What are Cookies?

Some people are concerned that web servers have the power to write to their local hard disk without their knowing about it. The information written is called a “cookie”. This page attempts to address that topic.

What is a Cookie?

The full cookie specification (RFC 2965) can be found at http://tools.ietf.org/html/rfc2965 if you are interested in studying the subject in detail. To simplify, cookies are small bits of information written to your hard disk by a site you visit. The site that writes the information is basically the only site that can retrieve it (some argue that it is possible to “fake” the request and collect information from cookies saved by other sites; they are possibly correct, but this seems to be rare if done at all).

The name “cookie” comes from the UNIX magic cookie which is a name given to packets of information passed between programs. That name is derived from the Chinese fortune cookie where you have information hidden inside a packet.

The purposes of a cookie are twofold:

  • Save information about you to make it easier for you to enter the site in the future.
  • Track your actions (for a variety of reasons that might benefit you or the site manager).

As one simple example, consider a newspaper site with a registration requirement (paid or free, it does not matter). Your logon information might be saved in a cookie so that when you return to the site it can query the cookie and save you the trouble of logging in. Further, if you have specific information requirements these can be coded into a cookie and the site can then automatically present you with stories on the specific topics of interest without bothering to ask you again to enter them on future visits.

How are Cookies Stored?

Cookies are stored in different ways with different browsers and operating systems. On a computer running Windows and a Netscape browser you will find them in a file named COOKIES.TXT in the browser directory. Firefox places an SQLite database of cookies into the browser’s profile folder. A Windows user running Internet Explorer will find them as separate files in the WINDOWS\COOKIES directory. In UNIX they are in a single file in your Netscape directory under the name cookies. Finally, on a Macintosh the file is named MagicCookie and is in the Netscape preferences folder. If you look at a cookie you will see a single line that looks something like:

.infoseek.com TRUE/FALSE 869315463 InfoseekUserId 9CC70E7E5772038797334985D8974560

.netscape.com TRUE/FALSE 946713599 NETSCAPE_ID c65ffb1e,c4750133

The start of the cookie generally has the domain name authorized to access that cookie. The second to last column is the name of the cookie and the last column is the cookie itself. The other information is control information that can define the length of time the cookie is valid and whether a secure server connection is necessary before the cookie will be sent.
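The scoping rules described above, as an added example (not code from the original page): a small Python parser for the Netscape-style cookies.txt layout, which on disk has seven tab-separated fields (domain, subdomain flag, path, secure flag, expiry as Unix time, name, value), plus a check of which cookies a browser would attach to a given request. The third sample row and all function names are constructed for illustration.

```python
import time
from collections import namedtuple

Cookie = namedtuple("Cookie", "domain subdomains path secure expires name value")

# Constructed sample: the page's two lines with tabs restored, plus one
# made-up cookie that is path-restricted and marked secure.
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    ".infoseek.com\tTRUE\t/\tFALSE\t869315463\tInfoseekUserId\t9CC70E7E5772038797334985D8974560\n"
    ".netscape.com\tTRUE\t/\tFALSE\t946713599\tNETSCAPE_ID\tc65ffb1e,c4750133\n"
    ".example.com\tTRUE\t/account\tTRUE\t4102444800\tsession\tconstructed-value\n"
)

def parse_cookies_txt(text):
    """Parse cookies.txt lines; skip comments, blanks and malformed rows."""
    jar = []
    for line in text.splitlines():
        fields = line.split("\t")
        if line.startswith("#") or len(fields) != 7 or not fields[4].isdigit():
            continue
        domain, sub, path, secure, expires, name, value = fields
        jar.append(Cookie(domain.lstrip(".").lower(), sub == "TRUE", path,
                          secure == "TRUE", int(expires), name, value))
    return jar

def domain_matches(cookie, host):
    """Exact host, or a true subdomain when the subdomain flag is set."""
    host = host.lower()
    return host == cookie.domain or (
        cookie.subdomains and host.endswith("." + cookie.domain))

def path_matches(cookie, path):
    """Match on whole path segments, so /account does not cover /accounting."""
    prefix = cookie.path if cookie.path.endswith("/") else cookie.path + "/"
    return path == cookie.path or path.startswith(prefix)

def cookies_for(jar, host, path, https, now=None):
    """Names of the cookies a browser would attach to this request."""
    now = time.time() if now is None else now
    return [c.name for c in jar
            if domain_matches(c, host) and path_matches(c, path)
            and (https or not c.secure) and c.expires > now]
```

With `now` set before the expiry times, `www.infoseek.com` receives only `InfoseekUserId`, and a look-alike host such as `evilinfoseek.com` receives nothing.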

The specification allows up to 300 total cookies with each being up to 4KB long. There can be up to 20 cookies per server or domain. When these limits are exceeded older cookies (particularly those that have expired) are erased. If there are no expired cookies, then older cookies (expired or not) may be erased.

Cookie Security

Three major concerns are typically raised:

  • “Someone” is writing to your hard drive without your knowing about it.
  • Cookies can be used to “steal” valuable information about you.
  • Cookies can be used to track you (and thus invade your privacy).

While each of these concerns has some validity (depending largely on how you view personal security and privacy) there is little real concern if you take what one might describe as standard precautions.

In the first instance, many programs write to your hard drive without your knowing about it. There are temporary files, cache files, and any number of related files routinely written to your hard disk during any computing session. If you are worried about it, modern browsers have a “notify” option relating to cookies. Check it and the browser will alert you whenever a cookie is supposed to be written to your hard disk. Because of privacy concerns raised by some people, expect all future browsers to also have an option that tells them you never want a cookie recorded (or some alternative where you only accept cookies from defined sites or during a specific browser session). Of course, if you don’t record a cookie, you will have to go through the registration process all over again when you revisit the site. This may or may not be convenient for you.

The second instance is usually described in near-hysterical terms that describe how cookies are going to search your hard drive and send all sorts of vital information to some site or another. Bottom line: This is false. The only information a cookie can send to any site is information you have already provided, including any information you sent in a form or locations you have visited on the site in question (or locations you were directly referred to by links from that site). The cookie specification allows no access outside of the cookie file itself. And, if a site wanted to track your activity it could do so on that site; it would not require cookie technology. Cookies just reduce storage space on the server side since the site does not have to allocate storage space for every possible user; each user allocates a little space for the information on their system in the form of a cookie.

The third (track you) has minor potential for problems under some very unusual circumstances. Here is a worst case scenario (that would be difficult to implement). Consider a site which stores advertising banners that many other sites draw from. This same site runs contests for other sites. If that site wants to, it can do the following:

  • Each time you hit a page with one of those banners on it the storage site checks for cookies it might have sent you in the past and places another. It also records the site you are on plus any info the browser might send (including your current IP address) into its database (at this point all the site knows is the ISP you are logging in from).
  • If you now enter one of that site’s contests all the information you provide as part of the contest rules is also stored in the database. The ad banner storage site now knows who you are, what sites you have visited, and what some of your interests are.
  • Now take your laptop on a trip. If you are using a national ISP your IP address will likely change because national ISPs generally assign the address dynamically when you log in and the address is based on location. So, when you now hit another advertising banner the ad site suspects you are traveling. (In the extreme, knowing personal information and that you are away from home could be used in many ways, but in practice such coordination would be hardly worth the effort. There are many easier ways of determining if you are home or not.)
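Seen from the user's side, the correlation in this scenario shows up as one cookie value being sent to the same outside host from pages on several different sites. The following added example (not part of the original page) finds such cookies in a request log; the log rows, host names and the two-label `site()` shortcut are assumptions, and real browsers use the Public Suffix List to decide what counts as one site.

```python
from collections import defaultdict

def site(host):
    """Assumption: treat the last two labels of a host name as its site."""
    return ".".join(host.lower().split(".")[-2:])

def cross_site_cookies(requests):
    """Map (third-party site, cookie) to the first-party sites it was sent from.

    Each request is (page_host, request_host, cookie); only cookies seen
    from pages on more than one site are reported.
    """
    seen = defaultdict(set)
    for page_host, request_host, cookie in requests:
        if cookie is None:
            continue  # nothing identifying was sent
        if site(request_host) == site(page_host):
            continue  # first-party request, e.g. a saved logon
        seen[(site(request_host), cookie)].add(site(page_host))
    return {key: sorted(sites) for key, sites in seen.items() if len(sites) > 1}

# Constructed log: (page being viewed, host the browser contacted, cookie sent)
REQUESTS = [
    ("www.news.example", "www.news.example", "login=abc"),
    ("www.news.example", "banners.adhost.example", "uid=7f3a"),
    ("shop.store.example", "banners.adhost.example", "uid=7f3a"),
    ("www.travel.example", "banners.adhost.example", "uid=7f3a"),
    ("www.travel.example", "cdn.fonts.example", None),
    ("shop.store.example", "img.widgets.example", "w=1"),
]

if __name__ == "__main__":
    for (tracker, cookie), sites in cross_site_cookies(REQUESTS).items():
        print(f"{tracker} received {cookie} from pages on: {', '.join(sites)}")
```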

Another example of cookie use can be seen on many shopping sites (e.g., Amazon.com for one). When you go to Amazon.com as a prior customer the chances are that Amazon.com will put up a page with your name on it. They remember you via cookies set on your prior visit(s).

As with any other information and technology, cookies have their positive and negative sides. If you are careful in what you provide to any site there seems to be minor danger in allowing cookies to be active on your computer. Cookies or not, however, you need to exercise caution with important information (e.g., credit card numbers). Consider carefully to whom you provide this information in any form. And, be aware that more information than you might care to have collected can be collected on you over time via cookies.
