Because they can be used for tracking browsing behavior, cookies have been of concern for Internet privacy. As a result, they have been subject to legislation in various countries such as the United States, as well as the European Union. Cookies have also been criticized because the identification of users they provide is not always accurate and because they could potentially be a target of network attackers. Some alternatives to cookies exist, but each has its own uses, advantages, and drawbacks.
Cookies are also subject to a number of misconceptions, mostly based on the erroneous notion that they are computer programs. In fact, cookies are simple pieces of data unable to perform any operation by themselves. In particular, they are neither spyware nor viruses, although cookies from certain sites are described as spyware by many anti-spyware products because they allow users to be tracked when they visit various sites.
Most modern browsers allow users to decide whether to accept cookies, but rejection makes some websites unusable. For example, shopping carts implemented using cookies do not work if cookies are rejected.
Cookies are also used to track users across a website. Third-party cookies and Web bugs, explained below, also allow for tracking across multiple sites. Tracking within a site is typically done with the aim of producing usage statistics, while tracking across sites is typically used by advertising companies to produce anonymous user profiles, which are then used to target advertising (deciding which advertising image to show) based on the user profile.
Cookie specifications suggest that browsers should support a minimal number of cookies or amount of memory for storing them. In particular, an internet browser is expected to be able to store at least 300 cookies of four kilobytes each, and at least 20 cookies per server or domain.
Relevant count of maximum stored cookies per domain for the major browsers are:
In practice cookies must be smaller than 4 kilobytes. Internet Explorer imposes a 4KB total for all cookies stored in a given domain.
Cookie names are case insensitive according to section 3.1 of RFC 2965
The cookie setter can specify a deletion date, in which case the cookie will be removed on that date. If the cookie setter does not specify a date, the cookie is removed once the user quits his or her browser. As a result, specifying a date is a way for making a cookie survive across sessions. For this reason, cookies with an expiration date are called persistent. As an example application, a shopping site can use persistent cookies to store the items users have placed in their basket. (In reality, the cookie may refer to an entry in a database stored at the shopping site, not on your computer.) This way, if users quit their browser without making a purchase and return later, they still find the same items in the basket so they do not have to look for these items again. If these cookies were not given an expiration date, they would expire when the browser is closed, and the information about the basket content would be lost.
Cookies can also be limited in scope to a specific domain, subdomain or path on the web server which created them.
Cookies are in fact only data, not program code: they cannot erase or read information from the user's computer. However, cookies allow for detecting the Web pages viewed by a user on a given site or set of sites. This information can be collected in a profile of the user. Such profiles are often anonymous, that is, they do not contain personal information of the user (name, address, etc.) More precisely, they cannot contain personal information unless the user has made it available to some sites. Even if anonymous, these profiles have been the subject of some privacy concerns.
According to the same survey, a large percentage of Internet users do not know how to delete cookies.
in the browser URL field. Some browsers incorporate a cookie manager for the user to see and selectively delete the cookies currently stored in the browser.
Advertising companies use third-party cookies to track a user across multiple sites. In particular, an advertising company can track a user across all pages where it has placed advertising images or web bugs. Knowledge of the pages visited by a user allows the advertisement company to target advertisement to the user's presumed preferences.
The possibility of building a profile of users has been considered by some a potential privacy threat, even when the tracking is done on a single domain but especially when tracking is done across multiple domains using third-party cookies. For this reason, some countries have legislation about cookies.
The United States government has set strict rules on setting cookies in 2000 after it was disclosed that the White House drug policy office used cookies to track computer users viewing its online anti-drug advertising. In 2002, privacy activist Daniel Brandt found that the CIA had been leaving persistent cookies on computers for ten years. When notified it was violating policy, CIA stated that these cookies were not intentionally set and stopped setting them. On December 25, 2005, Brandt discovered that the National Security Agency had been leaving two persistent cookies on visitors' computers due to a software upgrade. After being informed, the National Security Agency immediately disabled the cookies.
Many web browsers including Apple's Safari and Microsoft Internet Explorer versions 6 and 7 support P3P which allows the web browser to determine whether to allow 3rd party cookies to be stored. The Opera web browser allows users to refuse third-party cookies and to create global and specific security profiles for Internet domains. Firefox 2.x dropped this option from its menu system but it restored it with the release of version 3.x.
Likewise, cookies do not differentiate between multiple users who share a computer and browser, if they do not use different user accounts.
