Cookies
The origin of the term “cookie” is uncertain, although its inventor, Netscape, claims the name was chosen at random. Some claim that it was derived from a similar Unix operating system transaction called a “token.” On Mac computers, cookies are kept in a list called “magic cookie,” whereas on IBM CPUs they are kept in a file called “cookies.txt.” What is a cookie and how does it fit into the client-server model? In simplest terms, a cookie is data (for future use) stored by a server on the client side of a client-server model. For instance, a cookie might record Alice’s preferences when visiting QQQ.com. The cookie is a means by which the server can store its own data about Alice on Alice’s own computer.
Cookies and HTTP
In Internet terms, a server, when returning an HTTP object to Alice, includes a cookie that carries a description of the range of URLs for which that cookie is valid. Any future HTTP requests made by Alice that fall in that range will include the current value of the cookie, sent from Alice back to the server. This means that she can shop online and store information about the currently selected items, and it frees Alice from retyping her user ID on each visit. The sites at which she shops can store preferences on her computer and have Alice supply those preferences every time she visits that site. For instance, the QQQ.com server provides the cookie to Alice’s browser, which stores it in its memory as a text file. Each time her browser sends a request to QQQ.com, the cookie is sent back to the server.
Types of Cookie
There are different types of cookies. For instance, a session cookie (or transient cookie) is one that is erased when Alice closes her browser, because the session cookie is stored in temporary memory and discarded after the browser is closed. These transient cookies do not obtain information from Alice’s computer. Rather, they store data in a session ID format, which does not explicitly identify Alice. Another type of cookie is the persistent cookie (also called a permanent or stored cookie), which is a cookie set with an expiration date and stored on Alice’s hard drive until it expires.
A hard disk, also called a disk drive, is part of a unit that stores and provides efficient access to large blocks of data on one or more electromagnetically charged surfaces. Persistent cookies gather information about Alice, including WWW surfing behavior or preferences at QQQ.com. The QQQ.com server may use this information to present Alice with a customized welcome page with, say, “Hello Alice” the next time she visits. Alice’s browser automatically updates cookies every time she revisits a site, since once the browser is closed, the cookies are resaved to disk.
Effect of Cookie
In the final analysis, a cookie is simply a piece of text, not a program, and only Alice’s browser can store cookies on her hard drive, if it is a persistent cookie. The data are stored in a special file called a cookie list, and this is done without the knowledge or consent of Alice. However, a cookie cannot be used for, say, a virus, so it is harmless in that regard. Moreover, the number of cookies that may be stored on Alice’s hard drive is also restricted. Most browsers conform to RFC 2109, which limits the number of cookies that may be stored on a given hard drive to 300 (with a 4096-byte-per-cookie maximum).
This involves a limit of twenty cookies per WWW site, so if fifteen sites fill the cookie store on Alice’s hard drive, then the next time a cookie is to be set, Alice’s browser will discard the least-used cookie to free space for the new one. When Alice returns to QQQ.com, her browser will automatically, and again without her knowledge or consent, transmit the cookie containing her personal data to QQQ.com’s server.
Cookies are transported between server and client as an HTTP header, and the formal specifics of this header are defined in RFC 2109. There are six parameters that can be assigned to a cookie. The first two are mandatory and are set as a pair. The others are optional, configured manually or automatically, and are typically separated by semicolons.
1. Name: This is any alphanumeric value (excluding semicolons, commas, and white space) used to identify the cookie.
2. Value: This cookie value may be any scalar.
3. Expiration Date: This determines the valid lifetime of the cookie and, if not explicitly set, defaults to the end of the session, that is, for as long as Alice’s browser is open.
4. Path: This sets the subset of URL paths on a domain for which the cookie is valid. If a path is not specified, the default is the path of the document that created the cookie.
5. Domain: This is the textual equivalent of a numerical IP address. When the cookie list is searched, the tail of the valid host domain name (such as QQQ.com) is compared with the tail of the cookies on the list. For instance, the host might be shopping.QQQ.com, which indeed satisfies the tail matching for the domain QQQ.com. Because of this tail matching, no domain is allowed to set a cookie with fewer than two dots, in order to distinguish among tails such as those containing .com, .ca, .gov, and so on. Thus, for instance, QQQ.com would not be an allowed cookie domain on the list. Moreover, the server setting the cookie must be a member of that domain. For instance, WWW.QQQ.com cannot set a cookie for the domain WWW.RRR.com, since the security breaches would be severe.
6. Secure Label: If this label is set to TRUE, then the cookie may be sent only over a secure channel, typically HTTPS. The default is FALSE, since most WWW sites do not need secure connections.
Basically, cookies are pieces of textual data generated by a WWW server for storage on a client’s computer for future access. Cookies are embedded in the HTML information that flows between the client browser and the server. Most often, both the storage of, and access to, cookies goes unnoticed by the client. However, any client concerned about privacy issues can set his or her computer to give notice of any attempt to set a cookie and ask for permission. Of course, this may become a headache, since there will be a lot of “alerts.”
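As an added example (not from the text or from RFC 2109 itself), the following Python parses a Set-Cookie header into the six parameters listed above, applies the two-dot and domain-membership rules from item 5 when a Domain is given, and decides whether a stored cookie accompanies a later request under the tail-matching, path and Secure rules. The header strings, host names and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

def domain_matches(host, domain):
    """Tail matching from item 5: a leading-dot domain such as .QQQ.com matches
    shopping.QQQ.com; a domain without a leading dot is the exact host only."""
    host, domain = host.lower(), domain.lower()
    return host.endswith(domain) if domain.startswith(".") else host == domain

def can_set_cookie(origin_host, domain):
    """A server may set a Domain cookie only if the domain has at least two
    dots (so .QQQ.com is allowed but QQQ.com is not) and the server belongs
    to that domain (WWW.QQQ.com cannot set a cookie for .RRR.com)."""
    return domain.count(".") >= 2 and domain_matches(origin_host, domain)

def parse_set_cookie(header, origin_host, default_path="/"):
    """Parse one Set-Cookie header (constructed input) into the six fields.
    Returns None when the Domain attribute breaks the rules above."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "expires": None,
              "path": default_path, "domain": origin_host.lower(),
              "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":            # flag attribute, carries no value
            cookie["secure"] = True
        elif key == "domain":
            if not can_set_cookie(origin_host, val):
                return None            # reject the whole cookie
            cookie["domain"] = val.lower()
        elif key in ("expires", "path"):
            cookie[key] = val
    return cookie

def should_send(cookie, url):
    """Decide whether a stored cookie is included in a request for url:
    Secure cookies go over HTTPS only, the host must tail-match the cookie
    domain, and the request path must lie under the cookie path."""
    u = urlsplit(url)
    if cookie["secure"] and u.scheme != "https":
        return False
    if not domain_matches(u.hostname or "", cookie["domain"]):
        return False
    return (u.path or "/").startswith(cookie["path"])
```

A cookie set without a Domain attribute is kept for the exact originating host, and one set without a Path attribute takes the path of the document that created it, which the caller passes as default_path.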
The crucial issue is for the client to be “aware” of the issues, which this section addresses. Cookies cannot damage your computer or give out private data about you unless you gave those data out at a WWW site in the first place. The bottom line is that cookies were meant as a mechanism to make it easier for you to access your favorite WWW sites by storing information so that you do not have to log in each time you visit, a process that was impossible before the advent of cookies due to the stateless nature of HTTP.