Understanding Cookies

In this article…
What are cookies?
Anatomy of a cookie
How cookies work
Rules for creating cookies
Cookies and privacy
Points to remember

What are cookies?
Cookies are files that webservers (or websites) store on a user’s computer. These files contain some data specific to the website creating them. The most common use of cookies is to track usage of the website by a user. Contrary to what some people believe, they cannot erase your computer’s hard-disk or read other information from your computer.

Anatomy of a cookie
A cookie has several attributes or properties that can be set. They are shown below:

Name: The name of the cookie.
Value: The value of the cookie.
Expiration: The expiration date of the cookie. This determines how long the cookie will remain active in your browser.
Path: The path the cookie is valid for. This sets the URL path the cookie is valid in. Web pages outside of that path cannot use the cookie.
Domain: The domain the cookie is valid for. This takes the path parameter one step further and makes the cookie accessible to pages on any of the servers when a site uses multiple servers in a domain.
Secure Flag: If set, the cookie can only be transmitted over a secure server connection, such as a site using SSL.
HTTPOnly: If set, this will ensure that the cookie cannot be accessed by client-side scripts (JavaScript/VBScript). The cookie will only be accessed by the browser to be sent with an HTTP (or HTTPS) request.

How cookies work
When you make a request to a website, the browser looks for any unexpired cookies that are present on the computer and sends them to the server. This is done by the browser and is transparent to the user. If no cookies for that website exist, then no cookies are sent.

When a cookie is sent from the server to the browser, an additional line is added to the HTTP headers.

Content-type: text/html
Set-Cookie: MyCookie=MyValue; path=/; expires=Mon, 01-Jan-2038 12:00:00 GMT

This will result in a cookie with name ‘MyCookie’ that has a value ‘MyValue’ being stored on the user’s computer. The cookie will be visible to the entire site since the path is ‘/’. This cookie will be read and sent by the browser every time the user visits the same website until Jan 1, 2038 unless the cookie is manually cleared or the website changes the expiration date on a subsequent visit.

Cookies can be set from the browser side or from the server side. Scripting languages such as JavaScript or VBScript can be used to set a cookie from the browser. Server-side programming languages usually provide methods to set a cookie. Setting a cookie’s value to null or setting the expiration date to a date in the past will clear the cookie. If no expiration date is specified, the cookie is considered a session cookie. This means that the cookie will not be stored on the user’s computer and will be cleared when the browser is closed.
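As an added example (not code from the original article), the following Python parses Set-Cookie headers in the form shown above and reports which of the attributes described earlier are missing or expired; the header values it checks are constructed for illustration.

```python
# Added example: audit the attributes of a Set-Cookie header (Secure, HttpOnly,
# Expires/Max-Age). The headers used here are constructed, not real responses.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split a Set-Cookie value into name, value and a dict of attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flags such as Secure and HttpOnly carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def expiry(attrs):
    """Return the Expires attribute as an aware UTC datetime, or None if absent."""
    raw = attrs.get("expires")
    if not isinstance(raw, str):
        return None
    when = parsedate_to_datetime(raw)  # accepts "Mon, 01-Jan-2038 12:00:00 GMT"
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def audit_cookie(header, now=None):
    """Return (cookie name, list of findings); an empty list means no issue."""
    now = now or datetime.now(timezone.utc)
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure flag: may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by client-side script")
    when = expiry(attrs)
    if when is None and "max-age" not in attrs:
        findings.append("session cookie: cleared when the browser closes")
    elif when is not None and when <= now:
        findings.append("already expired: browser will discard it")
    return cookie["name"], findings


if __name__ == "__main__":
    # Constructed headers: the article's example, then a hardened session cookie.
    print(audit_cookie("MyCookie=MyValue; path=/; expires=Mon, 01-Jan-2038 12:00:00 GMT"))
    print(audit_cookie("sid=abc123; Path=/; Secure; HttpOnly"))
```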

Rules for creating cookies
There are some rules imposed on cookies:

  1. Cookies cannot be set for domains other than those that the response originates from. In other words, a page on www.website.com can set a cookie that is visible to website.com and www.website.com, but not www.someotherserver.com.
  2. The cookie HTTP header must be no more than 4K in size.
  3. RFC 2109 compliant browsers limit the total number of cookies to 300 (including a limit of 20 cookies per individual domain). If the number is exceeded, the browser will discard the least-used cookies to make room for the new ones.

Cookies and privacy
Depending on what is stored in them, cookies can impact privacy. A lot of websites allow users to log in automatically when they visit the site. This is usually done by storing authentication credentials in a cookie on the user’s computer. When the user visits the website, these are sent to the site by the browser and the user is logged in. Many websites also give users the option of storing credit card information in cookies so that they don’t have to type it in every time.

If an unauthorized person were to get access to these cookies, it may be possible for them to log in to websites using the stored credentials or to make unauthorized purchases using credit card information stored in cookies.

Contrary to what many believe, setting the secure flag does not encrypt the cookie value. All it means is that the cookie will be transmitted over an encrypted (HTTPS) connection. The cookie and its values are themselves stored on the user’s computer in clear text. Any encryption of cookie values must be performed by the website creating the cookie.

Points to remember
It is important for you to understand what information is stored in cookies that you accept from websites. Generally, you should not choose to have websites store authentication credentials, credit card information or any other personal information in cookies.