During normal operation cookies are sent back and forth between a server (or a group of servers in the same domain) and the computer of the browsing user. Since cookies may contain sensitive information (user name, a token used for authentication, etc.), their values should not be accessible to other computers. Cookie theft is the act of intercepting cookies by an unauthorized party.
Cookies can be stolen via packet sniffing in an attack called session hijacking. Traffic on a network can be intercepted and read by computers on the network other than its sender and its receiver (particularly on unencrypted public Wi-Fi networks). This traffic includes cookies sent on ordinary unencrypted  sessions. Where network traffic is not encrypted, malicious users can therefore read the communications of other users on the network, including their cookies, using programs called packet sniffers.
This issue can be overcome by securing the communication between the user's computer and the server by employing Transport Layer Security ( protocol) to encrypt the connection. A server can specify the secure flag while setting a cookie; the browser will then send it only over a secure channel, such as an SSL connection.
However a large number of websites, although using secure  communication for user authentication (i.e. the login page), subsequently send session cookies and other data over ordinary unencrypted  connections for performance reasons. Attackers can therefore easily intercept the cookies of other users and impersonate them on the relevant websites or use them in a cookiemonster attack.
A different way to steal cookies is cross-site scripting and making the browser itself send cookies to servers that should not receive them. Modern browsers allow execution of pieces of code retrieved from the server. If cookies are accessible during execution, their value may be communicated in some form to servers that should not access them. Encrypting cookies before sending them on the network does not help against this attack.
This type of cross-site scripting is typically exploited by attackers on sites that allow users to post HTML content. By embedding a suitable piece of code in an HTML post, an attacker may receive cookies of other users. Knowledge of these cookies can then be exploited by connecting to the same site using the stolen cookies, thus being recognised as the user whose cookies have been stolen.
A way for preventing such attacks is by the HttpOnly flag; this is an option, first introduced by Microsoft and implemented in PHP since version 5.20 that is intended to make a cookie inaccessible to client side script. However, web developers should consider developing their websites so that they are immune to cross-site scripting.
Most websites, however, only store a session identifier — a randomly generated unique number used to identify the user's session — in the cookie itself, while all the other information is stored on the server. In this case, the problem of cookie poisoning is largely eliminated.
Users are advised to use the more recent versions of web browsers in which such issue is mitigated.
However, these addresses are typically less reliable in identifying a user than cookies because computers and proxies may be shared by several users, and the same computer may be assigned different Internet addresses in different work sessions (this is often the case for dial-up connections). The reliability of this technique can be improved by using another feature of the HTTP protocol: when a browser requests a page because the user has followed a link, the request that is sent to the server contains the URL of the page where the link is located. If the server stores these URLs, the path of page viewed by the user can be tracked more precisely. However, these traces are less reliable than the ones provided by cookies, as several users may access the same page from the same computer, NAT router, or proxy and then follow two different links. Moreover, this technique only allows tracking and cannot replace cookies in their other uses.
Tracking by IP address can be impossible with some systems that are used to retain Internet anonymity, such as Tor. With such systems, not only could one browser carry multiple addresses throughout a session, but multiple users could appear to be coming from the same IP address, thus making IP address use for tracking wholly unreliable.
Some major ISPs, including AOL, route all web traffic through a small number of proxies which makes this scheme particularly unworkable.
This method consists of the Web server appending query strings to the links of a Web page it holds when sending it to a browser. When the user follows a link, the browser returns the attached query string to the server.
Query strings used in this way and cookies are very similar, both being arbitrary pieces of information chosen by the server and sent back by the browser. However, there are some differences: since a query string is part of a URL, if that URL is later reused, the same attached piece of information is sent to the server. For example, if the preferences of a user are encoded in the query string of a URL and the user sends this URL to another user by e-mail, those preferences will be used for that other user as well.
Moreover, even if the same user accesses the same page two times, there is no guarantee that the same query string is used in both views. For example, if the same user arrives to the same page but coming from a page internal to the site the first time and from an external search engine the second time, the relative query strings are typically different while the cookies would be the same. For more details, see query string.
Other drawbacks of query strings are related to security: storing data that identifies a session in a query string enables or simplifies session fixation attacks, referer logging attacks and other security exploits. Transferring session identifiers as HTTP cookies is more secure.
This approach presents two advantages from the point of view of the tracker: first, having the tracking information placed in the HTML source and POST input rather than in the URL means it will not be noticed by the average user; second, the session information is not copied when the user copies the URL (to save the page on disk or send it via email, for example). A drawback of this technique is that session information is in the HTML code; therefore, each web page must be generated dynamically each time someone requests it, placing an additional workload on the web server.
