What is a cookie
A cookie is a small piece of data sent by a website and stored in the user's browser, so that the website can consult the user's previous activity.
Its main purposes are:
Keeping track of users: when a user enters their username and password, a cookie is stored so that they do not have to enter them on every page of the server. However, a cookie does not identify only a person, but a combination of computer-browser-user.
Gathering information about the user's browsing habits, including spyware-like tracking attempts by advertising agencies and others. This can cause privacy problems and is one of the reasons why cookies have their detractors.
You can choose to allow, block, or delete cookies installed in your computer by adjusting the settings of the web browser you use.
Cookies are used by Web servers to differentiate users and to operate in a way that depends on the user.
Since their introduction on the Internet, misconceptions about cookies have circulated on the Internet and in the media. In 2005, Jupiter Research published the results of a survey, according to which a consistent percentage of respondents believed some of the following claims:
Myth: Cookies are like worms and viruses in that they can erase data from the user's hard disks;
Myth: Cookies are a form of spyware in that they can read personal information stored on the user's computer;
Myth: Cookies generate popups;
Myth: Cookies are used for spamming;
Myth: Cookies are only used for advertising;
Cookies are in fact only data, not program code: they cannot erase or read information from the user's computer. However, cookies allow for detecting the Web pages viewed by a user on a given site or set of sites. This information can be collected in a profile of the user. Such profiles are often anonymous, that is, they do not contain personal information of the user (name, address, etc.). More precisely, they cannot contain personal information unless the user has made it available to some sites. Even if anonymous, these profiles have been the subject of some privacy concerns.
According to the same survey, a large percentage of Internet users do not know how to delete cookies.
Most modern browsers support cookies. However, a user can usually also choose whether cookies should be used or not. The browser may also include the possibility of better specifying which cookies have to be accepted or not. In particular, the user can typically choose one or more of the following options: reject cookies from specific domains; disallow third-party cookies; accept cookies as non-persistent (expiring when the browser is closed); and allow a server to set cookies for a different domain. Additionally, browsers may also allow users to view and delete individual cookies.
Cookies have some important implications on the privacy and anonymity of Web users. While cookies are only sent to the server setting them or one in the same Internet domain, a Web page may contain images or other components stored on servers in other domains. Cookies that are set during retrieval of these components are called third-party cookies. Advertising companies use third-party cookies to track a user across multiple sites. In particular, an advertising company can track a user across all pages where it has placed advertising images or web bugs. Knowledge of the pages visited by a user allows the advertising company to target advertisements to the user's presumed preferences.
The possibility of building a profile of users is a privacy threat, even when tracking is done on a single domain, but especially when tracking is done across multiple domains using third-party cookies. For this reason, some countries have legislation about cookies.
However, this article also states that storing data that is necessary for technical reasons is exempted from this rule.
Besides privacy concerns, there are other reasons why cookies have been opposed: they do not always accurately identify users and they can be used for security attacks.
If more than one browser is used on a computer, each usually has a separate storage area for cookies. Hence, cookies do not identify a person, but a combination of a user account, a computer, and a web browser. Thus, anyone who uses multiple accounts, computers, or browsers has multiple sets of cookies.
Likewise, cookies do not differentiate between multiple users who share the same user account, computer, and browser.
During normal operation, cookies are sent back and forth between a server (or a group of servers in the same domain) and the computer of the browsing user. Since cookies may contain sensitive information (user name, a token used for authentication, etc.), their values should not be accessible from other computers. However, cookies sent on ordinary HTTP sessions are visible to all users who can listen in on the network using a packet sniffer. Therefore, these cookies should not contain sensitive information. This problem can be overcome by using the https URI scheme, which invokes Transport Layer Security to encrypt the connection.

Cross-site scripting makes the browser itself send cookies to servers that should not receive them. Modern browsers allow execution of pieces of code retrieved from the server. If cookies are accessible during execution, their value may be communicated in some form to servers that should not access them. The process allowing an unauthorised party to receive a cookie is called cookie theft, and encryption does not help against this attack. This possibility is typically exploited by attackers on sites that allow users to post HTML content. By embedding a suitable piece of code in an HTML post, an attacker may receive cookies of other users. Knowledge of these cookies can then be exploited by connecting to the same site using the stolen cookies, thus being recognised as the user whose cookies have been stolen.
While cookies are supposed to be stored and sent back to the server unchanged, an attacker may modify the value of cookies before sending them back to the server. If, for example, a cookie contains the total value a user has to pay for the items in their shopping basket, changing this value exposes the server to the risk of making the attacker pay less than the supposed price. The process of tampering with the value of cookies is called cookie poisoning, and is sometimes used after cookie theft to make an attack persistent.
Most websites, however, only store a session identifier — a randomly generated unique number used to identify the user's session — in the cookie itself, while all the other information is stored on the server. In this case, the problem of cookie poisoning is largely eliminated.
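An added example (not from the original article) contrasting the two designs just described: a server that trusts a basket total sent back in the cookie, and one that keeps the basket server-side behind a random session identifier. The item names, prices and function names are constructed for illustration; the Secure and HttpOnly attributes set on the session cookie are standard cookie attributes addressing the sniffing and cookie-theft problems discussed above.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed price list for the example (not from the article).
PRICES = {"book": 20, "pen": 3}

def total_from_cookie_vulnerable(cookie_header: str) -> int:
    """Vulnerable design: the server trusts a 'total' the browser sends back.
    A client that rewrites total=23 to total=1 pays 1 (cookie poisoning)."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    return int(cookie["total"].value)

# Server-side session store: session id -> basket (list of item names).
SESSIONS = {}

def new_session(items):
    """Create a session identified by a random, unguessable token;
    only this token ever reaches the browser."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = list(items)
    return sid

def session_cookie_header(sid: str) -> str:
    """Set-Cookie value carrying just the identifier.
    Secure restricts the cookie to https (against packet sniffing);
    HttpOnly keeps it out of reach of page scripts (against XSS cookie theft)."""
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["secure"] = True
    c["session"]["httponly"] = True
    c["session"]["path"] = "/"
    return c["session"].OutputString()

def total_from_session(cookie_header: str) -> int:
    """Hardened design: the total is recomputed from server-side state.
    A tampered or unknown session id matches no basket and is rejected."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    sid = cookie["session"].value if "session" in cookie else ""
    basket = SESSIONS.get(sid)
    if basket is None:
        raise PermissionError("unknown session")
    return sum(PRICES[item] for item in basket)

def demo():
    # Poisoned cookie: the real total was 23, the client sent back 1.
    vulnerable = total_from_cookie_vulnerable("total=1")
    sid = new_session(["book", "pen"])
    hardened = total_from_session("session=" + sid)
    return vulnerable, hardened
```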
Each site is supposed to have its own cookies, so a site like evil.net should not be able to alter or set cookies for another site, like good.net. Cross-site cooking vulnerabilities in web browsers allow malicious sites to break this rule. This is similar to cookie poisoning, but the attacker exploits non-malicious users with vulnerable browsers, instead of attacking the actual site directly. The goal of such attacks may be to perform session fixation (finding another person’s valid user session).