LIS 525 - Cookies

What Cookies Are

A cookie is a small piece of named information. A server may send one to the browser in the HTTP response that carries an HTML page (or any other document), or a script running in the browser, written in a language such as JavaScript (as is done on this page) or Flash, may create one dynamically. The browser keeps the cookie (persistent cookies are saved to the hard drive, session cookies only in memory) and, when the same server is accessed at a later time, sends the stored information back to it.

A cookie is always associated with a specific domain, and the browser returns it only in requests to hosts in that domain; a page on another site cannot read it. (A page on another site can, however, embed an image or script fetched from the cookie's domain, and the cookie then travels with that embedded request; this is the basis of the third-party tracking described below.) The domain does not have to be exactly the host of the page that created the cookie: a page on www.example.com may, for example, set a cookie for example.com so that every host under it receives it, but a site cannot set cookies for an unrelated domain.

Persistent cookies carry an expiration date, after which the browser deletes them; session cookies have none and disappear when the browser is closed.

According to Security Space (October, 2007), about 27% of Web servers send cookies.

How Cookies Are Transmitted and Stored

Cookies can be inserted in the HTTP response header on the server side by a CGI script or by other server-side code, such as an Active Server Pages script.

The following format is used in the HTTP response header to set a cookie on the browser's machine (the parts are separated by semicolons, and all but the first are optional):

Set-Cookie: name=value; expires=date; path=path; domain=domainname; secure
name=value is the only required part of the cookie: name is the name of the cookie, and value is a string of characters (which may itself contain "=" and ":", as in the example below). The format of the expires value is Wdy, DD-Mon-YYYY HH:MM:SS GMT; a cookie sent without expires is a session cookie. The default value of domain is the host name of the server, and a server may name only its own host or a parent domain of it. The path value specifies the subset of URLs in the domain for which the cookie is valid; the default is the path of the document with which the cookie was sent. If secure is included, the cookie will be sent back only over an encrypted (SSL) connection. An example (taken from Google) is
Set-Cookie: PREF=ID=3ad3336f16f46902:LD=en:TM=1020177524:LM=1020177524:S=d5Bj1fRughE; path=/; expires=Sun, 17-Jan-2038 19:14:07 GMT

When about to request a URL, the browser checks it against all stored cookies: the host against each cookie's domain, the path against its path, the scheme against the secure flag, and the current time against its expiration date. If any match, a Cookie header listing their names and values is included in the HTTP request. Only name=value pairs are sent, separated by semicolons; the path, expires, domain and secure attributes belong to Set-Cookie and are never echoed back. For example

Cookie: PREF=ID=1d8f58976d9d2204:TM=1020177794:LM=1020177794:S=JAZ052LRrQE
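As an added example (not code from the original page), the following JavaScript models what the browser does with these two headers: it parses a Set-Cookie header received for a given URL, filling in the default domain and path described above, and then builds the Cookie request header for a later URL by matching domain, path, the secure flag and the expiration date. The PREF cookie is the Google example quoted above; the example.com SID cookie and the dates are constructed for the demonstration.

```javascript
// Added example, not code from the original page: a minimal model of how a
// browser stores a Set-Cookie header and later builds the Cookie header.
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Parse the expires format "Wdy, DD-Mon-YYYY HH:MM:SS GMT" into a Date;
// returns null if the string does not have that shape.
function parseExpires(s) {
  const m = /^[A-Za-z]{3}, (\d{2})-([A-Za-z]{3})-(\d{4}) (\d{2}):(\d{2}):(\d{2}) GMT$/
    .exec(s.trim());
  if (!m || MONTHS[m[2]] === undefined) return null;
  return new Date(Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]));
}

// Default path when none is given: the requested document's directory.
function defaultPath(pathname) {
  const i = pathname.lastIndexOf('/');
  return i <= 0 ? '/' : pathname.slice(0, i);
}

// Turn a Set-Cookie header received in the response to requestUrl into a
// stored cookie record, applying the defaults described in the text.
function parseSetCookie(header, requestUrl) {
  const url = new URL(requestUrl);
  const parts = header.replace(/^Set-Cookie:\s*/i, '').split(';')
    .map(p => p.trim()).filter(p => p.length > 0);
  const eq = parts.length ? parts[0].indexOf('=') : -1;
  if (eq < 0) throw new Error('Set-Cookie needs name=value');
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),        // may itself contain "=" and ":"
    domain: url.hostname.toLowerCase(),   // default: the server's host name
    path: defaultPath(url.pathname),      // default: the document's path
    expires: null,                        // null means a session cookie
    secure: false,
  };
  for (const attr of parts.slice(1)) {
    const [key, ...rest] = attr.split('=');
    const val = rest.join('=');
    switch (key.trim().toLowerCase()) {
      case 'domain':  cookie.domain = val.replace(/^\./, '').toLowerCase(); break;
      case 'path':    cookie.path = val; break;
      case 'expires': cookie.expires = parseExpires(val); break; // bad date -> session cookie
      case 'secure':  cookie.secure = true; break;
      // unknown attributes are ignored, as browsers do
    }
  }
  return cookie;
}

// Does cookiePath cover requestPath? "/" covers everything; "/account"
// covers "/account" and "/account/orders" but not "/accounts".
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Should a stored cookie accompany a request to url made at time now?
function cookieMatches(cookie, url, now = new Date()) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  const domainOk = host === cookie.domain || host.endsWith('.' + cookie.domain);
  const secureOk = !cookie.secure || u.protocol === 'https:';
  const liveOk = cookie.expires === null || cookie.expires > now;
  return domainOk && pathMatches(cookie.path, u.pathname) && secureOk && liveOk;
}

// Build the Cookie request header: only name=value pairs, separated by "; ";
// the attributes are never echoed back. Returns null if nothing applies.
function cookieHeader(jar, url, now = new Date()) {
  const pairs = jar.filter(c => cookieMatches(c, url, now))
                   .map(c => `${c.name}=${c.value}`);
  return pairs.length ? 'Cookie: ' + pairs.join('; ') : null;
}

// Constructed sample jar: the Google PREF cookie quoted above (received on a
// plain-http search page) and a hypothetical secure SID cookie scoped to
// example.com and /account.
const jar = [
  parseSetCookie('Set-Cookie: PREF=ID=3ad3336f16f46902:LD=en:TM=1020177524:LM=1020177524:S=d5Bj1fRughE; path=/; expires=Sun, 17-Jan-2038 19:14:07 GMT',
                 'http://www.google.com/search?q=cookies'),
  parseSetCookie('Set-Cookie: SID=abc123; domain=.example.com; path=/account; secure',
                 'https://www.example.com/account/login'),
];
const now = new Date(Date.UTC(2007, 9, 31)); // the page's date, for reproducibility
console.log(cookieHeader(jar, 'http://www.google.com/', now));
console.log(cookieHeader(jar, 'http://www.example.com/account/', now));         // null: secure cookie, plain http
console.log(cookieHeader(jar, 'https://shop.example.com/account/orders', now));
```

Note that the secure SID cookie is withheld from the plain-http request even though domain and path match, and that the PREF cookie, received from www.google.com with no domain attribute, goes back only to that host.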

In Netscape Navigator and Firefox, cookies are stored in a file called cookies.txt. In Opera, they are stored in a file called cookies4.dat in the profile folder of the Opera folder in Program Files. In Internet Explorer they are stored in separate files in the cookies folder, which may be in the Windows folder or in a subfolder of Documents and Settings.

How Cookies Are Used and Misused

Sites with "shopping carts" may use cookies to keep track of what users have selected on various pages. A cookie may also record that a user has logged in, so that the username and password need not be given again each time the user switches to another page or returns to the site. Storing the username and password themselves in the cookie is bad security even when the connection is encrypted, because the cookie sits on the user's disk as plain text and is sent with every request; the usual practice is to store only a random session identifier that the server maps to the logged-in user. A cookie may also contain a unique tracking number, for example to reveal how many times a particular user has accessed a site.

Some Web sites misuse cookies by sharing them with third parties: a page embeds an image or script served from an advertising network (such as DoubleClick), whose server sets its own cookie on the user's browser. Because the same network serves content on many sites, it can recognise the user across all of them, and such third-party cookies are used to build profiles, to target advertising and spam, and otherwise to invade the users' privacy.

What Users May Do About Cookies

Browser users are normally advised to accept only cookies that get sent back to the server of the site they are visiting (first-party cookies) and to reject those set by embedded third-party content. Users may also disable all cookies (and older or specialized browsers may not even support cookies), but they are less likely to do this because a number of sites now require cookies for access. Users can set the browser to prompt them before accepting a cookie, but the result can be quite annoying because of the number of cookies sent by some sites.

In Netscape Navigator, cookie preferences can be set in the "Privacy & Security" part (or, in earlier versions, in the "Advanced" part) of the "Preferences" dialog; in Firefox, under "Privacy" in the "Options" dialog; in Opera, under "Privacy" in the "Preferences" dialog; in Internet Explorer, at the "Privacy" tab of the "Internet Options" dialog (or, in earlier versions, in the "Security Settings" dialog, which is accessible with the "Custom Level" button at the "Security" tab).

Users may run software to clean out or control cookies; examples are HistoryKill, WebRoot Window Washer, Cookie Pal, ZDNet's Cookie Master, and Cookie Cruncher. Software, such as Ad-Aware and Spybot, designed to remove spyware and adware may flag cookies for removal.

Internet Explorer, Firefox, Opera, and Netscape Navigator all allow blocking of cookies by Web site. Internet Explorer, Firefox, and Netscape Navigator allow clearing of all cookies (Opera can be set to delete all new cookies on exit).

Internet Explorer 6, at its default "Medium" privacy setting, blocks third-party cookies from sites that do not publish a compact P3P (Platform for Privacy Preferences) policy, as well as third-party cookies whose policy says they use personally identifiable information without the user's implicit consent, and it restricts first-party cookies of the latter kind. Blocking based on P3P policies is also available as an option in Netscape Navigator.

For More Information


Last updated October 31, 2007.
This page maintained by Prof. Tim Craven
E-mail (text/plain only):
Faculty of Information and Media Studies
University of Western Ontario,
London, Ontario
Canada, N6A 5B7