The Truth About Cookies

Nearly anyone who has spent any time on the World Wide Web has heard the term "cookie". Many hold the opinion that this little tool is nothing more than an evil bit of code that destroys any anonymity for surfers ... or that it might even do worse things. Before we make up our minds about cookies, let's look at them a little closer.

A Big Problem With the Web

One of the biggest problems with designing interactive web sites is that a visitor's browser will not remember anything from one web page to the next, let alone from one visit to the next. From a security standpoint this is a good thing, but as far as more complex interaction is concerned, this is a royal pain. For example, say that you are filling out a lengthy form online. Instead of making one long scrolling page, the web designer has divided the form into two smaller, better-looking pages. You fill out the first half of the form and click the link to the second page. You then complete the rest of the form, but it does you no good because your browser has forgotten all of the information that you entered on the first page (bummer!).

Enter the Cookie

If the web developer who made the form is savvy, he gave you a cookie that remembers everything you entered on the first page. When you go to the second page and complete the form, a script reads the cookie and adds your data from the first page. When you click the "Submit" button, the web page sends the information from both pages together. In essence, a cookie allows your browser to remember things.

How Cookies Work

On your computer there is a special folder that is reserved for saving cookies. Traditionally there are specific rules governing the information that can be sent to this folder so that you are still protected. Limitations placed on this folder include things like storage size (4 kilobytes per cookie), the number of cookies that you can get from the same web site (20), etc. The sorts of things that are contained in a cookie are the name of the server (usually associated with the web site where you got the cookie), any value that was passed to the cookie from the web site (in our example the value would be the information that you entered in the first part of the form), an expiration date for the cookie, and a name assigned to the cookie.

All things considered, web sites that give you a cookie are very limited by what they can store in your cookie file. Let's break it down:

Server Name: This is the part that provides a great deal of security. It keeps one web site from accessing the cookie given to a visitor by a different web site. It would be very difficult for this web site to retrieve a cookie given to you by some other site, like eBay. To do this I would have to trick your computer into thinking that it was on eBay. (I might be able to fool a visitor into thinking that they were on eBay by making a fake site that looked like eBay's, but their computer would know the difference the millisecond that it received the first packet of data from the server.) It is theoretically possible to do this kind of swindle, but it would require some fairly complex techniques and a lot of resources. Even if someone was able to do it, they would be limited to retrieving only the information stored in the cookie ... and as we will see, this is usually not very much.

The Value: This is the part of the cookie that contains what it is supposed to remember. It could be something as simple as an account name or as complex as which pages you visited while on the site. But keep in mind that the size allowed for cookies dramatically limits what can be saved here. If that isn't confining enough, the only thing that can really be saved is roughly the equivalent of a variable's value.

The Name: Basically this is the name of the cookie. It is used to retrieve the cookie from your cookie list.

The Expiration Date: Just like it says, this bit of information tells your cookie when it expires. Nobody likes an old stale cookie.

Now that we understand what is in a cookie, let's go over step by step what happens during the cookie passing process. First, a visitor's browser loads a site that contains a script that creates a cookie. Whatever information the script uses is then saved by the browser into the cookie file on the visitor's computer. The cookie then sits unused until the browser goes to a page on the same web site that has a script to retrieve the cookie. This script gets the cookie and pulls out whatever is in the "value" to use it for whatever the cookie was created for.
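The step-by-step process just described, together with the four fields broken down above, as an added example that is not part of the original article: a small JavaScript model of a browser's cookie store that can be run with Node rather than in a browser. CookieJar, serializeCookie, parseSetCookie, twoPageForm and the host names forms.example and shop.example are assumptions made for the illustration; the 4-kilobyte and 20-per-site limits are the ones the article quotes. It shows a first page storing its form data, a second page on the same site reading it back, a different site getting nothing, and an expired cookie being discarded.

```javascript
// Added example (not from the original article): a miniature model of the
// browser's cookie store. Names and host names below are constructed for the demo.

const MAX_COOKIE_BYTES = 4096; // 4 kilobytes per cookie (the article's figure)
const MAX_PER_SITE = 20;       // cookies allowed per server name (the article's figure)

// A cookie belongs to a server name; a page on `host` may only use cookies
// whose domain is `host` itself or a parent domain of it.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Build the "Set-Cookie" text a page script or server hands to the browser.
// Name and value are URL-encoded so ';' and '=' inside the value cannot be
// mistaken for attribute separators.
function serializeCookie(name, value, { domain, expires } = {}) {
  let s = `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
  if (domain) s += `; Domain=${domain}`;
  if (expires) s += `; Expires=${expires.toUTCString()}`;
  return s;
}

// Split that text back into the four fields the article describes.
function parseSetCookie(str) {
  const [pair, ...attrs] = str.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: decodeURIComponent(pair.slice(0, eq)),
    value: decodeURIComponent(pair.slice(eq + 1)),
    domain: null,   // filled in by the browser from the page's host if absent
    expires: null,  // null means "until the browser closes"
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    if (k.toLowerCase() === 'domain') cookie.domain = v.toLowerCase();
    if (k.toLowerCase() === 'expires') cookie.expires = new Date(v);
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Steps 1 and 2: a page on `host` gives the browser a cookie. The browser
  // keeps it only if it respects the size, count and server-name rules.
  // Returns true if stored, false if the cookie was already stale.
  store(host, setCookieStr, now = new Date()) {
    if (new TextEncoder().encode(setCookieStr).length > MAX_COOKIE_BYTES) {
      throw new Error('cookie too large');
    }
    const c = parseSetCookie(setCookieStr);
    c.domain = c.domain || host.toLowerCase();
    if (!domainMatches(host, c.domain)) throw new Error('page may not set cookies for another server');
    // A cookie with the same name for the same server replaces the old one.
    this.cookies = this.cookies.filter((x) => !(x.name === c.name && x.domain === c.domain));
    if (this.cookies.filter((x) => x.domain === c.domain).length >= MAX_PER_SITE) {
      throw new Error('too many cookies for this site');
    }
    if (c.expires && c.expires <= now) return false; // stale: drop rather than store
    this.cookies.push(c);
    return true;
  }

  // Step 3: later, a page on `host` asks for a cookie by name. Only a cookie
  // whose server name matches and which has not expired is handed back.
  get(host, name, now = new Date()) {
    this.cookies = this.cookies.filter((c) => !c.expires || c.expires > now);
    const c = this.cookies.find((c) => c.name === name && domainMatches(host, c.domain));
    return c ? c.value : null;
  }
}

// The article's two-page form: page one stores what was typed, page two reads it back.
function twoPageForm(jar) {
  const firstPage = { first: 'Ada', last: 'Lovelace' }; // constructed sample input
  jar.store('forms.example', serializeCookie('formPart1', JSON.stringify(firstPage), {
    expires: new Date(Date.now() + 60 * 60 * 1000), // good for one hour
  }));
  // ...the visitor clicks through to page two of the same site...
  const remembered = JSON.parse(jar.get('forms.example', 'formPart1'));
  // A page on some other server asking for the same cookie gets nothing.
  const otherSite = jar.get('shop.example', 'formPart1');
  return { remembered, otherSite };
}

console.log(JSON.stringify(twoPageForm(new CookieJar())));
```

The model is deliberately simpler than a real browser (no path matching, no Secure or HttpOnly flags), but it makes the article's point concrete: the server name decides who can read a cookie, the expiration date decides for how long, and the value is just a short string that the page script has to decode itself.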

To better understand this process let's play with a real cookie.

Below is a form that gives a visitor a "Hacker" name. For this exercise we will use this form to create a value to store in a cookie.

*Use only upper case characters for the first letter of each name.

[Form: Enter your First name / Enter your Last name / Your new hacker name]

Now that you have your new hacker name we will use a script to store it as the value in a cookie. The cookie will then be saved in your cookie file and we will be able to retrieve it later.

After you have clicked the button above to receive your cookie, click on the link to be taken to the next page.

The Truth About Cookies, Part II