1. INTRODUCTION

Cookies are a very important method for maintaining state on the Web. "State" in this case refers to an application's ability to work interactively with a user, remembering all data since the application started, and differentiating between users and their individual data sets. An analogy I like to use is a laundry cleaner's shop. You drop something off and get a ticket. When you return with the ticket, you get your clothes back. If you don't have the ticket, then the laundry man doesn't know which clothes are yours. In fact, he won't be able to tell whether you are there to pick up clothes or are a brand new customer. As such, the ticket is critical to maintaining state between you and the laundry man.

Unfortunately, HTTP is a "stateless" protocol. This means that each visit to a site (or even each click within a site) is seen by the server as the user's first visit. In essence, the server "forgets" everything after each request, unless it can somehow mark a visitor (that is, hand him a "laundry ticket") to help it remember. Cookies can accomplish this.

1.1 What is a Cookie?

A cookie is a text-only string that gets entered into the memory of your browser. It is the value of a variable that a website sets. If the lifetime of this value is set to be longer than the time you spend at that site, then this string is saved to a file for future reference.

1.2 Where did the term cookies come from?

According to an article written by Paul Bonner for Builder.Com on 11/18/1997:

"Lou Montulli, currently the protocols manager in Netscape's client product division, wrote the cookies specification for Navigator 1.0, the first browser to use the technology. Montulli says there's nothing particularly amusing about the origin of the name: 'A cookie is a well-known computer science term that is used when describing an opaque piece of data held by an intermediary. The term fits the usage precisely; it's just not a well-known term outside of computer science circles.'"

1.3 Why do sites use Cookies?

There are many reasons a given site might wish to use cookies. These range from personalizing information (as on My Yahoo or Excite), to helping with on-line sales and services (as on Amazon Books or eBay), to simply collecting demographic information (as DoubleClick does). Cookies also provide programmers with a quick and convenient means of keeping site content fresh and relevant to the user's interests. The newest servers use cookies to help with back-end interaction as well, which can improve the utility of a site by securely storing any personal data that the user has shared with it (to allow quick logins on your favorite sites, for example).

1.4 Where Can I Get More Information?

Cookie Central is dedicated to answering questions about cookies. Feel free to look around. There's a great article concerning cookies on Marshall Brain's "How Stuff Works". It goes even deeper than this FAQ does, especially in the realm of public opinion. Worth a look! The World Wide Web Consortium has an excellent FAQ that answers the majority of Internet and Web-related questions. You can read their topic: "Do 'Cookies' Pose any Security Risks?" In addition, there is an abundance of resources on the Internet that can help you find answers to your cookie questions. Conveniently, Yahoo has a great listing of them. I encourage you to stop by and check the list out!

2. GENERAL QUESTIONS/MISCELLANEOUS

2.1 Introduction

This section is devoted to general questions on cookies and their usage.

2.2 Can I delete cookies?

Yes. Whether you use Internet Explorer or Netscape, your cookies are saved to a simple text file that you can delete as you please. In order to do this properly, remember to close your browser first. This is because all your cookies are held in memory until you close your browser. So, if you delete the file with your browser open, the browser will make a new file when you close it, and your cookies will be back. Remember that deleting your cookie file entirely will cause you to "start from scratch" with every web site you usually visit. So, it may be preferable to open the cookies.txt file (in the case of Netscape) and remove only the entries you don't like, or go to the Cookies folder (in the case of IE) and delete the files matching servers you don't want.

2.3 How do I set my browser to reject cookies?

Both Internet Explorer and Netscape allow some level of cookie verification. They both have menu options that allow you to accept all, some, or none of your incoming cookies. In addition, the "warn before accepting" feature is present in both, if you want to screen your incoming cookies. In Netscape, go to the Edit/Preferences/Advanced menu. Your cookie choices can be changed there. Microsoft has changed its approach to cookies over the last 3 versions of its browser. This is a reflection of how cookies have been thrust into the limelight of privacy on the Internet:
jdoe@coolsite.txt: Contains Jane Doe's cookie for coolsite.com. If anyone else logs in, then this cookie is not used. This is the only reason that the username is part of the cookie file name. The username does not get sent to the server with the cookie data.

2.11 There are two extra files in my Cookies folder called Mm256.dat and Mm2048.dat. What are they?

You can read more about this on Microsoft's Knowledge Base.

3. COOKIE FUNDAMENTALS

3.1 Introduction

Whether you're a programmer or just a web user looking for answers, a big part of understanding cookies is to go into the gory details. This section does just that.

3.2 How does a cookie really work?

Understanding how cookies really work requires an understanding of how HTTP works. Cookies travel from server to client and back as HTTP headers. The specification for these headers is laid out explicitly in RFC 2109. When a cookie is sent from the server to the browser, an additional line is added to the HTTP headers (example):

    Content-type: text/html
    Set-Cookie: foo=bar; path=/; expires=Mon, 09-Dec-2002 13:46:00 GMT

This header entry would result in a cookie named foo. The value of foo is bar. In addition, this cookie has a path of /, meaning that it is valid for the entire site, and it has an expiration date of Dec 9, 2002 at 1:46pm Greenwich Mean Time (or Universal Time). Provided the browser can understand this header, the cookie will be set. When a cookie is sent from the browser to the server, the cookie header is changed slightly:

    Content-type: text/html
    Cookie: foo=bar

Here, the server is made aware of a cookie called foo, whose value is bar.

3.3 Breakdown of Cookie Parameters

As we have just seen, a cookie contains more than simply a name and a value. In fact, a cookie has 6 parameters that can be passed to it:
    ... foo=bar ...

The value of a cookie can also be null, for the purpose of clearing the cookie value:

    ... foo= ...

Expires

The expires parameter lets you determine the lifetime of the cookie.

    ... expires=Mon, 01-Jan-2001 00:00:00 GMT ...

If Expires is not set explicitly, then it defaults to end-of-session. The length of a session can vary depending on browsers and servers, but generally a session is the length of time that the browser is open (even if the user is no longer at that site).

Path

The path parameter is potentially the most useful of the 4 optional cookie settings. It sets the URL path within which the cookie is valid. Pages outside of that path cannot read or use the cookie.

    ... path=/promo ...

If Path is not set explicitly, then it defaults to the URL path of the document creating the cookie. Netscape has identified a bug in VERY old versions of Navigator where the path must be specified if an expiration is specified. Furthermore, this path must be set to "/". For more information, browse Netscape's Cookie Spec at: http://www.netscape.com/newsref/std/cookie_spec.html

Domain

The domain parameter takes the flexibility of the path parameter one step further. If a site uses multiple servers within a domain, then it is important to make the cookie accessible to pages on any of these servers.

    ... domain=www.myserver.com ...

Cookies can be assigned to individual machines, or to an entire Internet domain. The only restriction on this value is that it must contain at least two dots (.myserver.com, not myserver.com) for the normal top-level domains, or three dots for the "extended" domains (.myserver.ny.us, not myserver.ny.us).

IMPORTANT: The server issuing the cookie must be a member of the domain that it tries to set in the cookie. That is, a server called www.myserver.com cannot set a cookie for the domain www.yourserver.com. The security implications should be obvious. If Domain is not set explicitly, then it defaults to the full domain of the document creating the cookie.

Secure

The secure parameter is a flag indicating that a cookie should only be used under a secure server condition, such as SSL. Since most sites do not require secure connections, this defaults to FALSE.

3.4 How do cookies end up on my hard drive?

After a cookie is transmitted through an HTTP header, it is stored in the memory of your browser. This way the information is quickly and readily available without re-transmission. As we have seen, however, it is possible for the lifetime of a cookie to greatly exceed the amount of time the browser will be open. In such cases, the browser must have a way of saving the cookie when you are not browsing, or when your computer is shut off. The only way the browser can do this is to move the cookies from memory onto the hard drive. This way, when you start your browser a few days later, you still have the cookies you had previously. The browser is constantly performing maintenance on its cookies. Every time you open your browser, your cookies are read in from disk, and every time you close your browser, your cookies are re-saved to disk. As a cookie expires, it is discarded from memory and is no longer saved to the hard drive.

3.5 What are all those entries in my cookies.txt file?

The layout of Netscape's cookies.txt file is such that each line contains one name-value pair. An example cookies.txt file may have an entry that looks like this:

    .netscape.com TRUE / FALSE 946684799 NETSCAPE_ID 100103

Each line represents a single piece of stored information. A tab is inserted between each of the fields. From left to right, here is what each field represents:

domain - The domain that created AND that can read the variable.
flag - A TRUE/FALSE value indicating if all machines within a given domain can access the variable. This value is set automatically by the browser, depending on the value you set for domain.
path - The path within the domain that the variable is valid for.
secure - A TRUE/FALSE value indicating if a secure connection with the domain is needed to access the variable.
expiration - The UNIX time that the variable will expire on. UNIX time is defined as the number of seconds since Jan 1, 1970 00:00:00 GMT.
name - The name of the variable.
value - The value of the variable.

3.6 Where does MSIE keep its cookies?

Microsoft keeps its cookies in different locations, depending on the version of Explorer and Windows you are using. The best way to find it is to use the Windows "Search" feature and look for the "Cookies" folder. More information can be found here. Although the location may be different, the format is the same. Each individual domain's cookies are stored in their own file, along with the username that accessed the site. For example, if I went to Yahoo.com, I would get a cookie that is stored in the file MyUsername@yahoo.txt. Note that the username is not sent with the cookie. See Section 2.10 for more information.

3.7 Are cookies Year 2000 Compliant?

There is no date-specific restriction on the HTTP header used to transmit cookies. In fact, the only determining factor in whether a cookie will be accepted is the programming of the client receiving the cookie. The major browsers do not have an issue with this. Cookies with expiration dates set with 2-digit or 4-digit years are understood properly. Naturally, it's always advisable to use 4-digit years when setting cookies.

4. ADVANCED TOPICS

4.1 Introduction

This section covers topics beyond those discussed above.

4.2 Creating a Cookie Value

Creating a cookie generally involves duplicating the HTTP cookie header in some fashion so that the browser will store the name-value pair in memory. Some languages expect an exact HTTP header to be sent, while others have built-in functions to help you speed the process along. Cookies can be set from the browser side or from the server side. The determining factor will be the language you use to create the cookie. Once the cookie is created, it should flow easily from server to client and back via the HTTP headers. There are limits on the contents of both the cookie string and the cookie file. These limits are partially imposed by HTTP and partially by arbitrary choice. They are as follows:
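The round trip described in Sections 3.2, 3.3 and 3.5, worked through as an added example (this code is not part of the FAQ or of any browser): parse_set_cookie splits a Set-Cookie value into the parameters listed in 3.3 and enforces the rule that the issuing server must belong to any domain it sets, to_netscape_line writes the seven tab-separated cookies.txt fields of 3.5, and cookie_header builds the Cookie request header of 3.2 from the stored lines a given URL is allowed to receive. The issuing host www.coolsite.com, the sample URL and the "now" timestamp are constructed for the example; the Set-Cookie value itself is the FAQ's own.

```python
import calendar, time
from urllib.parse import urlsplit

EXPIRES_FMT = "%a, %d-%b-%Y %H:%M:%S GMT"  # layout of the FAQ's expires values
# Constructed sample: the FAQ's own Set-Cookie example, taken as issued by www.coolsite.com.
SAMPLE_SET_COOKIE = "foo=bar; path=/; expires=Mon, 09-Dec-2002 13:46:00 GMT"

def parse_set_cookie(header, origin_host, origin_path="/"):
    """Section 3.3: split a Set-Cookie value into its parameters and enforce the domain rule
    (the issuing server must belong to the domain, and the domain needs at least two dots)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {k.lower(): v for k, _, v in (a.partition("=") for a in parts[1:])}
    cookie = {"name": name, "value": value, "domain": origin_host.lower(),
              "path": attrs.get("path", origin_path), "expires": 0, "secure": "secure" in attrs}
    if "expires" in attrs:  # kept as UNIX time, the way cookies.txt stores it (Section 3.5)
        cookie["expires"] = calendar.timegm(time.strptime(attrs["expires"], EXPIRES_FMT))
    if "domain" in attrs:
        dom = attrs["domain"].lower()
        if dom.count(".") < 2 or not ("." + origin_host.lower()).endswith(dom):
            raise ValueError(f"{origin_host} may not set a cookie for {dom}")
        cookie["domain"] = dom
    return cookie

def to_netscape_line(c):
    """Section 3.5: one tab-separated cookies.txt line; flag is TRUE for a leading-dot domain."""
    flag = str(c["domain"].startswith(".")).upper()  # TRUE: every host in the domain may read it
    return "\t".join([c["domain"], flag, c["path"], str(c["secure"]).upper(),
                      str(c["expires"]), c["name"], c["value"]])

def cookie_header(netscape_lines, url, now):
    """Section 3.2: Cookie request header value from the cookies.txt lines that `url` may receive."""
    u = urlsplit(url)
    host, path, sent = u.hostname.lower(), u.path or "/", []
    for line in netscape_lines:
        domain, flag, cpath, secure, expires, name, value = line.split("\t")
        host_ok = ("." + host).endswith(domain) if flag == "TRUE" else host == domain
        if not host_ok or not path.startswith(cpath):
            continue
        if (secure == "TRUE" and u.scheme != "https") or 0 < int(expires) < now:
            continue  # wrong channel, or expired and therefore discarded (Section 3.4)
        sent.append(f"{name}={value}")
    return "; ".join(sent)

def demo(now=1000000000):  # UNIX time in September 2001, before the sample cookie expires
    line = to_netscape_line(parse_set_cookie(SAMPLE_SET_COOKIE, "www.coolsite.com"))
    return cookie_header([line], "http://www.coolsite.com/promo/x.html", now)
```

Session cookies (no expires) are stored with 0 in the expiration field and never age out here; a stored cookie whose expiration is behind `now` is dropped exactly as Section 3.4 describes.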