Note: My Web pages are best viewed with style sheets enabled.

Unrated

About Those Cookies…

Copyright © 1999-2001, 2003, 2008 by David E. Ross

What Are Cookies?

A cookie is a small package of data describing your Web-surfing activities. When you request a Web page, you send a message to the page's Web server. The server returns the files needed by your browser client to display the page. Before those files are sent, however, the server sends some header messages describing those files. Those messages might include a cookie, which contains the following data:

• Domain: The name of the server identified with the cookie (e.g.: www.rossde.com).
• Path: The location of the Web file for the page associated with the cookie. The combination of Domain and Path completely identify the Web page. However, Path might be omitted (specified merely as /) in which case the cookie applies to the whole Domain.
• Security flag: This is TRUE if the cookie can be accessed only by a secure Web page. It is FALSE if unsecure Web pages can also access the cookie.
• Expiration date: Your Web browser will automatically expire and erase the cookie this many seconds after 1 January 1970 00:00:00 UTC.
• Name or ID: Each cookie is named. This allows multiple cookies for the same Web page to be distinguished.
• Value: This can be taken from some input you sent (e.g.: on a Web form), a count of the number of times you have requested this Web page, the user ID by which you access a Web account, etc. The value of a cookie might actually contain many subvalues, each with its own identifier.

The cookie

   .netscape.com     TRUE   /  FALSE  946684799   NETSCAPE_ID  100103

Notice that a cookie does not contain any executable software, just data. The next time you request a Web page for which you already have a cookie, the IDs and their associated values are included in the request message you send to the page's Web server. Thus, the Web server can track your accesses to specific Web pages.

Although a Web page can only set a cookie for its own domain, a Web page can cause cookies to be set for other domains. If a page requests images or other files from other domains, the Web servers for those domains can then set cookies. Thus, visiting a news site that displays advertisements from other sites can set cookies for a number of different domains.

While many cookies are written into your cookies file on your computer's hard drive (cookies.txt on a PC), some cookies are intended for memory only. These are erased when you exit your Web browser application.

How Are They Used?

In general, a cookie tracks your request for a Web page and what you do as a result of browsing that page.

• If you buy three books through Thames.com — a cookbook, a baseball encyclopedia, and a murder mystery novel — a cookie is set when you receive the acknowledgment Web page. The value in that cookie contains your account number (an arbitrary identifier which had just been created by Thames.com). In the meantime, Thames.com has created a database entry for your new account, containing the genre of books you bought. The next time you access Thames.com, the cookie is returned with the request for their Web page. Featured on that Web page will be advertisements for a cookbook, a sports book, and a mystery novel. You go to Maps-R-Us to print a map showing how to drive to the new home of your in-laws. A cookie is set with your ID. The next time you go to Maps-R-Us, the Web page is preset with your in-laws' address.
• A number of major software developers maintain Web services for receiving and answering questions about the uses of their products. For some reason, they want individuals who use those services to register. (Perhaps, they are comparing that registration with the registrations of their products.) To use these services, you must provide a user ID and password. Either you can manually type the ID and password every time you request the Web page that leads into such a service, or else you can allow a cookie to be set with the value combining both items. In the latter case, when you next request that service, the cookie returns to the Web server and provides automatic entry of your ID and password.
• The designer of a Web site has become far too impressed with his own skills and the capabilities of Web technology. He has designed pages that are overly complicated. When you go to one page, you are automatically routed to a subsequent page. The only way you can use the Back key to exit from this mess is if the path by which you entered is recorded in a series of cookies that indicate for each page you were previously there (thus preventing the automatic progress to the next page, the page you are trying to leave). I know of one government agency where the Web designer ran amok; navigating that agency's Web site caused over a dozen cookies to be set for no reason other than allowing the user to backtrack. These should have been memory-only cookies, but instead they were written to the user's hard drive.
• Secure Web pages (e.g.: for viewing your bank account) sometimes use memory-only cookies to support the necessary encryption. The cookie's value might be an encryption or decryption key.
• You are interested in five different stocks, and you frequently want current quotes. You go to YeeHaw and enter the symbols, which means you first had to look up those symbols. This is a real bother. However, YeeHaw allows you to establish a query account. Then, when you enter the symbols for those stocks, the Web page displaying the quotes comes with a cookie containing your account ID. The symbols are entered into YeeHaw's database. The next time you go to YeeHaw for quotes, the quote Web page displays automatically because your request sent the cookie back to identify your query account.

