A cookie, also known as a web cookie, an HTTP cookie, or browser cookie, is usually a small piece of data sent from a website and stored in a user's web browser while a user is browsing a website. When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user's previous activity.
Cookies were designed to be a reliable mechanism for websites to remember the state of the website or activity the user has taken in the past. This can include clicking particular buttons, logging in, or a record of which pages were visited by the user.
Using the web's Hypertext Transfer Protocol (HTTP), each request for a Web page is independent of all other requests. For this reason, the web page server has no memory of what pages it has sent to a user previously or anything about the user's previous visits. A cookie is a mechanism that allows the server to store its own information about a user on the user's own computer. You can view the cookies that have been stored on your hard disk. The location of the cookies depends on the browser. Internet Explorer stores each cookie as a separate file under a Windows subdirectory. Netscape stores all cookies in a single cookies.txt file. Opera stores them in a single cookies.dat file.
Below are the highlights of cookie usage throughout the internet:
Cookies may be used to maintain data related to the user during navigation, possibly across multiple visits. Cookies were introduced to provide a way to implement a "shopping cart" (or "shopping basket"), a virtual device into which users can store items they want to purchase as they navigate throughout the site.
E-commerce websites that utilize shopping basket applications usually store the list of basket contents in a database on the server side, rather than storing basket items in the cookie itself. A web server typically sends a cookie containing a unique session identifier. The web browser sends that session identifier back with each subsequent request, and the shopping basket items are stored on the server in association with that unique session identifier.
Cookies may be used to remember the information about the user who has visited a website in order to show relevant content in the future. For example, a web server may send a cookie containing the username last used to log in to a website so that it may be filled in for future visits.
Tracking cookies may be used to track internet users' web browsing. This can also be done in part by using the IP address of the computer requesting the page or the referrer field of the HTTP request header, but cookies allow for greater precision. By analyzing the log file collected in the process, cookies enable the tracking of which pages the user has visited, and in what sequence.
Privacy, Theft and Hijacking
Cookies have some important implications for the privacy and anonymity of Web users. While cookies are sent only to the server setting them or the server in the same Internet domain, a Web page may contain images or other components stored on servers in other domains.
Advertising companies use third-party cookies to track a user across multiple sites. In particular, an advertising company can track a user across all pages where it has placed advertising images or web bugs. Knowledge of the pages visited by a user allows the advertising company to target advertisements to the user's presumed preferences.
Below is a list of scenarios of cookie theft and user session hijacking that work against websites that rely solely on HTTP cookies for user identification.
- Network eavesdropping: an attacker intercepts cookies to impersonate a user and perform a malicious task.
- Cross-site scripting: an attacker inserts a piece of script into a page; if a victim's browser executes the script, the script can carry out the attack.
- DNS cache poisoning: an attacker is able to cause a DNS server to cache a fabricated DNS entry.
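The session-identifier pattern from the shopping basket paragraph, combined with cookie attributes that limit the eavesdropping and script-theft scenarios listed above, as an added example that is not part of the original article. The cookie name `sid`, the in-memory `BASKETS` store and the function names are assumptions made for illustration; `Secure`, `HttpOnly` and `SameSite` are standard cookie attributes that the article itself does not discuss.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side store: session id -> basket contents (in memory for this example).
BASKETS = {}

def start_session():
    """Create a session and return the Set-Cookie header value for it."""
    sid = secrets.token_urlsafe(32)       # long random value, not guessable
    BASKETS[sid] = []
    cookie = SimpleCookie()
    cookie["sid"] = sid                   # "sid" is a name chosen for this example
    cookie["sid"]["path"] = "/"
    cookie["sid"]["secure"] = True        # sent over HTTPS only (network eavesdropping)
    cookie["sid"]["httponly"] = True      # not readable by page scripts (cross-site scripting)
    cookie["sid"]["samesite"] = "Lax"     # withheld from most cross-site requests
    return cookie["sid"].OutputString()

def session_id(cookie_header):
    """Return the session id from a request's Cookie header, or None if unknown."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("sid")
    if morsel is None or morsel.value not in BASKETS:
        return None                       # missing or forged identifier
    return morsel.value

def add_to_basket(cookie_header, item):
    """Store an item on the server under the caller's session id."""
    sid = session_id(cookie_header)
    if sid is None:
        return False
    BASKETS[sid].append(item)
    return True

def basket(cookie_header):
    """Return a copy of the caller's basket, or None without a valid session."""
    sid = session_id(cookie_header)
    return list(BASKETS[sid]) if sid else None
```

The cookie carries only the identifier; the basket contents never leave the server, so whoever holds a valid identifier is treated as that user.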