as your preferences when visiting that site. For example, if you inquire about a flight schedule at an airline's website, the site might create a cookie that contains your itinerary. Or it might only contain a record of the pages you looked at within the site you visited, to help the site customize the view for you the next time you visit that site.

Example of Cookie-listing

Figure 1

Cookies can also store personally identifiable information. That is information that can be used to identify or contact you, such as your name, e-mail address, home or work address, or telephone number. However, a website only has access to the personally identifiable information that you voluntarily provide. For example, a website cannot determine your e-mail name unless you provide it. Also, a website cannot gain access to other information on your computer. Cookies can thus not be used as spying tools, the way trojan horses can be used.

There are several types of cookies, and you can choose whether to allow some, none, or all of them to be saved on your computer. If you do not allow cookies at all, you may not be able to view some websites or take advantage of customization features (such as local news and weather, or stock quotes).

Enabling either Single or Class C affinity ensures that only one cluster host handles all connections that are part of the same client session. This is important if the server program running on the cluster host maintains session state (such as "server cookies") between connections.

Figure 1 above shows an example of cookies.
The first field shows the domain name or IP-address of the website which has provided the cookie.

The second field shows the expiry date of the cookie. But it is not automatically removed at that date. It is either removed by the website the next time you visit, or by an anti-virus program that you might have set to do just that, usually at time of booting up the computer. You can also (of course!) remove the cookie manually.

The third field shows the name of the cookie. But the name listed in Windows explorer is usually different, and has a "@" in it.

The fourth field shows the content of the cookie, usually a long line of rather incomprehensible parameters. These are read and modified by a script on the website which put the cookie on your computer.

Once a cookie is saved on your computer, only the website that created that cookie can read it.

Your Privacy Settings

Windows Internet Explorer allows the use of cookies, as do other browsers. However, you can change your privacy settings to specify that Internet Explorer should prompt you before placing a cookie on your computer (this enables you to allow or block the cookie); or you can prevent Internet Explorer from accepting any cookies altogether.

You can use the Internet Explorer privacy settings to specify how you want Internet Explorer to handle cookies from an individual website or all websites. You can also customize your privacy settings by importing a file containing custom privacy settings, or by specifying custom privacy settings for all websites or individual websites.

Privacy settings only apply to websites in the Internet zone. In the example at right (figure 2), you find a listing of all the websites that provide content to the website you are visiting. Since they are usually linked to this site, they can all, theoretically, want to place cookies on your computer. So, don't be surprised if you end up with cookies from websites you have never been to!

You can see from this example that most contributing websites provide no cookies. There are two webpages on the site that is being visited that do, however. One cookie is here accepted, the other has been blocked.

You might have noticed that the "Privacy icon" appears in the Windows status bar whenever your privacy settings restrict an icon. And when a webpage you visit is thus prevented from placing a cookie in your computer, you will see the announcement in figure 3.

Example of Windows privacy report

Figure 2

Notice about the Privacy icon

Figure 3

Types of cookies

Persistent cookies

A persistent cookie is one stored as a file on your computer, and it remains there when you close Internet Explorer. The cookie can be read and updated by the website that created it when you visit that site again.

Temporary cookies

A temporary or session cookie is stored only for your current browsing session, and is deleted from your computer when you close Internet Explorer. A "session" is here defined as the duration of time that you have a particular browser window open. You can visit several websites during a "session", and each of them can keep track of the session, either by using a Log-in (which is terminated by a timer on the website) or by a cookie.

First-Party vs. Third-Party cookies

A first-party cookie either originates on or is sent to the website you are currently viewing. These cookies are commonly used to store information, such as your preferences when visiting that site.

A third-party cookie either originates on or is sent to a website different from the one you are currently viewing. Third-party websites usually provide some content on the website you are viewing, as shown in figure 2. For example, many sites use advertising from third-party websites and those third-party websites may use cookies. A common use for this type of cookie is to track your webpage use for advertising or other marketing purposes. Third-party cookies can either be persistent or temporary.
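
The types described above can be read straight off the Set-Cookie header a site sends. The following is an added example, not code from the original page: it parses a header into the fields listed for figure 1 and labels the cookie persistent or temporary, first-party or third-party. The hosts and cookie values are constructed, and the same-site check is a simplified domain match (real browsers also consult a public-suffix list).

```javascript
// Added example. Hosts and cookie values below are constructed.
// Assumption: "same site" is decided by plain domain matching against the
// page host, without the public-suffix list real browsers consult.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error("not a name=value cookie");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// pageHost: the site you are viewing; responseHost: the host that sent the header.
function classify(header, pageHost, responseHost) {
  const c = parseSetCookie(header);
  const domain = c.attrs.domain || responseHost;
  // An expiry attribute is what makes a cookie persistent.
  const persistent = "expires" in c.attrs || "max-age" in c.attrs;
  return {
    name: c.name,
    domain,
    lifetime: persistent ? "persistent" : "temporary",
    party: domainMatches(pageHost, domain) ? "first-party" : "third-party",
  };
}

// Constructed responses received while viewing www.shop.example.
const samples = [
  ["lang=en; Path=/", "www.shop.example"],
  ["cart=7f3a; Expires=Wed, 02 Jan 2008 00:00:00 GMT; Domain=.shop.example", "www.shop.example"],
  ["uid=0123456789abcdef; Max-Age=31536000; Domain=.tracker.example", "ads.tracker.example"],
];
for (const [header, from] of samples) {
  console.log(classify(header, "www.shop.example", from));
}
```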

Unsatisfactory cookies

Unsatisfactory cookies are cookies that might allow access to personally identifiable information that could be used for a secondary purpose without your consent.

Cookies for authentication purposes

Though designed to allow quick identification of users for personalized services, cookies are increasingly being used by some websites for authentication purposes. If someone is able to steal two Hotmail cookies from your computer, that person can gain access to your Hotmail account, even if you change your password. At Hotmail, the information contained in cookie files can be used to access an account even after the password has been changed.

Making matters worse, security experts agree that gaining access to a user's cookie files is typically a "trivial" task. Microsoft said it has several measures in place to guard against "cookie-based replay attacks." Security experts, however, said that for users who want the convenience that cookies can provide, it will be very difficult to protect against attacks. Check out Wired's website for more info.
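
Why an authentication cookie can outlive a password change, and how a server can prevent it, is shown in the following added example (Node.js; it is not code from the original page and not how Hotmail works). The account table, the cookie layout and the pwVersion counter are assumptions made for the illustration.

```javascript
const crypto = require("crypto");

// Constructed demo state: a server-side MAC key and one account record.
const SERVER_KEY = crypto.randomBytes(32);
const accounts = { alice: { pwVersion: 1 } };

function sign(data) {
  return crypto.createHmac("sha256", SERVER_KEY).update(data).digest("hex");
}
function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Weak design: the cookie only proves that <user> logged in at some point,
// so it stays valid forever, including after a password change.
function issueWeak(user) {
  return `${user}.${sign(user)}`;
}
function verifyWeak(cookie) {
  const [user, mac] = String(cookie).split(".");
  return safeEqual(mac, sign(user)) ? user : null;
}

// Hardened design: the MAC also covers the account's password version and
// an expiry time, and the server re-checks both on every request.
function issueBound(user, nowSec, ttlSec) {
  const body = `${user}.${accounts[user].pwVersion}.${nowSec + ttlSec}`;
  return `${body}.${sign(body)}`;
}
function verifyBound(cookie, nowSec) {
  const parts = String(cookie).split(".");
  if (parts.length !== 4) return null;
  const [user, version, expires, mac] = parts;
  if (!safeEqual(mac, sign(`${user}.${version}.${expires}`))) return null;
  const account = accounts[user];
  if (!account || Number(version) !== account.pwVersion) return null;
  return nowSec < Number(expires) ? user : null;
}

// Changing the password bumps the version, which revokes old bound cookies.
function changePassword(user) {
  accounts[user].pwVersion += 1;
}
```

A cookie from issueWeak is still accepted after changePassword, while one from issueBound is rejected, so a copied cookie stops working as soon as the owner changes the password or the expiry time passes.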

Help programs for handling cookies

There are of course programs available on the web for handling cookies. I will just mention two of them here.

Paraben's Cookie Manager works with Microsoft Windows (almost all versions) and with most browsers, and is a neat little program that works in coordination with your browser. It can be set to alert you every time a cookie is to be stored or updated on your hard drive, tell you where it comes from and ask you if it's OK. Well, so can Netscape and Internet Explorer.

Zone Labs has a utility where you can have your cookie-folder scanned on-line. The result is presented as in the example in figure 5. If we click on the first cookie (for instance), Zone Labs' "Alert Advisor" presents us with the following type of info (in very condensed form):

Type of threat: 3rd Party Cookie.

Description: 3rd Party Cookies are used to deliver information about your Internet activity to marketers.

Distribution: This cookie is set during visits to many different websites. The cookie originates from 2o7.net which is owned by Omniture, Inc. See the links section below for information regarding Omniture's Privacy Policy and other articles.

Privacy Violations: Yes. This type of cookie allows companies to track information about your Internet activity. This data can either be anonymous or connected with a particular user.


Which is quite informative.

Example of Zone Labs Security Scanner result

Figure 5

Are they spying on us?

A cookie from Google

Figure 6

Who are "they"? The government? Well, sure, but if we confine ourselves to talking about cookies here, then, in a way, yes, they are spying. And by "they", we mean:

  • a lot of those websites which perceive that they can sell us something
  • hackers
  • search engines

They all make cookies which they try to plant in our machines. First off, let's be clear that the code contained in cookies cannot execute any program that alters anything in our computer, nor can the scripts in the cookies themselves do any such thing. They can only gather information, and only such information as you choose to make available to them.

Let's look at Google, as an example. You can see from the example in figure 6 above, that both Google.com and Google.se have planted cookies in one of my machines.

The expire date is set to year 2038, so those cookies are intended to stay there after I'm dead and buried, unless my hard disk goes to the junkyard before then.

Looking at the content, we can see I have been assigned a 16-digit ID-number. This ID-number is unique for me; no one else in the world has exactly the same number. This number is stored in a HUGE data base at Google, and every time I visit their website they will check this number and match it with the IP-address that I have. Since this computer happens to run via a modem to a modem pool at my ISP (= Internet Service Provider), I get a new IP-address from the ISP's server every time I connect to the Internet.

What does Google do with this information? Presumably building up information storage for future commercial use. But Google Inc. is an American company. Suppose I did something "bad" on the Internet, and the US authorities wanted to track me down. Google would in all likelihood have to reveal this information about me. So, by seeing my IP-addresses, they will know which webserver I have been using for accessing the Internet, and thus, they will know the identity of my ISP.

Next, they will ask my ISP to reveal logging information from their server for the relevant time. Using this, they can match my IP-address with my phone number, and from my phone operator they can then find out my address. If I was not smart enough to use a mobile phone with an unregistered number or a public phone booth when I performed my "clandestine" activities, they can nail me down.

Now, if you read this again, you will note that it is quite sufficient for me to have made just one call from my private home telephone to the ISP modem pool, and all the others from a phone booth. They can still find me, because they can match my ID-number with all the calls I have made to the Internet where I have been using Google's services. They have my Google ID-number. All they need is one instance where my private phone number can be tracked down.

Naturally, I could use "session"-cookies, i.e. I could set my anti-virus-program or any other program suitable for the purpose to delete my cookies after every visit to the Internet. Then, next time I visit Google they can't be sure who I am, and thus I'll get a new ID-number. So: be smart, not paranoid.

How it works

If you look at figure 7 at right, you can see how a cookie is handled in a simple scenario. It could go like this:
  1. The commercial site uploads a webpage to its webserver.

  2. The webpage references script code that instructs the browser of the visitor's computer to store a cookie on its hard disk.

  3. So, when a browser fetches that webpage, it attempts to store that cookie on the visitor's hard disk.

  4. The visitor's actions (what pages he visits, what links he clicks on, what answers he provides to queries, etc.) are noted by scripts on the servers. Some of this information is passed back to the cookie on the visitor's computer.

  5. The information stored on the server is retrieved and processed, often in real-time.

  6. At future visits to the same webpage, the scripts check for the cookie. If it's still there, the stored information is retrieved, and helps the visitor in various ways, such as providing preferred webpages and key information whenever he fills in forms, saving him a lot of typing.

Example of how a cookie is handled

Figure 7

Example of Cookie

Here is a simple example of a cookie, generated with JavaScript, connected to this webpage. The script asked you for your name the first time you came to this page, as you probably noticed. It then stored that name (if you provided one) in a cookie which it placed on your hard drive. If you don't allow the storing of cookies, this should still work, as long as you have your computer running. This little cookie does not do anything but keep track of your name, and the number of times you have visited this page. Every time you fetch this webpage anew, you will see that the little counter at left increases one step.
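
A script of the kind described here, and in the steps under "How it works", could look like the following. This is an added example, not the script this page originally used; the cookie names "visitor" and "visits", the 365-day lifetime and the SameSite setting are assumptions.

```javascript
// Cookie names "visitor" and "visits" and the 365-day lifetime are assumptions.

// Parse a document.cookie string ("a=1; b=2") into a prototype-free object.
function readCookies(cookieString) {
  const jar = Object.create(null);
  for (const part of cookieString.split(";")) {
    const i = part.indexOf("=");
    if (i === -1) continue;
    let value = part.slice(i + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    jar[part.slice(0, i).trim()] = value;
  }
  return jar;
}

// Build one assignment for document.cookie. The expires date is what makes
// the cookie persistent; without it the cookie lasts for the session only.
function buildCookie(name, value, days, now) {
  const expires = new Date(now.getTime() + days * 864e5).toUTCString();
  return `${name}=${encodeURIComponent(value)}; expires=${expires}; path=/; SameSite=Lax`;
}

// One page load: read the jar, ask for a name only when none is stored,
// bump the counter, and return the cookies to write back.
function recordVisit(cookieString, askName, now) {
  const jar = readCookies(cookieString);
  const name = jar.visitor || askName() || "";
  const prior = Number.parseInt(jar.visits, 10);
  // The cookie is user-editable, so reject anything that is not a positive count.
  const visits = (Number.isInteger(prior) && prior > 0 ? prior : 0) + 1;
  const toWrite = [buildCookie("visits", String(visits), 365, now)];
  if (name) toWrite.push(buildCookie("visitor", name, 365, now));
  return { name, visits, toWrite };
}

// Browser glue: runs only where a document exists (skipped under Node).
if (typeof document !== "undefined") {
  const r = recordVisit(document.cookie, () => prompt("What is your name?"), new Date());
  r.toWrite.forEach((c) => { document.cookie = c; });
  document.title = `${r.name || "Visitor"}: visit number ${r.visits}`;
}
```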


Last Updated: 2007-01-02
Author: Ove Johnsson