I am quite sure you can see other uses for cookies. On the other hand, there are a number of things a cookie cannot do.

• Cookies cannot execute software on your PC or Mac.
• A cookie for one domain cannot cause cookies for other domains to be read.
• Cookies cannot send your E-mail address to anyone, unless you gave your E-mail address to a Web page that then put the address into the value of a cookie sent with the next page.
• Cookies cannot erase your disc or change your software. (That can be done by downloaded software, which you might not even know was downloaded.)

However, see GeoCities and Yahoo below on how cross-domain cookies can indeed occur and how your E-mail address or other personal information can be compromised.

Why Is Anyone Concerned?

You might not be concerned if a supermarket, gas station, public library, or drug store records how many times you enter their facility. But would you be concerned about someone keeping track of how many times you went into a liquor store? If you are a man, would you want someone else to have a record not only of how many times you went into a drug store but also of how many times you bought an ointment for "jock itch" or condoms (and what brands)? If you are a woman, would you want a record of what brand of pregnancy test you bought for cash, especially when your husband had a vasectomy five years ago?

Using cookies to identify you, Web sites can indeed maintain such records. With dial-up Internet connections, they might not be able to correlate their records with your actual identity, but they can identify the ISP and even the POP through which you connected to the Internet. With dedicated connections (e.g., DSL, cable modem), your actual identity can be determined. Even with a dial-up connection, if you input any identifying information on a Web form, that information can easily be tied to a cookie. Thus, the owner of a Web site can accumulate a profile about your Web-surfing activities and even connect that profile to an actual person — YOU. This is an issue of privacy and controlling information about how you live your own life.

But What Can You Do About Cookies?

First of all, do not set your Web browser to reject or disable cookies. As described above, some memory-only cookies are needed to navigate through complicated Web pages or to use secure Web pages. Often, Web pages that write cookies will not load if you reject cookies. Also, do not set your Web browser to warn you about cookies. You will soon become very annoyed at having to respond to each cookie.

The best solution is to find your cookies file — named cookies.txt on PCs — and set the properties to read-only. Web pages will then think they are setting cookies, but the entries will disappear when you exit your browser. Each time you request an affected Web page, it will be as if you are a first-time visitor. In the meantime, memory-only cookies will not be affected. Indeed, all cookies will then become memory-only, erased when you exit your Web browser. Even then, you might consider exiting and then restarting your browser after sending personal information on a Web form. That way, you have also limited the accumulation of data from memory-only cookies.

To summarize:

• Use a dial-up Internet connection or some other connection that results in a dynamic (changing) IP address. This makes tracking your Web-surfing activities by IP address impossible.
• Make your cookies file read-only. Leave it that way, which will cause all cookies to be memory-only.
• After browsing a particular Web site that you do not want anyone to relate with any other Web site you might browse, terminate your browser and then restart it before browsing any other site. This will cause memory-only cookies to be forgotten, which may be especially important if you enter personal data into a Web form or if you click through to an advertisement on a Web page.

This should prove effective in defeating even DoubleClick's tracking of who views its advertisements across unrelated Web sites.

But what about the cookies that you want? You do get stock quotes from YeeHaw and you frequently request technical help from various software developers. In this case, you should do the following:

• Exit your browser, and be sure it really has terminated. (With Windows, use Ctrl-Alt-Delete to check the Close Program window to see if the browser is still running; wait until it stops.)
• Change the properties of the cookies file so that it is read-write and not read-only. (Note: If you do this before the browser is completely terminated, you risk having unwanted cookies written to your cookies file.)
• Start your browser.
• Go to the Web site you want. Navigate only in that site.
• Exit your browser again, and again be sure it really has terminated. The cookies are written to the file only during termination.
• Change the properties of the cookies file so that it is again read-only.

