Cookies are one of the most popular terms in the internet world. Do you know what a cookie is and what its purpose is? Many people say that cookies reveal our private information to website owners and that they are not safe. In this article I try to reveal some facts about cookies and what they do on our systems.
Cookies got a lot of attention in the internet security area in and around 2000. At that time the most popular definition of cookies went like this: cookies are programs inserted by a website on your hard disk when you visit the site; they collect all information related to your activities and send it to the website owners. This definition is wrong and misleading.
Actually, cookies are small pieces of text, not programs. Can a simple piece of text collect all the information related to you? Can it communicate automatically with its website owner? The fact is that it cannot collect any information from you. Cookies consist of name-value pairs. They are set by the website.
When you visit a site, the server sets a user id for you and it is stored on your hard disk. When you visit the site again, the server can recognize you as a previous visitor. If you delete the cookie, you will get a new user id and be treated as a new user. Usually the user id is collected. But many sites insert other values too, like session time and session id.
How does data move using cookies?
When you enter a URL, the browser sends a request to the corresponding server to retrieve data. For example, when you enter WWW.GOOGLE.COM, the browser checks for cookies related to Google. If any are found, the data in the cookie is sent along with the request.
There are also options in our browsers to remove cookies. Cookies actually provide an easy user interface with the website.
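The exchange described above (the server assigns a user id, the browser stores it and sends it back on the next visit), as an added example that is not part of the original article. It uses Python's standard `http.cookies` module; `server_handle`, `Browser`, `KNOWN_VISITORS` and the host names are hypothetical, and a single function stands in for every site's server.

```python
import secrets
from http.cookies import SimpleCookie

KNOWN_VISITORS = set()   # server-side record of user ids it has issued


def server_handle(cookie_header):
    """Return (status, Set-Cookie value or None) for one request."""
    jar = SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)          # parse "name=value; name2=value2"
    uid = jar["user_id"].value if "user_id" in jar else None
    if uid in KNOWN_VISITORS:
        return "returning visitor", None
    # No cookie, or an id the server never issued: assign a fresh one.
    new_uid = secrets.token_hex(8)
    KNOWN_VISITORS.add(new_uid)
    reply = SimpleCookie()
    reply["user_id"] = new_uid
    reply["user_id"]["path"] = "/"
    reply["user_id"]["httponly"] = True  # not readable by page scripts
    return "new visitor", reply["user_id"].OutputString()


class Browser:
    """Minimal cookie store: one dict of name -> value per host."""

    def __init__(self):
        self.store = {}

    def visit(self, host):
        pairs = self.store.get(host, {})
        # Only cookies saved for this host are attached to the request.
        header = "; ".join(f"{k}={v}" for k, v in pairs.items()) or None
        status, set_cookie = server_handle(header)
        if set_cookie:
            parsed = SimpleCookie()
            parsed.load(set_cookie)      # attributes such as Path are skipped
            for name, morsel in parsed.items():
                self.store.setdefault(host, {})[name] = morsel.value
        return status

    def clear_cookies(self, host):
        self.store.pop(host, None)       # the browser's "remove cookies" option
```

The cookie is only data that the browser replays; recognition happens on the server, which is why an id it never issued is treated as a new visitor.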
2 Responses So Far:
Thanks for this quick note. I also heard similar things but while programming myself never saw a program called cookie.
Agree with your arguments that it is not directly a threat to security. The following things may still be good to be aware of:
a) Some badly written programs may expose some useful information by storing it in the cookies, which others may misuse. For example, the user id itself.
b) Since cookies are stored and used by programs at a later stage, if an application saves a cookie that supports authentication etc. and you have used a shared computer, others may have access to your data on next use.
Even this explanation oversimplifies to the point of slightly misleading.
[quote]When you visit a site, server set a user id for you and it is inserted in your hard disk.[/quote]
More accurately, the server instructs the browser that it _should_ save the cookie value (i.e. "write it to the hard disk") and which domains/URLs should be able to read it.
Different browsers and extensions have the ability to customize what happens after the browser receives this instruction. Some browsers conditionally allow cookies (if the website/domain/URL/cookie is not blacklisted) and some flat out deny all cookies (i.e. "Privacy Mode") which also has the side effect of not allowing the website to know that you've registered/logged in (authenticated) previously.
I think I'd also like to see some of the common misconceptions debunked as well. There have been a lot of FUD articles/postings since cookies became a fear issue circa 1994. A few websites have completely misused them and a few older browsers did not do enough to secure cookie files.
This is a good first pass! Thanks.