COOKIES

Abstract

Cookies are a very useful tool in maintaining "recognition markers" on the Web. Since the protocol we use to visit and retrieve Web sites is considered to be "stateless" (i.e. non-permanent) protocol, it is impossible to differentiate between visits to a web site, unless the Web sites server can somehow "mark" or a identify a visitor. This is done by inserting a tiny piece of unique but anonymous information (cookie) into the visitor's browser.

Cookies can store database information, personalised Web page settings, and security indicators or for that matter just about anything that makes a site individual and customisable. You might say cookies are a little like dropping your laundry at the dry cleaners and getting a docket (that’s the cookie bit), a sort of identity proof. When you return with that same ticket, you hopefully get that exact same laundry back.

Just Exactly What is a Cookie?

Remember HTTP (Hyper Text Transfer Protocol)? If you don’t, they are the characters you usually see just before the "www" bit; it goes something like http//www.abc.net.au. It’s the protocol or underlying "set of rules" the Web pretty much uses to run itself on. When you type in a Web address, it is the HTTP instructions on how to behave when going and out and getting Web pages and bringing them back to your computer for you to view and interact with.

Well, a cookie is simply an additional string of characters that represent rules of operation between you and the remote Web site that are loaded into your browser’s memory to assist the HTTP instruction set, bit like a token really. This Cookie string contains information on: where the cookie came from, how long it will live, and other information about the website that sent or "set" it. If the lifetime of this cookie is longer than the time the user spends at the remote Web site, then this cookie information is saved as a file on your hard drive to be used again when next you visit this same site.

Where Did The Term Cookies Come From?

No, this cookie is not something Gran’ma gives you. In Web terms, Netscape laid down the cookie specification for the very earliest version of its Navigator, the first browser to use the technology. Although its name is amusing, there isn’t anything particularly unusual about its origin. It is a generally recognised computer science term used to describe an "opaque" piece of data held by a go-between piece of software. In this sense the term fits the Web usage precisely; it simply has not been a well-known term outside of computer science circles.

Why Do Sites Use Cookies?

There are many reasons a Web site would wish to use cookies. These range from the ability to personalise information (like on My Yahoo or Excite Web sites), or to help with on-line sales/services (like on Amazon Books or Microsoft), or simply for the purposes of tracking popular links or demographics (like DoubleClick).

Cookies also provide programmers with a quick and convenient means of keeping site’s content fresh and relevant to the visitors interests. Web servers now also use cookies to help with the "behind the scenes" interaction as well, such as being able to securely store personal information that the visitor may have shared with the site.

Is It Possible To Delete Cookies?

Yes you can, easily. Whether your browser is Netscape or Microsoft’s Internet Explorer your cookies are stored in a simple text file that you can delete whenever you wish.

To do this correctly, firstly remember to close or exit your browser. You need to do this because all your cookies will be held in memory until you shutdown your browser. Consequently, if you delete the file while your browser is still open, it will produce a new cookie file whenever you close it, and just like magic your cookies will reappear.

It is worth considering that by deleting your cookie file(s) entirely will require you to "start all over from scratch" with all those web sites you normally visit. So, it may be preferable to open the cookies.txt file (in the case of Netscape) and remove only the entries you don't like. If you use Internet Explorer, go to the cookies folder and delete the files from the Web servers you don't want.

I Don’t Want Cookies, How Do I Set My Browser To Reject Them?

Early versions of Netscape and Microsoft Internet Explorer allow a nominal level of cookie verification. They allow only an "alert before accepting cookies" setting. This means you can identify each cookie as it comes in, and allow it "in" or reject its acceptance.

Later versions of both Netscape and Internet Explorer go further. They have options that will allow you to accept all, some, or none of your incoming cookies. They also retain "warn before accepting" type feature still present in both, if you want to screen your incoming cookies.

More advanced options will allow you to choose the security level for four different browsing conditions: Internet Sites, Local Sites, "Trusted" Sites, and Restricted Sites. Once a cookie is rejected, it is thrown out and not saved to memory or disk. Don't forget, though, that remote Web servers will keep looking for the cookie even if you have discarded it and may try to replace it even as you continue to surf.

This situation can become bizarre if you think about it. Essentially, without a cookie to tell the server who you are, it can't remember not to send you any more cookies.

Are Cookies Dangerous to My Computer?

On their own and in context, NO. A cookie is just a small simple piece of text. It is not a program, or add-on software. It can’t be used as a virus, and it certainly cannot access your hard drive of its own accord. It’s your own browser, not a programmer that saves cookie values to your hard disk if it needs to, but that is the full extent of their effect on your system.

How Do Cookies End Up On My Hard Drive?

After a cookie is transmitted through an HTTP header, it is stored in the memory of your browser. This way the information is quickly and readily available without re-transmission. As we have seen, however, it is possible for the lifetime of a cookie to greatly exceed the amount of time the browser will be open.