The next time you request that Web site, its cookies will be sent with the request. You can leave the cookies file read-only until you need a new or replacement cookie written there. (Remember, cookies do have expiration dates, although some expire only after many years.)

A Browser Solution

Newer browsers contain cookie managers. I use SeaMonkey, whose cookie manager has the following features:

• It can disable (prevent) all cookies, disable cookies from Web sites other than the one being browsed, enable all cookies, or selectively enable cookies based on the privacy settings of the Web site being browsed.
• Overriding general controls that disable or enable cookies, it can create a list of sites that are prohibited from setting cookies and sites that are permitted to set cookies.
• Display the contents of a selected cookie.
• Remove selected cookies.

These features are generally found in Gecko-based browsers, including Firefox and Camino.

Other Cookies

Be aware that software other than Web browsers might set cookies, too. For example, RealPlayer sets cookies according to the streaming broadcasts you receive and the advertisements those broadcasts contain. It uses a cookies.txt file that is located in its own directory. While RealPlayer does have an option to suppress the use of cookies, I also set the file to read-only.

Other software may also establish cookies files. The files might not even be named cookies.txt. In some cases, it appears that the files are related to "live update" capabilities that automatically download and install upgrades to the software setting the cookies. (Both for security reasons and also because I want to maintain a log of all updates, I always disable automatic updates.)

GeoCities and Yahoo

I like the stock quotations available through Yahoo. Because I generally want quotes for a specific list of stocks and I don't want to bother remembering and inputting that list every time, I created a personal Yahoo profile and a "portfolio" (a list of stocks). Privacy issues did not concern me because I do not own all the stocks in the portfolio and because I did not enter any specific information about those stocks that I do own (e.g.: numbers of shares, purchase prices). Thus, personal information about my finances would not really be exposed.

Creating my profile and portfolio involved establishing an ID and password. Since I was not concerned about privacy, I allowed cookies to be set so that I would not have to enter the ID and password every time I wanted to see the current quotes for the stocks that interest me. The cookies had expiration dates. I also provided some personal identifying data to Yahoo: my real name, E-mail address, community, and ZIP code. (But I declined to give my street address or phone number.)

One of my hobbies is surfing the Internet. Occasionally, this leads me into personal Web sites created by various individuals at GeoCities. While some of those sites are quite interesting, they can also be "unusual" or "non-standard" to the extent that I really do not want anyone else to know I browse them. I am not concerned about anyone capturing my IP address while I surf Web sites at GeoCities; I have a dial-up Internet connection that gives me a different IP address every time I connect.

Yahoo bought GeoCities in 1999, after which I discovered a serious privacy problem. When my Yahoo cookies expired at the end of that year, the new cookies specified domains as .yahoo.com. This means they would be retrieved not only for finance.yahoo.com but also for www.yahoo.com and any other domain ending in .yahoo.com. In the meantime, the GeoCities server inserted code into its Web pages that caused banners or other Web fragments to be retrieved from Yahoo. In combination with the generalized Yahoo cookie domain, this means that every time I accessed a GeoCities Web site, my Yahoo profile was exposed. This profile contains all the personal data I supplied when I created my profile and portfolio for checking stock prices, contravening my desire to surf GeoCities Web sites anonymously. Although the owners of the GeoCities Web sites might not have access to my profile, Yahoo indeed had such access and could thus track my Web browsing habits.

I would not have discovered this problem if I had not seen my Yahoo ID appear in a welcoming message at the top of a GeoCities Web page. I immediately shut down my browser, opened my cookies.txt file in Wordpad, and deleted all Yahoo entries. Now, whenever I get a stock quote, not only do I have to enter my ID and password, but I also have to remember to sign out. Then, before I surf any Web sites hosted by GeoCities, I shut down Netscape and then restart it to purge any .yahoo.com cookies remaining in memory.

More Information

More information about cookies — including technical details about their structure — is available from the following links:

• Internet Cookies by the U. S. Department of Energy's Computer Incident Advisory Center.
• Cookies FAQ, which has introductory, fundamental, and advanced information on the use of cookies.
• The HTTP cookie entry in Wikipedia.

Information about other links is always welcome.

Last updated 15 August 2008

"Internet" Table of Contents

David Ross home

E-mail