[thelist] cookies

David Adams dpadams at island-data.com
Thu May 17 15:28:31 CDT 2001

>> Can anyone read a cookie that was set by someone else?
Unless there is a bug in the browser, no. Cookies are tied to specific
domain. The browser should only send the cookie to the domain that created
the cookie in the first place.

>> Say I have a JSP site that makes a cookie. Can some
>> other site (not using JSP) read the cookie made by the
>> JSP site?
It makes no difference how the cookie was created. How the cookie is stored
and when it is sent to a Web server is controlled completely by the browser.

> Part of the reason people feel "safe" to some extent with cookies is
> because /theoretically/ this is not possible - part of the security
> model is that the only cookies a domain can read are ones it has *set*.
Yes, this is why many people are comfortable with them. Cookies are not,
however, secure in a variety of ways:

* Cookies are stored as text.
They are stored on the user's machine as text. Some browsers even provide
screens for reviewing all stored cookies.

* Cookies are sent as text.
If you need encryption, you must use SSL. (Note: standard Web passwords are
not encrypted either. Again, only SSL provides real security.)

* Cookies can be misused.
This is a big one. Cookies are tied to a domain, but what does that mean?
Well, it was meant to prevent cookies from being sent to anyone other than
the original site that created the cookie. Fair enough. A Web page, however,
may include images from any number of sites. Oh.

Cookies are a convenient way to store user preferences or basic
identification information. It is far better, however, to store more complex
data on the server side, if possible. With server-side data, all of the
browser-version-user-settings hassles go away. They just don't matter any

  David Adams
  Island Data Management
  Kailua, HI 96734
  dpadams at island-data.com

More information about the thelist mailing list