In such cases, the browser must have a way of saving the cookie when you are not browsing, or when your computer is shut off. The only way the browser can do this is to save the cookies in memory to the hard drive. This way, when you start your browser a few days later, you still have the cookies you had previously.

Will Cookies Fill Up My Hard Drive?

Both Netscape and Microsoft have limits in place to maintain the number of cookies that will be kept on your hard drive at one time.

Netscape limits the total amount of cookies to about 300. If this is exceeded the browser discards your least-used or oldest cookies to allow for new ones. Microsoft saves cookies into the "Temporary Internet Files" folder, a system folder where you get to set the maximum amount of storage space used (the default is 2% of your hard drive).

In any event, the average size of a cookie ranges from 50-150 bytes, a very small amount. Around 20 million cookies would be needed to fill up a 2Gigabyte Hard drive. This is highly unlikely.

Can Cookies Be A Threat To My Privacy?

As with everything else about the Internet, you are only as anonymous as you want to be. The unfortunate fact is that revealing any kind of personal information on the Web provides the capacity for that information to be spread. By their very nature Web servers allow for the tracking of your surfing habits, and the gathering of other information about you over time.

While cookies themselves cannot gather the data, they are, unfortunately, used as a method to track and help those people who are gathering that information. As information is gathered about you, it is associated with the value they keep in your cookie.

To reiterate, a cookie alone cannot read your hard drive to find out who you are, derive how much you earn, which credit card you use or spy on where you live. The only way that information could end up in a cookie is if you alone provide it to a site and that site saves it to a cookie.

How Come Sites Are Telling Me To Turn On My Cookies When I Know They Are Already On?

There are three likely problems. Firstly, the site you are visiting is not detecting your cookies properly. Thus, it may appear to the site that you are rejecting the cookies it is transmitting when that is not true.

Secondly you may also be using software that intercepts cookie usage. There are lots of filtering and blocking software programs that will do this for Internet users these days. Many of them also filter cookies. Obviously this stops you either sending or receiving cookies.

Lastly, your computer may be situated behind a security firewall or proxy server whose job it is to prevent cookie transmission. Corporate and business environments are especially prone to using these safety mechanisms. So, regardless of how your browser is set, cookies won't be sent or received by your browser.

Since Deleting My Cookies, I Can't Log-On To My Favourite Site.

Many sites use a cookie to keep track of your settings on their servers, and to help you log in to their site. So if you lose your cookie, that site has no way of identifying you and recalling your settings for you to use.

The best thing in this situation is to contact that site's Webmaster or call their support department.

I’ve Never Been To Doubleclick.Net? How Come I've Got Their Cookie?

A server cannot set a cookie for a domain or site that it doesn’t belong to. Having said that, many, many Web users have received cookies from "ad.doubleclick.net" at some point in time, even though they have never visited there. DoubleClick and other advertisers employ clever but questionable techniques that enable them to track users and send advertising without violating this rule.

Most sites on the Internet that advertise usually do not store their advertisements locally. Instead, they subscribe to an advertising service that puts advertisements up for them. Once the request is made to the advertising service to push up an ad, it can return more than just that ad. It can also return a cookie. Or, if it sent the user had a cookie previously, it can read that first, and check to see what type of ad to send. Either way the net result is that the user gets a cookie from the media service without ever having visited the actual advertisement site. Very sneaky!

This type of (mis)usage of cookies is undoubtedly one of the most controversial; it has created highly opposing views on cookies, their privacy, and the Internet.

Explorer Cookies Have My Username On Them! Who Else Can See This?

Because Windows systems allow more than one user to login and use programs, Microsoft had to come up with a way to keep each user's cookies separate on a given machine. This can be common in workplaces, where many employees share or network machines.

This is accomplished by appending the username to the cookie file name. This way, both Lisa Hampshire and Andrew Dunkley can get cookies from xyz.net.au and they don't get over-written. This also stop's Lisa from using Andrew’s cookies when she's surfing, since the browser will only use her cookies when she is logged in. That is, the cookie file: Lisa.hampshire@xyz.net.txt contains Lisa’s cookie for xyz.net.au. If anyone else logs-in, then this cookie is not used.

This is the only reason that the username is part of the cookie file name. The username does not get sent to the server with the cookie data.

Where Does Internet Explorer Keep Its Cookies And How Are They Named?

Microsoft keeps its cookies in different locations, depending on the version you are using. On early versions cookies are in the folder c:\windows\cookies. In later versions they are in the c:\windows\Temporary Internet Files folder. Although the location is different, the format is the same. Each individual domain's cookies are stored in their own file, along with the username that accessed the site. For example, if I went to Yahoo I would get a cookie that is stored in the file arthurh@yahoo.com. Note that the username is not sent with the cookie.

Arthur Hissey
Computer Research & Technology
www.crt.net.au