The downside is that every separate window or tab will initially have an empty window.name; in times of tabbed browsing this means that individually opened tabs (initiation by user) will not have a window name. Furthermore window.name can be used for tracking visitors across different web sites, making it of concern for Internet privacy.
The major drawback with this approach is the same as every platform/vendor-specific approach: it breaks the web's global accessibility and interoperability, tying up web development to a specific client's platform, excluding users who use standards-compliant web user agents and instead forcing them to use platform/vendor-specific web agents, which propitiates vendor lock-in.
. The first time this page is loaded, the program
example.jsis loaded as well. At this point, the program remains cached and is not reloaded the second time the page is visited. As a result, if this program contains a statement such as
The introduction of cookies was not widely known to the public, at the time. In particular, cookies were accepted by default, and users were not notified of the presence of cookies. Some people were aware of the existence of cookies as early as the first quarter of 1995, but the general public learned about them after the Financial Times published an article about them on February 12, 1996. In the same year, cookies received lot of media attention, especially because of potential privacy implications. Cookies were discussed in two U.S. Federal Trade Commission hearings in 1996 and 1997.
The development of the formal cookie specifications was already ongoing. In particular, the first discussions about a formal specification started in April 1995 on the www-talk mailing list. A special working group within the IETF was formed. Two alternative proposals for introducing a state in an HTTP transactions had been proposed by Brian Behlendorf and David Kristol, respectively, but the group, headed by Kristol himself, soon decided to use the Netscape specification as a starting point. On February 1996, the working group identified third-party cookies as a considerable privacy threat. The specification produced by the group was eventually published as RFC 2109 in February 1997. It specifies that third-party cookies were either not allowed at all, or at least not enabled by default.
At this time, advertising companies were already using third-party cookies. The recommendation about third-party cookies of RFC 2109 was not followed by Netscape and Internet Explorer. RFC 2109 was followed by RFC 2965 in October 2000.
The server replies by sending the requested page preceded by a similar packet of text, called 'HTTP response'. This packet may contain lines requesting the browser to store cookies:
Set-cookie is only sent if the server wishes the browser to store a cookie. Set-cookie is a request for the browser to store the string
name=value and send it back in all future requests to the server. If the browser supports cookies and cookies are enabled, every subsequent page request to the same server contains the cookie. For example, the browser requests the page http://www.example.org/spec.html by sending the server www.example.org a request like the following:
This is a request for another page from the same server, and differs from the first one above because it contains the string that the server has previously sent to the browser. This way, the server knows that this request is related to the previous one. The server answers by sending the requested page, possibly adding other cookies as well.
The value of a cookie can be modified by the server by sending a new
Set-Cookie: name=newvalue line in response of a page request. The browser then replaces the old value with the new one.
The term "cookie crumb" is sometimes used to refer to the name-value pair. This is not the same as breadcrumb web navigation, which is the technique of showing in each page the list of pages the user has previously visited; this technique may however be implemented using cookies.
Set-Cookie line is typically not created by the HTTP server itself but by a CGI program. The HTTP server only sends the result of the program (a document preceded by the header containing the cookies) to the browser.
document.cookie is used for this purpose. For example, the instruction
document.cookie = "temperature=20" creates a cookie of name
temperature and value
name=newvaluepair and are separated by semicolons. For example, a cookie can be created by the server by sending a line
Set-Cookie: name=newvalue; expires=date; path=/; domain=.example.org.
The domain and path tell the browser that the cookie has to be sent back to the server when requesting URLs of a given domain and path. If not specified, they default to the domain and path of the object that was requested. As a result, the domain and path strings may tell the browser to send the cookie when it normally would not. For security reasons, the cookie is accepted only if the server is a member of the domain specified by the domain string.
Cookies are actually identified by the triple name/domain/path, not only the name (the original Netscape specification considers only the pair name/path). In other words, same name but different domains or paths identify different cookies with possibly different values. As a result, cookie values are changed only if a new value is given for the same name, domain, and path.
The expiration date tells the browser when to delete the cookie. If no expiration date is provided, the cookie is deleted at the end of the user session, that is, when the user quits the browser. As a result, specifying an expiration date is a means for making cookies to survive across browser sessions. For this reason, cookies that have an expiration date are called persistent.
