Cookies

Release 2

 

This short article tries to explain in a popular way what cookies are. I have received a few e-mails about this; thanks for them. As I understood it, the writers were just curious about this "black magic" technology. We will walk from the principle of operation, through the anatomy, to a playground where you can freely experiment.

 


There is no table of contents, because you must read the whole tutorial from beginning to end to get the quick overview necessary for understanding the text.

When you are not sure how to set your browser to accept cookies, please continue here for a short explanation (MS-IE, Opera). Here are a few additional details.


This page and its two descendants will send a cookie to your computer! I will use it only as counter memory for demonstration.

Because this page, as well as the whole domain, is advertisement free, it is impossible for other sites to reach it. If you see this page loaded into a frame of some external domain, please download the whole archive and read this tutorial off-line.



 

Why the cookies?

According to their inventor Netscape, cookies are "a string array of labeled data saved (on the local computer) by a web page and assigned to a concrete web locality". The idea behind the design was to make user-friendly access to mail servers. Concretely, to design a one-time validation: once your authorization is approved, you will not be asked for login again as long as you stay in your mail-box, no matter what you open or do there. It saves time and also traffic volume.

For sure you know how military sentries recognize friends, neutrals and enemies. The sentry shouts "bulldog" and a friend knows that the correct answer is "chow-chow". When the sentry hears something else, the situation becomes very serious and dangerous. Something similar was planned also for mail servers. The computers agree on some kind of challenge and reaction process after a successful login, and because only the two of them know the details, the conversation can stay private. E.g. when the server says an even number, the computer should return its half; when an odd one, the computer should multiply it by 16.

This has probably been realized, but I am not quite sure whether it has ever been supported. I mean on mail servers; this kind of authorization is normally used in small networks.


Principle of operation

Cookies expand this basic idea. The labeled data are the data entered by the user on the very first visit to the site. They are stored together with information about that domain and about the time interval of their validity. When the user surfs to that site again, the next day or after a week, the cookies are checked. When the concrete cookie exists and is still valid, the data are automatically sent to the server. In this way, the server knows that you are a legal user and it will not bore you with the authorization procedure.

If the cookie is not valid, it is erased by the browser. Erased: it is not transferred to the Recycle Bin as during a normal Delete, but it is not wiped out either! You can usually restore it with special software, like the freeware Restoration or Norton Undelete from Norton Utilities. Even from an NTFS partition. And because the cookie is deleted before the page loads, you will of course be prompted for re-entering the data.

However, most servers go further. They do not store in cookies only the data entered by the user. They also store their own variables, which are defined by the programmer in JavaScript somewhere in the page source code, and later they use these variables for their own purposes. And believe me, imagination knows no limits. This one solution has two concrete purposes: shopping servers, where the cookie is your basket, and personal portals, where the cookie is your desktop's description and configuration.

What else is sent from your computer? Besides the usual information, i.e. your IP address and browser and operating system identification, nothing else. A cookie is just text, a memory cell for a concrete site. It is not executable code! It is accessible only to the site (server, domain) which created it; no other domain can reach the information inside a foreign cookie. There is no possibility to create a script which can grab your name, e-mail, credit card number or anything else from your computer.

Once the cookie has been created by some site, its copy is sent by the browser to the server every time you request something from this site. Thus, the server knows where you have been, so it can cooperate with you. The most important word is "where": it will not know what you did there, unless you declare it. This is behind the most famous controversy: your browsing preferences. Because the advert domain is (almost always) different from the shopping domain, it can know that you have visited this and that page on this and that shop. But it will not know what you really bought, how you paid for the shopping, or any other detail.


"The vulnerability of damage or snooping by using assessment web browser cookies is essentially nonexistent."

U.S. Department of Energy :: Computer Incident Advisory Capability :: I-034 Internet Cookies report summary.


I believe you can answer the common questions yourself. Is it safe to leave cookies after the session? Is it convenient for me not to delete them? In my personal opinion, you should leave cookies only on your home computer. You should always delete cookies at work and definitely in an internet café. This is the only thing worth worrying about with cookies: that someone else will pass themselves off as you, because you left valid cookies for a mail server, a shopping centre, or some members section.

The browser settings for handling cookies are described in detail at "My browser does not understand me ... why?". Click here for Microsoft Internet Explorer settings, or here for Opera settings. Or scroll a little bit down.

There is one myth which does not let the most paranoid members of all human rights movements sleep. Is it really true that cookies can be read only by the domain they are assigned to? Cannot they be sent also to some advert servers? There is always such a possibility, but it is a crack of the browser! I saw a few articles with long discussions which say that it is possible on Microsoft Windows. To be strict: that it is possible without using an external application! However, none of these articles presents any verified data. Honestly, I would not be surprised if there really is some way, because Microsoft Internet Explorer is an integral part of the system.

If you are curious about internet privacy, surf to www.proxyblind.org. You will find there a lot of excellent articles and freeware tools for keeping your anonymity. Another source worth reading is the official domain of the European Parliament Committee on Echelon at www.europarl.eu.int/committees/echelon_home.htm. It worked in 2000 and 2001 and its task was to research the real interception capabilities of the National Security Agency (USA) because of a few strange business coincidences, like Airbus vs. Boeing, NEC vs. AT&T, Enercon vs. Kennetech, or Thompson-CSF vs. Raytheon. I suggest you start with Duncan Campbell's article Interception Capabilities; it can be found also at http://duncan.gn.apc.org/stoa_cover.htm. Both materials concentrate on e-mails and encryption schemes, but some information about cookies and IP addresses can be found there, too.

Please see also the Cookies' Myths section and Links, added in release 2 of this tutorial.

 

Microsoft Internet Explorer :: Cookies' Settings

Countless times I have been called to set up cookies, a task which suddenly turns into restoring the whole general security setup. Cookies can be set in Microsoft Internet Explorer :: Tools > Properties :: (third tab) Privacy! Do not enter or change settings at the second tab titled Security! It is not necessary to go in there for changing the cookies' security level! You should delete cookies after you finish your internet session, definitely if you do not have an NTFS hard disk. Interestingly, Microsoft Internet Explorer does not offer deleting cookies automatically (you must do it by hand at the first tab, General), but it has deleting files from the Temporary Internet Files directory set by default ... see picture 2.

There are five levels to choose from. The description is very detailed; however, no combination is allowed. Just for explanation: by the word "own" you should understand the server the displayed page comes from. By the word "foreign" they mean cookies sent by an external page from a different domain linked into one of the frames. Sometimes they are called "third-party". Those cookies are almost always used as identification of where (what URL) you really come from.

Picture 1: Microsoft Internet Explorer :: Tools > Properties tabbed dialog box - cookies settings. Left: cookies are to be set at this tab ... Right: and not at this one!
Ignore the mistyped word "cookies" in the left window.

 

Picture 2: Microsoft Internet Explorer :: Tools > Properties tabbed dialog box. Left: Temporary Internet Files can be deleted automatically ... Right: but cookies cannot.

Now to the Security options: especially when you are a home user connected through a 56k modem, always look at what dialog you are clicking on and what you allow to install. No matter whether it is an ActiveX element, a plug-in or a dialer program.

There has been one special program (you can find it even now, but with a different design) which offers free access to one of the biggest and oldest adult-oriented portals. It is a dialer, but a very smart one. When you install it for the first time, it silences the volume, forces its window to be centered and on top, disconnects you and connects you again through an international call through Kiribati (islands in the Pacific). So, if you have a modem card, you will neither hear nor see that you are being disconnected. The application itself uses a few techniques which confuse third-party content servers and convince them that you are really accessing from the members area. Well, it works. And you can be sure that the membership is cheaper than even a one-hour phone bill for this connection!

When you hear the modem beep when it should not, or see the LEDs/icon blink, disconnect the cable immediately; pull it out of the socket at the modem, if necessary.


 

Opera :: Cookies' Settings

Picture 3: Opera 7 :: File > Preferences list dialog box.

Cookies can be set in the Preferences dialog at the Privacy tab. The options are, in my opinion, much more understandable than those in Microsoft Internet Explorer. You can quickly disable all cookies through File > Quick Preferences :: Enable cookies, or by pressing the F12 key. You can also set deleting new cookies automatically. I recommend Accept all cookies, but Do not accept third party cookies as the most reasonable settings. You should check both warnings if the risk level seems so high to you. If you meet problems on framed sites, you must accept all cookies, even third-party ones, and you should list them. Third-party cookies are then probably used as additional information about which URL you really come from.

Please look definitely at Opera's Help. There is a document called Privacy (you can access it quickly through Contents on the Link bar) with a detailed description of the settings and a few external links about security.

Do not ever try to edit the cookie?.* files in Opera's directory!
If you want to browse through Opera cookies, please use Opera 4 File Explorer by Josef W. Segur. You can download this utility from Joe's Slim Software page (http://users.westelcom.com/jsegur/).

Most of the tricks, such as ActiveX elements or browser plug-ins, are not allowed in Opera. However, you can still download and install a dialer!



The cookie anatomy

Back to cookies. At first, I have to apologize and make an admission: I have already sent you one cookie. I will use it as a counter, nothing else. You can play here, between the lines. If the counter does not change, you have prohibited accepting cookies. Please adjust your settings accordingly; read the details here if you have any doubts!




When you click on reload, the page will scroll to its beginning, so you must scroll back to see the updated value. If this is boring to you, open this page: it uses the same script. When you choose reset, the text size and consequently the layout can get distorted.

The cookie is valid for 5 minutes only, so you can also test that the cookie really will be erased by the browser. But you must close the page. What do you think: what else can be counted?

The cookie itself can be found in miscellaneous directories. If you are using Microsoft Windows XP and Microsoft Internet Explorer, your cookies are in the directory C:\Documents and Settings\[current-user]\Cookies. Microsoft Windows 98 uses the subdirectory C:\Windows\Cookies\, or if it is missing, the Temporary Internet Files directory. Its extension should be ".txt" and its file name contains the domain which created it. Opera as well as AOL/Netscape uses a single file called cookie?.*. The last character is usually '4', the extension ('*') could be .dat or .txt. Another possibility is its cache; however, I doubt it. More about the Temporary Internet Files directory I wrote in the tutorial "Surfer's Basics". As I wrote, do not ever try to edit this file! If you need to browse or maintain any of Opera's inner files, please use Opera 4 File Explorer.

When you open the cookie I have sent you, you should see something like this:

VisitCnt
2
~~local~~/F:\Marian\Work\Ntta-szm-Add\Cookies\
1088
3753989632
29644508
754599632
29644508
*

And here is its hexadecimal dump:

00000000:56 69 73 69 74 43 6E 74 0A|32 0A 7E 7E 6C 6F 63|VisitCnt°2°~~loc
00000010:61 6C 7E 7E 2F 46 3A 5C 4D|61 72 69 61 6E 5C 57|al~~/F:\Marian\W
00000020:6F 72 6B 5C 4E 74 74 61 2D|73 7A 6D 2D 41 64 64|ork\Ntta-szm-Add
00000030:5C 43 6F 6F 6B 69 65 73 5C|0A 31 30 38 38 0A 33|\Cookies\°1088°3
00000040:37 35 33 39 38 39 36 33 32|0A 32 39 36 34 34 35|753989632°296445
00000050:30 38 0A 37 35 34 35 39 39|36 33 32 0A 32 39 36|08°754599632°296
00000060:34 34 35 30 38 0A 2A 0A

Please note that the end of line is in UNIX style: only LF, or $0A in hexadecimal, is used. Microsoft's operating systems use the combination LF/CR ($0A0D). They also usually finish the text file with the character Esc ($1B). UNIX does not add this one. You should remember it if you ever want to edit cookies. The standard Notepad is not the best choice; better use e.g. ConTEXT or TextPad.

As you can see, the cookie is in fact just a variable defined by the programmer. Every cookie has exactly six parts:

1. variable name
2. variable value
3. server domain
4. server directory structure (path)
5. HTTPS protocol request
6. validity date

In this example there is only one variable, VisitCnt, and its value is 2. If there are more variables, the mentioned six parts must be repeated for every single one. This situation is shown here (variable VisitCnt has value 15 and the second variable Dummy1 has value 2):

VisitCnt
15
~~local~~/F:\Marian\Work\Ntta-szm-Add\Cookies\
1088
803785088
29649547
197586672
29644518
*
Dummy1
2
~~local~~/F:\Marian\Work\Ntta-szm-Add\Cookies\
1088
1772200960
29656990
604776672
29644518
*

The variable name and its value should leave no space for doubts. The same goes for the HTTPS protocol request: if it is requested, the cookie will be sent only through HTTPS. It is much safer than through plain HTTP, because the cookie will be encrypted during its journey over the networks. By the way, have you wondered why it is called "inter-net"?

The server domain needs more discussion. Normally the cookie can be accessed only by web pages on the same server. Let's say the server is called www.OneBigShop.com. But it is not a rare situation that really big domains have a few web servers and more than one will need to read the cookies. For example, the cookies created by www.EShop.OneBigShop.com should also be accessible to www.OnLineOrders.OneBigShop.com. So, if the server domain is set to .EShop.OneBigShop.com, the server for on-line orders cannot access them. But if the domain is set to .OneBigShop.com, both servers (as well as others) can read and modify the cookie.

The server path is similar. For sure you know that the server directory structure uses the same logic for arrangement as folders, or directories, on computers. If you have never seen it, try to find and access some public FTP. Only pages which are located in the given directory and all its sub-directories can access the cookie, e.g. "/members/video". If there is a "/", any page on the server can work with the cookie.

Like any operating system, JavaScript also counts time from some datum (Latin for "zero-point"). Just for curiosity, it is 1970-01-01 00:00:00 UTC, but in summer time, so in real meaning it is 01:00:00. It counts in milliseconds and uses UTC (Universal Time Coordinated; its base is Temps Atomique International, or TAI, corrected every year to align with the balance of Earth's rotation. You can see on GPS e.g. 1995-12-31 23:59:60). There is a whole standard library to work with dates and not worry about local time differences. As I already said, every cookie has its validity time interval. The value is the final date and time for the cookie. After this point it is not valid and it will be erased by the browser.
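The domain, path, HTTPS and validity rules above, worked through as an added example (it is not the tutorial's own library script): the functions parse a cookie-setting string into the six parts and decide, the way a browser does, whether a stored cookie travels with a given request. The OneBigShop.com host names are the tutorial's illustrative ones; the request object shape and the settingHost parameter are my assumptions.

```javascript
// Added example (not the tutorial's own library script): the six parts of a
// cookie as a JavaScript object, and the Netscape-spec rules a browser applies
// to decide whether a stored cookie travels with a request. The OneBigShop.com
// names are the tutorial's illustrative ones; the request shape is assumed.

// Parse one "name=value; attr=...; ..." cookie-setting string into the six
// parts. settingHost is used when no domain attribute is given.
function parseSetCookie(header, settingHost) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    domain: settingHost ? settingHost.toLowerCase() : null,
    path: '/',
    secure: false,
    expires: null, // null = "non-persistent" cookie, kept in memory only
  };
  for (const attr of parts.slice(1)) {
    const [key, ...rest] = attr.split('=');
    const val = rest.join('=');
    switch (key.toLowerCase()) {
      case 'domain': cookie.domain = val.toLowerCase(); break;
      case 'path': cookie.path = val; break;
      case 'secure': cookie.secure = true; break;
      case 'expires': cookie.expires = Date.parse(val); break; // ms since the 1970 datum
    }
  }
  return cookie;
}

// Domain rule: ".OneBigShop.com" covers www.EShop.OneBigShop.com and
// www.OnLineOrders.OneBigShop.com alike; a domain without a leading dot
// matches one host only.
function domainMatches(cookieDomain, host) {
  const d = cookieDomain.toLowerCase();
  const h = host.toLowerCase();
  return d.startsWith('.') ? h === d.slice(1) || h.endsWith(d) : h === d;
}

// Path rule: "/members/video" covers that directory and everything below it;
// "/" covers the whole server. Netscape's rule is a plain prefix test.
function pathMatches(cookiePath, requestPath) {
  return requestPath.startsWith(cookiePath);
}

// Would the browser attach this cookie to the request {host, path, https}?
function shouldSend(cookie, req, nowMs) {
  if (!cookie.domain) return false;                                    // scope unknown
  if (cookie.expires !== null && nowMs > cookie.expires) return false; // expired: erased
  if (cookie.secure && !req.https) return false;                       // HTTPS-only cookie on plain HTTP
  return domainMatches(cookie.domain, req.host) && pathMatches(cookie.path, req.path);
}

// Build the "Cookie:" request header from a jar of stored cookies.
function cookieHeader(jar, req, nowMs) {
  return jar
    .filter((c) => shouldSend(c, req, nowMs))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}
```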


Playground

I prepared two demonstration pages to show you operations with cookies. Both pages use an external file with common JavaScripts. Call it a library or a unit, if it is easier for you. An external file with scripts is preferred to placing the scripts at the front of the page: it saves a lot of time during downloading and also during coding.

The first one is a simple counter. It is a light version of the counter presented on this page. The second one reads all cookies which have been created (by THIS domain ONLY) and allows you to manipulate them. You can read variable values when you enter their CaSe sensitive name. You can also add variables: just enter the CaSe sensitive name, value and time of expiration. Then see how the cookie has been modified; you know where the file can be found.

You can look into the code of both pages, as well as the JavaScript file, if you want to figure out how the whole thing works. There is no commentary, because I do not think there is such a need.
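As an added example (not the tutorial's own counter script or its .js library), here is a visit counter of the kind described above: a VisitCnt cookie that expires 5 minutes after the last visit, plus a reset that expires it at once. The pure functions take the cookie string and the current time as parameters so they can be checked outside a browser; the function and constant names are my own.

```javascript
// Added example (not the tutorial's own counter script or its .js library): a
// VisitCnt cookie that expires 5 minutes after the last visit, as the demo on
// this page does, plus a reset that expires it at once. Pure functions take the
// cookie string and the time as parameters, so they can be checked without a
// browser; bumpVisitCounter() is the browser glue.

const COUNTER_NAME = 'VisitCnt';          // name used by the tutorial's demo
const LIFETIME_MS = 5 * 60 * 1000;        // 5 minutes, as on this page

// document.cookie reads back as "VisitCnt=2; Dummy1=2": name=value pairs only.
// The browser never reveals domain, path or expiry to the script.
function readCookie(cookieString, name) {
  for (const pair of cookieString.split(';')) {
    const trimmed = pair.trim();
    if (trimmed.startsWith(name + '=')) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;                            // missing, or already erased by the browser
}

// Next counter value and the assignment string that stores it. nowMs is
// milliseconds since the 1970-01-01 00:00:00 UTC datum, as Date.now() returns.
function nextVisit(cookieString, nowMs) {
  const previous = parseInt(readCookie(cookieString, COUNTER_NAME), 10);
  const count = Number.isNaN(previous) ? 1 : previous + 1;
  const expires = new Date(nowMs + LIFETIME_MS).toUTCString();
  return {
    count,
    expires,
    setCookie: `${COUNTER_NAME}=${count}; expires=${expires}; path=/`,
  };
}

// A cookie assigned with an expiry in the past is erased immediately.
function resetCookie(nowMs) {
  const past = new Date(nowMs - LIFETIME_MS).toUTCString();
  return `${COUNTER_NAME}=0; expires=${past}; path=/`;
}

// Browser glue: returns the new count, or null outside a browser.
function bumpVisitCounter() {
  if (typeof document === 'undefined') return null;
  const next = nextVisit(document.cookie, Date.now());
  document.cookie = next.setCookie;
  return next.count;
}
```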

 
HTML pages to play with (all these pages work also off-line!):
1. Counter of Visits: a light version of the visit-count script presented on this page.
2. Cookie Manager: you can add, read and modify cookies created by your actual domain.
3. Today: shows the actual date and time, both in a "translated to human" version and a "machine" version.
4. Time-Play: shows various time-stamps and allows miscellaneous calculations with their "machine" form directly.
5. Main Scripts: the external .js file with the scripts in use. Save it and open it with e.g. Notepad or ConTEXT. Pure text version.

I declare in advance that I will not answer any request on how to modify the expiration date! I gave you everything necessary and I believe that you are able to crack it without my help. Schola Ludus. Educate yourself by playing, if you think it is worth it. Only one tip: the time-stamp can be shortened or divided into a few parts.

 

Downloads

All four HTML documents (this one and the playground ones) with the accompanying script file and some commented sample cookies are packed in this archive. You should download it and run these pages off-line as soon as you see that any of these pages is inside a frame of some domain. I do not use frames, so some domain links the examples as external, and it is possible that that domain will send its own cookies to your computer, processed later for personal adverts.


 

Cookies' myths

I wrote this addition because of a few very concrete questions. Generally, their main subject has been similar: "... the explanation is nice, but what about this and that case? Is it possible or not?" Thanks for them. My fault was that I just did not separate cookies from scripts and I totally omitted the principles of including advertisements in pages. I hope this time I do it better. I am going to use a simple FAQ style.

Cookies can scan your drive / memory / system and gather miscellaneous information. WRONG.
Cookies cannot do anything. Cookies are not executable code. All that cookies can do is pass text information: the one the user entered and/or the one the server sent.

Cookies can be freely collected into an archive / database for later reuse. NOT QUITE TRUE.
No, there is no use in this. Even if you physically copy valid cookies from some other computer (you do not get access to another user's cookies otherwise), in most cases you will not fool the server, because your IP address will be different.

Cookies can notify about changes since the last visit. TRUE.
Because every cookie carries information about when and from where it was created, the server has all the information necessary to generate a "What's new" page. It can even identify you (by your IP address), greet you personally when you enter some name in some dialog box on that page, and (not least) track your movements and guess your further steps, because it knows where you have been before.

Refusing all cookies will give me anonymity. WRONG.
The browser will always send your IP address. Without cookies the tracking will be harder, but not impossible. To be fair, tracking existed long before cookies. The most widespread way of tracking is to put an image dot (a small GIF of size 1 pixel by 1 pixel) on the page. The information about where you come from and what pages you visited is in the server's log file.

Domain and path limits can be bypassed using e.g. .COM as the domain. WRONG.
An entry like this is invalid. If it were possible, the cookie would be accessible from all commercial servers. No server can send such a cookie, and no cookie like this is accepted. But, in the present time, when someone changes the legislation ...

A cookie could be recovered by any page actually displayed in frames, including advert servers. WRONG.
A cookie can be recovered only if domain, path and access type match. Even if the cookie is specified to be sent encrypted only and your connection to the concrete valid site is not encrypted, the cookie will not be sent.
The misunderstanding comes from a trivial detail: one cookie is sent by the shop and another, totally different, cookie is sent by the adverts company. This advert cookie is sent along with a banner from some URL which is different from the URL of the shop. You can buy or do what you want, but the advert cookie will not know what you are doing, because its URL does not match. The advertisement company will only know from where the banner was called: the shop URL is always sent as a parameter of the banner link. When at any time in the future (well, say during the next year) you surf to some other page which links any banner from the same adverts company, that advert cookie comes into activity and is sent to them automatically by the browser. In this way, the advertisement company will know what pages you are browsing. But nothing else. They cannot know what you do with those pages.
By the way, in this example the shop's is the "home" or "own" cookie and the advertisement company's is the "third-party" or "foreign" / "alien" one.

A cookie can block my access / download. TRUE.
Oh yes, it can. Because the cookie is updated every time you request something from the server, it can count, e.g., the number of files, or (theoretically) the overall traffic volume. But remember that the situation is the same as with anonymity: cookies just make it easier.

Cookies can always be retrieved. WRONG.
So called "non-persistent cookies", which have no expiration time-stamp, are not saved on disk. They exist only in memory until you log off from the page. All mail servers and some personal portal services work this way.

A cookie can consume my free space on disk. NOT QUITE TRUE.
The cookie file size limit is 4 kB according to Netscape. However, they rarely exceed 100 bytes. If you still use the FAT32 file system, your cluster (the smallest allocatable unit on disk) could be 32 kB. Consequently, the cookie will occupy a few hundred times more space than needed. The maximum number of cookies sent by an individual site (not domain!) is 20 and the maximum of all cookies is 300.

 


 

Links

Duncan Crombie's JavaScript Cookies: http://members.ozemail.com.au/~dcrombie/cookie.html
This is one of the best and most complete tutorials for programmers and web designers, with a lot of ready-to-use scripts. You should definitely go there if you are looking for some additional information or you are interested in using cookies on your pages. If you are just curious, please read at least tutorials no. 1 and no. VI.

Netscape's Persistent Client State HTTP Cookies Specification: http://wp.netscape.com/newsref/std/cookie_spec.html
The original specification of the cookie technology from its inventor. A careful reading of the sections Overview and Additional Notes could contain answers to your questions.

U.S. Department of Energy :: Computer Incident Advisory Capability :: I-034 Internet Cookies: http://ciac.llnl.gov/ciac/bulletins/i-034.shtml
An official information bulletin from 1998-03-12 about the cookie mechanism and its possibilities. The report is written especially for managers who panic as soon as they hear the mystical "cookies". Short, straight to the point and easy to navigate, as you can expect from any academic report for government use. Additionally you can find there a lot of information about what the browser sends to the internet and a few other links. Definitely worth reading.

www.proxyblind.org
This is a domain concerned with internet privacy. You can find there a lot of original and linked material from "both sides of the barrier", including a few tools not only for paranoids.

 

Updates

2004-07-30
Added the Cookies' Myths section. Added a new page, Time-Play. Added Links.

2004-07-23
Corrected a few grammatical errors. Added an explanation about the time-stamp format and datum. Added the settings about cookies, copied from the Surfer's Basics tutorial. Extended the "Echelon" description. Rewritten the "Principle of Operation" section.


You can translate or link this tutorial under the conditions written at this domain's "Legal Stuff" page and the following. If in any doubt, please contact me.

Copyrights, trademarks and credits are collected here.

Marián Stach
Prešov, Slovakia, Central Europe
2004-05-11
