Palisade Magazine

 
March 2007

Back to Basics: Internet Cookies

by Jose Varghese, CISSP, GSEC, GCIH, CBCP, BS7799 LA

Continuing our Back to Basics series, this article discusses internet cookies. Cookies are generally used by web sites to remember a user's preferences so that personalised content can be served on the next visit. The first part of the series covered caching.

What is a cookie?

Cookies are name-value pairs (e.g. country=India) generated by a web server and stored on the client. Once a cookie is stored, the browser automatically submits the name-value pair with every later request to the same site; more precisely, with every request whose host and path match the cookie's domain and path attributes, which are explained below.

Why do websites use cookies?

Cookies are generally used to track the personal preferences of a user; the web server reads them back to serve personalised content. E-commerce applications, including Internet banking, use cookies to carry the session ID between the user's browser and the server. Whoever holds that cookie holds the session, which is why the attributes discussed later matter.

Are cookies mandatory or optional?

Using cookies is optional. The website developer decides whether the application sets any.

Who creates cookies, the client or the web server?

The web server creates the cookie and sends it to the client browser in its response. Client-side script can also create cookies through the browser's document.cookie interface; those are stored and submitted exactly like server-set cookies.

How are cookies transmitted between servers and clients?

Cookies are generated by the web server and sent to the client in an HTTP response header. In the example below Google sets a cookie whose value itself contains several name-value pairs.

After clearing my existing cookies, I sent an HTTP request to www.google.co.in. The HTTP request and response are shown below. The Set-Cookie header in the response is where the Google server sets a new cookie.

HTTP Request

GET / HTTP/1.0
Host: www.google.co.in

HTTP Response

HTTP/1.0 200 OK
Content-Type: text/html;
Set-Cookie: PREF=a5353f33dadae6b4:TM=1172488580:LM=1172488580:S=-tN_hXmrGjyfGFq4; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com

Are all cookies stored on the client hard disk?

There are two types of cookie, persistent and non-persistent (session) cookies. Only persistent cookies are written to disk. The Google cookie shown above is persistent; my browser (MS Internet Explorer) stored it as a text file in the C:\Documents and Settings\<username>\cookies folder, named <username>@google.com. Mozilla Firefox does not keep a separate file per cookie: all cookies for a profile are kept in one file, cookies.txt, inside the profile folder under C:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\.

Non-persistent cookies are held in memory only and are discarded when the browser is closed.

What do the other attributes in Set-Cookie mean?

Only name=value is mandatory. All the other attributes discussed here are optional.

Expires specifies that this is a persistent cookie and gives the date until which the browser keeps it on disk, here 17-Jan-2038. If there is no Expires attribute, the cookie is non-persistent and lives only until the browser is closed. (RFC 2965 also defines Max-Age, a lifetime in seconds, for the same purpose.)

Path=/ specifies that the cookie is sent for every URL under the site's root: the request path is matched as a prefix of the cookie's path. With path=/ the cookie accompanies requests for http://www.google.co.in/news and http://www.google.co.in/sports/baseball alike; with path=/news it would accompany the first but not the second. (The term "tail matching" belongs to the Domain attribute rather than to Path: domains are matched from the right, paths from the left.)

Domain determines which hosts receive the cookie. In the browser's cookies.txt record this appears as a TRUE/FALSE flag that is never sent on the wire; it is derived from the Domain attribute. A leading dot (domain=.google.com) sets the flag to TRUE, meaning the cookie is sent to every host under that domain, for example http://images.google.com/ or http://local.google.com/. If the server sends no Domain attribute the flag is FALSE and the cookie is host-only: it goes back only to the exact host that set it. One caveat about the capture above: RFC 2965 requires the browser to reject a Domain value that does not cover the responding host, so a response from www.google.co.in can legitimately set domain=.google.co.in but not domain=.google.com. This check is what stops one site from planting cookies for another.
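As an added example (not the article's own code), here is a small Python parser for the Set-Cookie value captured above that applies the attribute rules just described: it turns the Expires date into a Unix timestamp, treats a cookie without Expires or Max-Age as non-persistent, and derives the TRUE/FALSE domain flag before writing the tab-separated cookies.txt record that Firefox keeps. The responding host www.google.co.in and the default path / are assumptions, as is the sample banking session cookie at the end.

```python
"""Parse a Set-Cookie header and render the Netscape cookies.txt record
that Firefox (2007) keeps for a persistent cookie.  Added example; not
code from the article."""
import calendar
import time
from datetime import datetime

# Constructed from the Set-Cookie value captured in the article.  The host
# that sent the response is an assumption (www.google.co.in in the text).
SET_COOKIE = ("PREF=a5353f33dadae6b4:TM=1172488580:LM=1172488580:S=-tN_hXmrGjyfGFq4;"
              " expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com")
RESPONSE_HOST = "www.google.co.in"


def parse_expires(value):
    """Return the Expires date as a Unix timestamp.  Netscape-style dates
    use hyphens (17-Jan-2038); RFC 1123 dates use spaces.  Both are UTC."""
    text = value.split(",", 1)[-1].strip()          # drop the weekday name
    for fmt in ("%d-%b-%Y %H:%M:%S GMT", "%d %b %Y %H:%M:%S GMT"):
        try:
            return calendar.timegm(datetime.strptime(text, fmt).timetuple())
        except ValueError:
            pass
    raise ValueError("unrecognised Expires date: %r" % value)


def parse_set_cookie(header):
    """Split a Set-Cookie value into the cookie proper and its attributes.
    Only the first ';'-separated segment is the name=value pair; the value
    may itself contain '=' (as Google's PREF does), so split on the first
    '=' only.  Attribute names are case-insensitive; Secure and HttpOnly
    carry no value."""
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": None,
              "path": None, "expires": None, "secure": False, "httponly": False}
    for segment in segments[1:]:
        key, _, val = segment.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            cookie["expires"] = parse_expires(val)
        elif key == "max-age":                      # RFC 2965 alternative: seconds
            cookie["expires"] = int(time.time()) + int(val)
        elif key in ("domain", "path"):
            cookie[key] = val
        elif key in ("secure", "httponly"):
            cookie[key] = True
    return cookie


def to_netscape_line(cookie, response_host):
    """Render the cookies.txt record: domain, flag, path, secure, expires,
    name, value, tab-separated.  The flag is TRUE when the server supplied
    a Domain attribute (every host under it matches) and FALSE for a
    host-only cookie; it never appears on the wire.  A cookie without an
    expiry is non-persistent and is not written at all (returns None)."""
    if cookie["expires"] is None:
        return None
    if cookie["domain"]:
        domain = cookie["domain"] if cookie["domain"].startswith(".") else "." + cookie["domain"]
        flag = "TRUE"
    else:
        domain, flag = response_host, "FALSE"
    # Assumption: a missing Path defaults to "/" (a browser would use the
    # directory of the request URL instead).
    return "\t".join([domain, flag, cookie["path"] or "/",
                      "TRUE" if cookie["secure"] else "FALSE",
                      str(cookie["expires"]), cookie["name"], cookie["value"]])


if __name__ == "__main__":
    parsed = parse_set_cookie(SET_COOKIE)
    print(parsed)
    print(to_netscape_line(parsed, RESPONSE_HOST))
    # A constructed session cookie of the kind a banking site sets: no
    # Expires, so nothing is written to disk.
    print(to_netscape_line(parse_set_cookie("SID=7f3a9c; Path=/; Secure"), "bank.example"))
```

Running the script prints the parsed attributes, the cookies.txt line for the Google cookie (flag TRUE because of the leading dot, expiry 2147368447 seconds since the epoch) and None for the session cookie, which never reaches the disk.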

Can a web server set an unlimited number of cookies on a client?

No. The limits in the original Netscape specification, which RFC 2965 keeps as the minimum a client must support, are 300 cookies in total, 4 kilobytes per cookie (name, value and attributes together) and 20 cookies per server or domain. Modern browsers allow more, but a server should not rely on it.

Servers should not expect clients to exceed these limits. When the 300-cookie limit or the 20-per-server limit is exceeded, the client deletes the least recently used cookie, so an application that sets many cookies can silently lose the one it cares about, such as its session cookie.

How are cookies stored on the desktop?

Persistent cookies are stored as plain text files on the user's hard disk; non-persistent cookies are held in memory and vanish when the browser is closed.

MS Internet Explorer stores them in the C:\Documents and Settings\<username>\cookies folder, one file per persistent cookie.

Mozilla Firefox stores all persistent cookies in a single file, cookies.txt, inside the profile folder (a random prefix followed by .default) under C:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\.

Are cookies stored in caches as well?

A response that carries Set-Cookie can be stored by intermediate caches, including proxy servers, and a cached copy would then hand the same cookie to the next user who requests the page. The web server controls this with the Cache-Control header. To let the page be cached but keep the cookie out of the cache, RFC 2965 recommends Cache-Control: no-cache="set-cookie". For pages that are personalised to a logged-in user, such as an Internet banking session, Cache-Control: private or no-store is the safer choice, since the page body itself should not be shared either.

Is the cookie lifetime determined by the client browser or by the website developer?

The lifetime of a persistent cookie is set by the web server when it creates the cookie; the browser honours it, although the user can always delete cookies earlier. In the previous example Google set a cookie that stays on my hard disk until 17-Jan-2038:

Set-Cookie: PREF=a5353f33dadae6b4:TM=1172488580:LM=1172488580:S=-tN_hXmrGjyfGFq4; expires=Sun, 17-Jan-2038 19:14:07 GMT

Can I open a cookie stored on my desktop?

Cookies are plain text, so you can open the file with any text editor, such as Notepad or TextPad. The flip side is that anyone with access to the profile folder can read, copy and replay a stored cookie, which is one reason session cookies should not be made persistent.

Can a citibank.com page (or a script running within it) read the bankofamerica.com cookie?

No. The web server has no control over which cookies come back; the browser selects them. With every request the browser attaches all stored cookies whose domain and path match the requested URL, and a page or script from citibank.com can only see cookies scoped to citibank.com. When I visit www.google.co.in, the cookies that Google set are resubmitted with the request, as shown below, and they are NOT sent to any other site. The converse caveat: a cookie set with a leading-dot Domain such as .bankofamerica.com is visible to every host under that domain, so any subdomain of the site, and any script running on one, can read it.

HTTP Request

GET /search?hl=en&q=CRICKET HTTP/1.0
Host: www.google.co.in
Cookie: PREF=ID=a5353f33dadae6b4:TM=1172488580:LM=1172488580:S=-tN_hXmrGjyfGFq4

Can I have cookies that are transmitted only over SSL?

Yes. Adding the Secure attribute to the Set-Cookie header (it takes no value, e.g. Set-Cookie: SID=7f3a9c; Path=/; Secure) tells the browser to send that cookie only over an SSL connection, so it is never exposed on a plain HTTP request to the same site. This is very relevant for cookies used by e-commerce applications such as Internet banking, where the cookie carries the session ID. A related attribute, HttpOnly (introduced by Internet Explorer 6 SP1), hides the cookie from client-side script; the two are independent, and a session cookie should normally carry both.
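The sending rules from the last two questions, as an added Python example that is not part of the article: a minimal cookie jar that refuses a Domain attribute which does not cover the responding host, and then picks the cookies for a URL by domain (host-only versus leading-dot), path prefix, the Secure attribute and expiry. The hosts www.bankofamerica.com and www.citibank.com, the cookie values and the session cookie are constructed for the example; the public-suffix check is a simplification of what a real browser does.

```python
"""Which stored cookies does a browser attach to a request?  A minimal
cookie jar implementing the domain, path, Secure and expiry rules of
RFC 2965.  Added example, not code from the article; the hosts and cookie
values used below are constructed."""
import time
from urllib.parse import urlsplit


def domain_allowed(response_host, domain_attr):
    """A server may only set a Domain that covers itself: www.google.co.in
    may set .google.co.in but not .google.com.  Simplification: a real
    browser also refuses public suffixes such as .co.in (via a public
    suffix list); here only a bare top-level label is refused."""
    domain = domain_attr.lower().lstrip(".")
    host = response_host.lower()
    if "." not in domain:
        return False
    return host == domain or host.endswith("." + domain)


def path_matches(cookie_path, request_path):
    """Path is a prefix match on the request path at a '/' boundary:
    /news matches /news and /news/india but not /newsletter."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class CookieJar:
    def __init__(self):
        self.cookies = []

    def set_cookie(self, response_host, cookie):
        """Store a cookie received from response_host.  Returns False (and
        stores nothing) when the Domain attribute does not cover that host.
        A cookie with the same name, domain and path replaces the old one."""
        domain_attr = cookie.get("domain")
        if domain_attr:
            if not domain_allowed(response_host, domain_attr):
                return False
            domain, host_only = domain_attr.lower().lstrip("."), False
        else:
            domain, host_only = response_host.lower(), True   # no Domain: host-only
        entry = {"name": cookie["name"], "value": cookie["value"],
                 "domain": domain, "host_only": host_only,
                 "path": cookie.get("path") or "/",
                 "secure": bool(cookie.get("secure")),
                 "expires": cookie.get("expires")}          # None = session cookie
        key = (entry["name"], entry["domain"], entry["path"])
        self.cookies = [c for c in self.cookies
                        if (c["name"], c["domain"], c["path"]) != key]
        self.cookies.append(entry)
        return True

    def cookie_header(self, url, now=None):
        """Return the Cookie header value the browser would send for url,
        or None when no stored cookie qualifies."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        request_path = parts.path or "/"
        over_tls = parts.scheme == "https"
        chosen = []
        for c in self.cookies:
            if c["expires"] is not None and c["expires"] <= now:
                continue                                   # expired
            if c["host_only"]:
                if host != c["domain"]:
                    continue
            elif not (host == c["domain"] or host.endswith("." + c["domain"])):
                continue
            if not path_matches(c["path"], request_path):
                continue
            if c["secure"] and not over_tls:
                continue                                   # Secure: never over plain HTTP
            chosen.append(c)
        chosen.sort(key=lambda c: len(c["path"]), reverse=True)  # most specific path first
        return "; ".join("%s=%s" % (c["name"], c["value"]) for c in chosen) or None


if __name__ == "__main__":
    jar = CookieJar()
    jar.set_cookie("www.google.co.in", {"name": "PREF", "value": "x1",
                                        "domain": ".google.co.in", "expires": 2147368447})
    jar.set_cookie("www.bankofamerica.com", {"name": "SESSIONID", "value": "s3cr3t", "secure": True})
    for url in ("http://images.google.co.in/search?q=cricket", "http://www.citibank.com/",
                "http://www.bankofamerica.com/", "https://www.bankofamerica.com/login"):
        print(url, "->", jar.cookie_header(url))
```

The script shows the Google cookie travelling to images.google.co.in, nothing at all going to citibank.com, and the bank's Secure session cookie being withheld from the plain-HTTP request and released only to the https URL. Because that session cookie was set without a Domain attribute it is host-only, so a request to another host under bankofamerica.com would not receive it either.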

Is there an RFC on cookies?

Yes: RFC 2965, HTTP State Management Mechanism, which obsoletes RFC 2109. In practice browsers still implement the older Netscape cookie specification (the Set-Cookie header used in the examples above) rather than the Set-Cookie2 header that RFC 2965 defines.

http://www.ietf.org/rfc/rfc2965.txt
