Do Cookies Compromise Security?
Last Updated: 06-24-2010 , Posted: 06-24-2010
Cookies are messages that a Web server transmits to a Web browser so that the Web server can keep track of the user's activity on a specific Web site. The message that the Web server conveys to the browser is in the form of an HTTP header that consists of a text-only string. The text is entered into the memory of the browser. The browser in turn stores the cookie information on the hard drive so when the browser is closed and reopened at a later date the cookie information is still available.
- To collect demographic information about who is visiting the Web site. Sites often use this information to track how often visitors come to the site and how long they remain on the site.
- To personalize the user's experience on the Web site. Cookies can help store personal information about you so that when you return to the site you have a more personalized experience. If you have ever returned to a site and have seen your name mysteriously appear on the screen, it is because on a previous visit you gave your name to the site and it was stored in a cookie so that when you returned you would be greeted with a personal message. A good example of this is the way some online shopping sites will make recommendations to you based on previous purchases. The server keeps track of what you purchase and what items you search for and stores that information in cookies.
Cookies do not act maliciously on computer systems. They are merely text files that can be deleted at any time - they are not plug ins nor are they programs. Cookies cannot be used to spread viruses and they cannot access your hard drive. This does not mean that cookies are not relevant to a user's privacy and anonymity on the Internet. Cookies cannot read your hard drive to find out information about you; however, any personal information that you give to a Web site, including credit card information, will most likely be stored in a cookie unless you have turned off the cookie feature in your browser. In only this way are cookies a threat to privacy. The cookie will only contain information that you freely provide to a Web site.
Cookies have six parameters that can be passed to them:
- The name of the cookie.
- The value of the cookie.
- The expiration date of the cookie - this determines how long the cookie will remain active in your browser.
- The path the cookie is valid for - this sets the URL path the cookie us valid in. Web pages outside of that path cannot use the cookie.
- The domain the cookie is valid for - this takes the path parameter one step further. This makes the cookie accessible to pages on any of the servers when a site uses multiple servers in a domain.
- The need for a secure connection - this indicates that the cookie can only be used under a secure server condition, such as a site using SSL.
Both Netscape and Microsoft Internet Explorer (IE) can be set to reject cookies if the user prefers to use the Internet without enabling cookies to be stored. In Netscape, follow the Edit/Preferences/Advanced menu and in IE, follow the Tools/Internet Options/Security menu to set cookie preferences.