Saturday, 1 December 2007

Cookie Primer.

In contradiction to the claim that no information is sent from your computer to anybody outside your system, the majority of cookies are interactive (that is, information is not only written to them but also read from them by web servers you connect to).

Cookies are an HTTP mechanism that is widely used by Web servers to store information on a Web client. This information is in the form of a small amount of text. This text is transmitted in special HTTP headers.

Tools such as WebScarab can be used to view cookies inbound over the wire. This is more effective than browser controls as:

  • JavaScript embedded on the webpage may be used to create cookies where IE and other browsers will not prompt the user
  • The cookie could have been stored on hard drives from a previous session. In this case is not a new inbound cookie and the browser will not prompt the use

Persistent Cookie (File based and stored on Hard Drive)
System cookies are stored hard drive and expire at a future date. They are only deleted by the system after the Expires date passes. The deletion of these cookies assumes that the browser has been opened after this event.

Session Cookie (Memory Based)
Session cookies will expire either by date or when the browser has been closed. This is because they are only stored in memory and are not written to disk.

Cookie Flow

Cookie Headers
HTTP 1.0

  • Set-Cookie from server to browser
  • Cookie from browser to server

HTTP 1.1

  • Set-Cookie2 from server to browser
  • Cookie2 from browser to server

The standard is that the Web browser should allow at least 4096 bytes per cookie.

The 6 Parts of a Cookie
(Netscape specifications – all similar, but there are some differences in terminology)
This is an arbitrary string used to identify the cookie so that a Web server can send more than one cookie to a user.
The domain specification contains the range of hosts that the browser is permitted to send a cookie to. This is generally a DNS specification and can be spoofed.
This is the range of URL’s where the browser is permitted to transmit the cookie.
The time on the host system when the browser must expire or delete cookie.
This flag signifies that the cookie will only be sent with SSL enabled.
The data section is the arbitrary strings of text contained within the cookie.
Part 7 of 6– P3P Field
Not technically part of the cookie, the “platform for privacy preferences” (P3P) field is a compact policy sent by the Web server using a HTTP header. IE v6 Web browsers will enable users to automatically accept cookies from sites with certain privacy policies.

The P3P specification may be found at: Http://

Some links on Cookies:

Cookies and the Law
Companies use cookies as a means of accumulating information about web surfers without having to ask for it. Cookies attempt to keep track of visitors to a Web site and to track state (as HTTP is session-less and stateless). The information that cookies collect from users may be profitable both in the aggregate and by the individual. Whether the convenience that cookies provide outweighs the loss of privacy is a question each Internet user must decide for him or herself. [3]

America OnLine has been accused of selling data based information about users. [4] This has led to an effort on the part of cookie proponents to control the amount of information that cookies collect. [5]. The Federal Trade Commission determined that Geocities, a popular web site where users input personal information, was selling information in apparent violation of its own privacy policy. [5]

Criticism of cookies has included fear of the loss of privacy. This is an issue primarily due to tracking cookies.

Tracking Cookies
HTTP is made to be “sessionfull ” by using either:

  • URL re-writing
  • Cookies

In the domain and path field of the cookie, a vague domain entry will allow the user’s browser to transmit the cookie to any machine in the domain listed. A cookie with “.com” for instance in the domain field and a path of “ / ” will allow any host in the “.com” domain to receive the cookie.

This is of course a privacy concern.

Tracking cookies are often used by advertising firms. They have their clients create a cookie that may be collected by any domain. In this way they can collect information they can be stored in databases for later correlation.

Cookies are generally legal. The issue comes when poorly configured cookies are utilised, on this account case law is sketchy at best. In Europe under the privacy provisions of the EC, it could be argued that accessing a tracking cookie that you did not create specifically (as is done by the advertising companies) is technically illegal.

In a similar fashion, it could be argued that access by third parties to cookies is an unauthorised access to data under US federal law.

The problem of both of these examples is that the law is untested. The easiest path is generally to seek a breach of contract (a privacy contract as sent within a cookie is a legally enforceable contract). In Europe breach of this contract could be a criminal offence.

An issue is that DNS spoofing is easy (and cookies rely on DNS).


  1. Peter Krakaur, Web Cookies, Fortune Cookies, and Chocolate Chip Cookies.
  2. Stephen T. Maher, Understanding Cookies: A Cookies Monster?
  3. Jonathan Rosenoer, Cyberlex, July 1997.
  4. See Webcompanies Announce Privacy Standards (announcing partnership of Netscape, VeriSign and Firefly).
  5. Internet Site Agrees to Settle FTC Charges of Deceptively Collecting Personal Information Agency's First Internet Privacy Case, FTC News Release, August 13, 1998.
  6. See, e.g., Deja News.

No comments: