Note: My Web pages are best viewed with style sheets enabled.

Unrated

About Those Cookies …

Copyright © 1999-2001, 2003, 2008-2010, 2018 by David E. Ross

What Are Cookies?

A cookie is a small package of data describing your Web-surfing activities. When you request a Web page, you send a message to the page's Web server. The server returns the files needed by your browser client to display the page. Before those files are sent, however, the server sends some header messages describing those files. Those messages might include one or more cookies, each of which contains the following data:

• Domain: The name of the server identified with the cookie (e.g.: www.rossde.com).
• Path: The location of the Web file for the page associated with the cookie. The combination of Domain and Path completely identifies the Web page. However, Path might be omitted (specified merely as /) in which case the cookie applies to the whole Domain.
• Security flag: This is TRUE if the cookie can be accessed only by a secure Web page. It is FALSE if unsecure Web pages can also access the cookie.
• Expiration date: Your Web browser will automatically expire and erase the cookie this many seconds after 1 January 1970 00:00:00 UTC.
• Name or ID: Each cookie is named. This allows multiple cookies for the same Web page to be distinguished.
• Value: This can be taken from some input you sent (e.g.: on a Web form), a count of the number of times you have requested this Web page, the user ID by which you access a Web account, etc. The value of a cookie might actually contain many subvalues, each with its own identifier.

The cookie

   .yahoo.com   TRUE   /  FALSE  1273769119   PL  V=1.1&d=JcW2MLFRMre

Notice that a cookie does not contain any executable software, just data. The next time you request a Web page for which you already have a cookie, the IDs and their associated values are included in the request message you send to the page's Web server. Thus, the Web server can track your accesses to specific Web pages.

Although a Web page can only set a cookie for its own domain, a Web page can cause cookies to be set for other domains. If a page requests images or other files from other domains, the Web servers for those domains can then set cookies. Thus, visiting a news site that displays advertisements from other sites can set cookies for a number of different domains. Actually, a Web page might contain a microscopic or invisible graphic from another domain specifically for the purpose of setting cookies for that other domain.

While many cookies are written into your cookies file on your computer's hard drive, some cookies are intended for memory only. These session-only cookies are erased when you exit your Web browser application.

How Are They Used?

In general, a cookie tracks your request for a Web page and what you do as a result of browsing that page.

• If you buy three books through Thames.com — a cookbook, a baseball encyclopedia, and a murder mystery novel — a cookie is set when you receive the Web page acknowledging your order. The value in that cookie contains your account number or an arbitrary identifier which had just been created by Thames.com. In the meantime, Thames.com has created a database entry for your new account, containing the genre of books you bought. The next time you access Thames.com, the cookie is returned with the request for their Web page. Featured on that Web page will be advertisements for a cookbook, a sports book, and a mystery novel. You go to Maps-R-Us to print a map showing how to drive to the new home of your in-laws. A cookie is set with your ID. The next time you go to Maps-R-Us, the Web page is preset with your in-laws' address.
• A number of major software developers maintain Web services for receiving and answering questions about the uses of their products. For some reason, they want individuals who use those services to register. (Perhaps, they are comparing that registration with the registrations of their products.) To use these services, you must provide a user ID and password. Either you can manually type the ID and password every time you request the Web page that leads into such a service, or else you can allow a cookie to be set with the value combining both items. In the latter case, when you next request that service, the cookie returns to the Web server and provides automatic entry of your ID and password.
• The designer of a Web site has become far too impressed with his own skills and the capabilities of Web technology. He has designed pages that are overly complicated. When you go to one page, you are automatically routed to a subsequent page. The only way you can use the Back key to exit from this mess is if the path by which you entered is recorded in a series of cookies that indicate for each page you were previously there (thus preventing the automatic progress to the next page, the page you are trying to leave). I know of one government agency where the Web designer ran amok; navigating that agency's Web site caused over a dozen cookies to be set for no reason other than allowing the user to backtrack. These should have been memory-only cookies, but instead they were written to the user's hard drive.
• Secure Web pages (e.g.: for viewing your bank account) sometimes use memory-only cookies to support the necessary encryption. The cookie's value might be an encryption or decryption key.
• You are interested in five different stocks, and you frequently want current quotes. You go to YeeHaw and enter the symbols, which means you first had to look up those symbols. This is a real bother. However, YeeHaw allows you to establish a query account. Then, when you enter the symbols for those stocks, the Web page displaying the quotes comes with a cookie containing your account ID. The symbols are entered into YeeHaw's database. The next time you go to YeeHaw for quotes, the quote Web page displays automatically because your request sent the cookie back to identify your query account.
• You are looking to buy a new house. You go to the Web site of a real estate broker and see a listing that interests you. Using a link on that Web site, you send an E-mail message to your very good friend with a copy of that listing. The broker's Web server sets a cookie on your computer. A year later, you have already bought a very nice house. You still look at listings to judge the value of your new home. Your very good friend receives a spam message from the broker, asking if she would like the broker to show her the house in a listing you just reviewed. The cookie might have contained your friend's E-mail address. At the least, it contained an identifier that connected your recent viewing of a specific listing to the E-mail address in the broker's database.

I am quite sure you can see other uses for cookies. On the other hand, there are a number of things a cookie cannot do.

• Cookies cannot execute software on your PC or Mac.
• A cookie for one domain cannot cause cookies for other domains to be read. However, a Web page at one domain can set a cookie for another domain merely by using a graphic or other object from that other domain. Similarly, a Web page at one domain can cause a cookie for another domain to be read merely by again using an object from that other domain.
• Cookies cannot send your E-mail address to anyone, unless you gave your E-mail address to a Web page that then put the address into the value of a cookie sent with the next page.
• Cookies cannot erase your disc or change your software. (That can be done by downloaded software, which you might not even know was downloaded, which is why good anti-virus software is necessary on every computer.)

Why Is Anyone Concerned?

You might not be concerned if a supermarket, gas station, public library, or drug store records how many times you enter their facility. But would you be concerned about someone keeping track of how many times you went into a liquor store? If you are a man, would you want someone else to have a record not only of how many times you went into a drug store but also of how many times you bought an ointment for "jock itch" or condoms (and what brands)? If you are a woman, would you want a record of what brand of pregnancy test you bought for cash, especially when your husband had a vasectomy five years ago?

Using cookies to identify you, Web sites can indeed maintain such records. With Internet connections using dynamic IP addresses (e.g., dial-up, some broadband), they might not be able to correlate their records with your actual identity, but they can identify the ISP and even the POP through which you connected to the Internet. With connections using static IP addresses (e.g., some broadband, T1), your actual identity can be determined. Even with a connection using dynamic IP addresses, if you input any identifying information on a Web form, that information can easily be tied to a cookie. Thus, the owner of a Web site can accumulate a profile about your Web-surfing activities and even connect that profile to an actual person — YOU. This is an issue of privacy and controlling information about how you live your own life.

Most important and despite what a cookie cannot do, some cookies can support the operation of malware. The anti-virus application that I use occasionally detects such cookies, which I promptly delete.

But What Can You Do About Cookies?

First of all, do not set your Web browser to reject or disable cookies. As described above, some memory-only cookies are needed to navigate through complicated Web pages or to use secure Web pages. Often, Web pages that write cookies will not load if you reject cookies. Also, do not set your Web browser to warn you about cookies. You will soon become very annoyed at having to respond to each cookie.

My solution to this problem involved editing my cookies so that only those remained that I absolutely must have. I then made a back-up of the cookies. Before I start my browser, I copy the back-up over the cookies file, thus eliminating any cookies that I accumulated from the prior browser session. This makes all new, unwanted cookies memory-only. While I could refresh my cookies manually, I created a simple script to do this.

It is important to recognize that memory-only cookies persist until your terminate your browser. Thus, if you visit a Web site and enter data on a form, you might want to terminate your browser after you leave that site, thereby limiting the accumulation of data from memory-only cookies.

This should prove effective in defeating even DoubleClick's tracking of who views its advertisements across unrelated Web sites.

But what about the cookies that you want? You do get stock quotes from YeeHaw and you frequently request technical help from various software developers. I handle this situation as follows:

• I terminate my browser and make sure it really has terminated. (With Windows, I use the Windows Task Manager to see if the browser is still running; I wait until it stops.)
• After refreshing my cookies from the back-up, I restart my browser.
• I visit the Web site in question and then leave that site.
• Having navigated only in that site, I then terminate my browser again.
• I delete my cookies back-up and then rename the actual set of cookies to be the back-up.

The next time I start my browser, I refresh my cookies from the new back-up. When I them request that Web site, the new cookies will be sent with the request. I have to remember that cookies do have expiration dates, although some expire only after many years. Thus, I might have to renew certain cookies and again create a new back-up.

A Browser Solution

Newer browsers contain cookie managers. I use SeaMonkey, whose cookie manager has the following features:

• It can disable (block) all cookies, disable cookies from Web sites other than the one being browsed, enable all cookies, or selectively enable cookies based on the privacy settings of the Web site being browsed. I use the second of those options.
• Overriding general controls that disable or enable cookies, it can create a list of sites that are prohibited from setting cookies and sites that are permitted to set cookies.
• Display the contents of a selected cookie.
• Remove selected cookies.

These features are generally found in Gecko-based browsers.

Other Cookies

Be aware that software other than Web browsers might set cookies, too. For example, RealPlayer sets cookies according to the streaming broadcasts you receive and the advertisements those broadcasts contain. It uses a cookies.txt file that is located in its own directory. While RealPlayer does have an option to suppress the use of cookies, I also set the file to read-only to prevent any cookies from being inserted into the file.

Windows 7 sets cookies in various subfolders of C:\Users. The Cookies subfolders themselves are generally marked as hidden system files. Windows XP sets cookies; and there is reason to believe that other versions of Windows — including Windows  10 — do so, too.

Other software may also establish cookies files. As with Gecko-based browsers, the files might not even be named cookies.txt. In some cases, it appears that the files are related to "live update" capabilities that automatically download and install upgrades to the software setting the cookies. (Both for security reasons and also because I want to maintain a log of all updates, I always disable automatic updates.)

More Information

More information about cookies — including technical details about their structure — is available from the following links:

• AboutCookies, which has introductory, fundamental, and advanced information on the use of cookies.
• The HTTP cookie entry in Wikipedia.

Information about other links is always welcome.

Last updated 4 August 2018

"Internet" Table of Contents

David Ross home

E-mail