- What are cookies?
- How do cookies work?
- Why are cookies useful?
- What kind of client-side information can Web servers store?
- Can cookies read information from a user's hard drive?
- Can cookies be used to gather sensitive information, such as a user's email address?
- Where are cookies stored?
- Can programmers save client state information without cookies?
- How long do cookies last?
- Can malicious sites read cookie information used by another site?
- Can cookies be encrypted?
- What products support cookies?
- Are cookies being presented for standardization to a standards body?
What are cookies?
Cookies are a standard mechanism that allows a Web site (or server) to deliver simple
data to a client (or end user); request that the client store the information; and, in
certain circumstances, return the information to the Web site. Cookies are a way of storing persistent client data so that a site can maintain information
on a user across HTTP connections. ("Persistent" means that the information from the Web site lasts longer than the immediate connection.)
How do cookies work?
Cookies are small data structures delivered by a Web site to a Web client. The Web site may deliver one or more cookies to the client. The client
stores cookie data on its local hard drive. In certain cases (determined
by the data in the cookie itself), the client returns the cookie to the
server that originally delivered it.
Why are cookies useful?
Cookies allow Web sites to maintain information on a particular user
across HTTP connections. The current HTTP protocol is stateless, meaning that the server does not store any information about a particular
HTTP transaction; each connection is "fresh" and has no knowledge
of any other HTTP transaction. "State" information is information about a
communication between a user and a server, similar in many ways to frequent
flyer profiles or option settings in desktop software. (For example,
a preference for aisle or window seats is cookielike information that
a frequent-flyer program might store about one of its customers.) In some cases it is useful to maintain
state information about the user across HTTP transactions.
What kind of client-side information can Web servers store?
Cookies can be used to store information about a user that either the user
or the Web site provides. Some scenarios include the following:
- Alice is shopping at a particular Web site that uses a shopping
cart metaphor. She puts items into a shopping cart by clicking a link or an "Add to Shopping Cart" button. Cookies can be
used to store the contents of Alice's shopping cart so that she can conveniently
purchase a cart full of items rather than one item at a time.
- Bob clicks around a Web site that allows users to view articles
for a small charge. Cookies can be used to store information about which
articles he has viewed (that is, a list of URLs) so that he can pay for
them all at once rather than each time he downloads an article.
- Carl fills out a Web form with his name, address, and other information.
Cookies can be used to store this information so that the next time Carl
visits the site, the information is automatically uploaded and he doesn't have to provide it again. If the form contains sensitive
information such as a credit card number or a mailing address, the cookies
can be delivered over Secure Sockets Layer, which encrypts the information
as it travels between the client and server.
- Don logs in to a Web site that requires a user name and password. When
Don's user name and password pair is successfully verified, the server passes
down a cookie that functions as a "guest, pass" allowing him access
to certain areas of the Web site. After a set time period, perhaps half
an hour or a day, the guest pass expires and Don must
log in again.
In each of these examples there are only two ways to store data: either
the server provides it (as in the last example) or the user provides it by taking some action (such as clicking a link or button or filling out a form).
Can cookies read information from a user's hard drive?
No. Cookies can only store data that is provided by the server or generated
by an explicit user action.
Can cookies be used to gather sensitive information, such as a user's
Cookies cannot be used to gather sensitive information such as the fields
in a Netscape preference file. They can be used to store any information
that the user volunteers, for example by filling out an HTML form. In
this case, however, the same information can just as easily (and with potentially
more objectionable privacy concerns) be stored on the server by using a simple
server-side application that stores user information in a database. Cookies
are passive data structures that are delivered to the client, stored on
the client's hard drive, and returned in certain situations to the same
server that provided the information in the first place.
Where are cookies stored?
Cookie data is stored on the user's hard drive (although during actual communication it is stored in memory). The filename is different
for each platform. For example, on Windows machines, cookie data is stored
in a file called COOKIE.TXT.
Can programmers save client state information without cookies?
Yes. Client state information can be stored in several ways. For example, server administrators
and programmers can create a database application that tracks and stores data they would otherwise have managed with cookies. Cookies
are simply a programming convenience.
How long do cookies last?
A Web site may set an expiration date for a cookie it delivers. If no expiration date is specified, the cookie is deleted when the user quits Netscape Navigator.
Can malicious sites read cookie information used by another site?
Cookies are designed to be read only by the site that provides them, not
by other sites.
Can cookies be encrypted?
Yes. Programmers can require that cookies be delivered and received only
in the context of a Secure Sockets Layer (SSL) session. The SSL session handles the actual encryption of cookie data.
What products support cookies?
Netscape Navigator has supported cookies since version 1.1. Internet client products from Spyglass and Microsoft also support cookies.
Are cookies being presented for standardization to a standards body?
Yes. The State Management subworking group of the Internet Engineering
Task Force's HTTP Working Group is currently working on creating a formal
Internet draft for a cookie specification.