The expiration date is specified in the "Wdy, DD-Mon-YYYY HH:MM:SS GMT" format. As an example, the following is a cookie sent by a Web server (the value string has been changed):
Set-Cookie: RMID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.example.net
The name of this particular cookie is
RMID, while its value is the string
732423sdfs73242. The server can use an arbitrary string as the value of a cookie. The server may collapse the value of a number of variables in a single string, like for example
a=12&b=abcd&c=32. The path and domain strings
.example.net tell the browser to send the cookie when requesting an arbitrary page of the domain
.example.net, with an arbitrary path.
The third condition allows a server or script to explicitly delete a cookie. Note that the browser doesn't send to the server information about cookie lifetime, so there is no way for the server to check if the cookie expires soon.
This is the method commonly used by many sites that allow logging in, such as Yahoo!, Wikipedia, and Facebook. (See "Cookie Theft" and "Cookie Expiration" sections of this article for security concerns around this mechanism)
If a user was authenticated using the technique above, when they request a page the server is also sent the cookie associated with the user. It can therefore adapt the requested page to the stored user preferences. When authentication is not used, the user preferences are stored in a cookie. Users select their preferences by entering them in a Web form and submitting it to the server. The server encodes them in a cookie and sends it back to the browser. This way, every time the user accesses a page, the server is also sent the cookie where the preferences are stored, and can personalise the page according to the user preferences.
For example, Google stores the user preferences in a cookie of name
PREF. This cookie is created with default values when the user accesses the site for the first time. For example, the cookie value contains the string
NR=10, that indicates a default preference of ten hits displayed in each page. If the user changes this number to 20 in the preference page, the server modifies the cookie with
NR=20. Every time the user queries the search engine, the cookie is sent to the server along with the query. This way, the server knows how many hits should be shown in each page.
By looking at the log file, it is then possible to find out which pages, and in which sequence, the user has visited. For example, if the log contains some requests done using the cookie
id=dfhsiw, these requests all come from the same user. The URL and time/date stored with the cookie allows finding out which pages the user has visited, and at which time.
This condition is common with on-line advertisement. Indeed, web banners are typically stored in servers of the advertising company, which are not in the domain of the Web pages showing them. If third-party cookies are not rejected by the browser, an advertising company can track a user across the sites where it has placed a banner. In particular, whenever a user views a page containing a banner, the browser retrieves the banner from a server of the advertising company. If this server has previously set a cookie, the browser sends it back, allowing the advertising company to link this access with the previous one. By choosing a unique banner URL for every Web page where it is placed or by using the HTTP referer field, the advertising company can then find out which pages the user has viewed. The same technique can be used with web bugs. These, unlike the obvious banners, are images embedded in the Web page that are undetectable by the user (e.g. they are tiny and/or transparent)
Third-party cookies are used to create an anonymous profile of the user. This allows the advertising company to select the banner to show to a user based on the user's profile. The advertising industry has denied any other use of these profiles.
Many modern browsers, such as Mozilla Firefox, Internet Explorer and Opera block third party cookies if requested by the user. Internet Explorer version 6 allows a mild form of blocking, called leashing. A leashed cookie is a third-party cookie that is sent by the browser only when accessing a third-party document via the same first-party. For example, if
third.com sets a cookie when an image is requested, and this cookie is set for the first time when the user views a document from
first.com, the same cookie is not sent if the user downloads a document that contains the same image but the document is on another site
other.com, if the cookie is leashed. A leashed cookie is different from a blocked cookie in that it is sent, in this example, if the image is contained in another document from the same site
This is a very insecure mechanism, because a malicious user can alter the cookie; a much more secure mechanism is to generate a random cookie as under "tracking", and using that as a lookup key in a database stored on the server.
As an example, an attacker running the domain
example.com may post a comment containing the following link to a popular blog they do not otherwise control:
When another user clicks on this link, the browser executes the piece of code within the
onclick attribute, thus replacing the string
document.cookie with the list of cookies of the user that are active for the page. As a result, this list of cookies is sent to the
example.com server, and the attacker is then able to collect the cookies of other users.
This type of attack is difficult to detect on the user side because the script is coming from the same domain that has set the cookie, and the operation of sending the value appears to be authorised by this domain. It is usually considered the responsibility of the administrators running sites where users can post to disallow the posting of such malicious code.
Set-Cookie: RMID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.example.net; HttpOnly
When the browser receives such a cookie, it is supposed to use it as usual in the following HTTP exchanges, but not to make it visible to client-side scripts. The `HttpOnly` flag is not part of any standard, and is not implemented in all browsers. Note that there is currently no prevention of reading or writing the session cookie via a XMLHTTPRequest. .