[thelist] Truth about cookies?

Allie Micka allie at pajunas.com
Tue Nov 13 22:31:33 CST 2001


Cookies are simply a request from a web server to the browser to return a 
small piece of data on subsequent requests for resources on its site.  
Returning the cookie is entirely up to the browser, and browsers will 
automatically reject cookies that violate certain basic rules.  Most 
browsers also have 'security settings' that allow the user to change 
cookie behavior.

The original intention of the cookie is to get around the whole issue of 
statelessness of the HTTP protocol, and I can't comprehend ever creating 
any kind of web-based authentication system that's even a little bit 
secure without them.

The trouble is, your browser may be asked to accept cookies by any 
server that it gets resources from.  In addition to normal site content 
you are often also downloading files from ad servers and other 
demographics tracking systems.  A lot of the time there's even a 
transparent image, a 'web bug' that is requested from a server whose 
primary purpose is to track web usage patterns.  Companies can compile a 
lot of data about you based on the referring pages and special 
identifiers they may place in the request string.  One company got in a 
lot of trouble last year by gathering enough information to track web 
usage patterns to individual human beings!  This usage of cookies is 
evil and the primary reason for all the bad press.

Another reason cookies have gotten bad press is because of the security 
threats caused by stupid developers, who have been known to store things 
like username/password pairs in cookies.  That's just plain silly!  
Cookies ought to store unique session identifiers.

I've had to do a lot of work to convince my employers that cookies are 
useful and necessary to promote internet security and the best thing I 
can say is to just educate people.  Good programming is also in order.  
Use session cookies only, whenever possible, as they are more likely to 
be accepted by browsers.  And don't store sensitive data there!

Also, I would like to see better browser software.  My version of IE 
running on OS X as well as Konqueror allow you to disable cookies for 
specific domains.  This is great, I never accept cookies from ad 
companies but can keep cookies available when they're useful to me.  
Isn't there some kind of plugin for this on a windows platform?

Thanks,
Allie Micka
pajunas interactive, inc.
http://pajunas.com
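The advice in the post (a cookie should carry only an unguessable session identifier, never a username/password pair, and should be a session cookie with no expiry) is illustrated below as an added example. This is not code from the post or from pajunas interactive; the `SessionStore` class, the function names and the sample credentials are assumptions made here for illustration. It uses only the Python standard library, so it runs offline. The hardened form also sets the HttpOnly, Secure and SameSite attributes, which go beyond what the 2001 post discusses but are what a practitioner would set today.

```python
"""Session cookies: the anti-pattern beside the sound form (added example)."""
import secrets
from http.cookies import SimpleCookie


def bad_set_cookie(username: str, password: str) -> str:
    """The pattern the post calls 'just plain silly'.

    Returns a Set-Cookie header value carrying the credential pair itself.
    Anyone who can read the cookie (shared machine, proxy logs, a script on
    the page) holds the password, and nothing can be revoked server-side
    without changing the password. Kept here only as the 'before' form.
    """
    c = SimpleCookie()
    c["auth"] = f"{username}:{password}"
    return c["auth"].OutputString()


class SessionStore:
    """Server-side map from session id to the data that must stay private.

    Assumed helper for this example; a real deployment would back it with
    a database or cache shared across web servers.
    """

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def create(self, username: str) -> str:
        # 32 random bytes (256 bits) from the OS CSPRNG, URL-safe encoded.
        # The id is the only thing the browser ever sees; it is useless to
        # anyone once destroy() has run, unlike a stored password.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username}
        return sid

    def lookup(self, sid: str):
        return self._sessions.get(sid)

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def good_set_cookie(sid: str) -> str:
    """Set-Cookie header value for a session cookie holding only the id.

    No 'expires' or 'max-age' is set, so the browser discards it when the
    session ends (the post's 'use session cookies only'). HttpOnly keeps
    page scripts from reading it, Secure keeps it off plain HTTP, and
    SameSite=Lax keeps most cross-site requests from carrying it.
    """
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["path"] = "/"
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Lax"  # supported by http.cookies since Python 3.8
    return c["sid"].OutputString()


def session_from_request(store: SessionStore, cookie_header: str):
    """Resolve the incoming Cookie header to server-side session data.

    Returns None when the cookie is absent, unknown, or already destroyed;
    the caller treats None as 'not logged in'.
    """
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get("sid")
    if morsel is None:
        return None
    return store.lookup(morsel.value)


if __name__ == "__main__":
    # Constructed walk-through: login, authenticated request, logout.
    store = SessionStore()
    sid = store.create("alice")
    print("Set-Cookie:", good_set_cookie(sid))
    print("session:", session_from_request(store, "sid=" + sid))
    store.destroy(sid)
    print("after logout:", session_from_request(store, "sid=" + sid))
```

Compare the two header values side by side: the first reveals the password to anything that can read the cookie, while the second reveals only a random token that the server can invalidate at any time, which is exactly why the post wants cookies to hold "unique session identifiers" and nothing sensitive.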
