User:Bad romance g/ FAQ

1. INTRODUCTION

Cookies are a very important method for maintaining state on the Web. "State" in this case refers to an application's ability to work interactively with a user, remembering all data since the application started, and differentiating between users and their individual data sets.

An analogy I like to use is a laundry cleaner's shop. You drop something off, and get a ticket. When you return with the ticket, you get your clothes back. If you don't have the ticket, then the laundry man doesn't know which clothes are yours. In fact, he won't be able to tell whether you are there to pick up clothes, or a brand new customer. As such, the ticket is critical to maintaining state between you and the laundry man.

Unfortunately, HTTP is a "stateless" protocol. This means that each visit to a site (or even clicks within a site) is seen by the server as the first visit by the user. In essence, the server "forgets" everything after each request, unless it can somehow mark a visitor (that is, hand him a "laundry ticket") to help it remember. Cookies can accomplish this.

1.1 What is a Cookie?

A cookie is a text-only string that gets entered into the memory of your browser. It is the value of a variable that a website sets. If the lifetime of this value is set to be longer than the time you spend at that site, then this string is saved to file for future reference.

1.2 Where did the term cookies come from?

According to an article written by Paul Bonner for Builder.Com on 11/18/1997:

"Lou Montulli, currently the protocols manager in Netscape's client product division, wrote the cookies specification for Navigator 1.0, the first browser to use the technology. Montulli says there's nothing particularly amusing about the origin of the name: 'A cookie is a well-known computer science term that is used when describing an opaque piece of data held by an intermediary. The term fits the usage precisely; it's just not a well-known term outside of computer science circles.'"

1.3 Why do sites use Cookies?

There are many reasons a given site would wish to use cookies. These range from personalizing information (like on My Yahoo or Excite), to helping with on-line sales/services (like on Amazon Books or eBay), to simply collecting demographic information (like DoubleClick). Cookies also provide programmers with a quick and convenient means of keeping site content fresh and relevant to the user's interests. The newest servers use cookies to help with back-end interaction as well, which can improve the utility of a site by being able to securely store any personal data that the user has shared with a site (to help with quick logins on your favorite sites, for example).

1.4 Where Can I Get More Information?

Cookie Central is dedicated to answering questions about cookies. Feel free to look around.

There's a great article concerning cookies on Marshall Brain's "How Stuff Works". It goes even deeper than this FAQ does, especially in the realm of public opinion. Worth a look!

The World Wide Web Consortium has an excellent FAQ to answer the majority of Internet and Web-related questions. You can read their topic: "Do 'Cookies' Pose any Security Risks?"

In addition, there is an abundance of resources on the Internet that can help you find answers to your cookie questions. Conveniently, Yahoo has a great listing of them. I encourage you to stop by and check the list out!


2. GENERAL QUESTIONS/MISCELLANEOUS

2.1 Introduction

This section is devoted to general questions on cookies and their usage.

2.2 Can I delete cookies?

Yes. Whether you use Internet Explorer or Netscape, your cookies are saved to a simple text file that you can delete as you please.

In order to do this properly, remember to close your browser first. This is because all your cookies are held in memory until you close your browser. So, if you delete the file with your browser open, it will make a new file when you close it, and your cookies will be back.

Remember that deleting your cookie file entirely will cause you to "start from scratch" with every web site you usually visit. So, it may be preferable to open the cookies.txt file (in the case of Netscape) and remove only the entries you don't like, or go to the cookies folder (in the case of IE) and delete the files matching servers you don't want.

2.3 How do I set my browser to reject cookies?

Both Internet Explorer and Netscape allow some level of cookie verification. They both have menu options that allow you to accept all, some, or none of your incoming cookies. In addition, the "warn before accepting" feature is present in both, if you want to screen your incoming cookies.

In Netscape, go to the Edit/Preferences/Advanced menu. Your cookie choices can be changed there.

Microsoft has changed their approach to cookies over the last 3 versions of their browser. This is a reflection of how cookies have been thrust into the limelight of privacy on the Internet:

In IE 6.0, go to the Tools/Internet Options/Privacy menu. This menu allows you to select how discriminating the browser will be when accepting cookies, based on two factors -- (1) the source of the cookie, and (2) whether the source has a "privacy policy." There are also features for the advanced user, if you'd like to have a greater control over cookies.

In IE 5.0, go to the Tools/Internet Options/Security menu. In there, you can choose the security level for 4 different browsing conditions: Internet Sites, Local Sites, "Trusted" Sites, and Restricted Sites. If you select "Internet," and click on Custom Level, you'll get a dialog box where you can accept all, warn before accepting, or reject all cookies.

In IE 4.0, go to the View/Internet Options/Advanced menu. There you can accept all, warn before accepting, or reject all.

Once a cookie is rejected, it is thrown out and not saved to memory or disk. Don't forget, though, that servers will keep looking for the cookie even if you have discarded it and may try to replace it as you surf around.

This fact is almost comical in nature. Essentially, by removing the way to tell the server to not send cookies, it can't remember to not send you any cookies the next time!

2.4 Are Cookies Dangerous to My Computer?

NO. A cookie is a simple piece of text. It is not a program, or a plug-in. It cannot be used as a virus, and it cannot access your hard drive. Your browser (not a programmer) can save cookie values to your hard disk if it needs to, but that is the limit of the effect on your system.

2.5 Will cookies fill up my hard drive?

Both Netscape and Microsoft have measures in place that limit the number of cookies that will be saved on your hard drive at one time.

Both Internet Explorer and Netscape conform to the RFC 2109 limits, which cap your total cookie count at 300 (this includes a limit of 20 cookies per individual domain). If you exceed this, the browser will discard your least-used cookies to make room for the new ones.

Microsoft saves cookies into the "Temporary Internet Files" folder, a system folder that you can set the maximum size of (the default is 2% of your hard drive).

In any event, remember that most cookie files are 4KB or smaller, so you would need about a million cookies to fill up a 4GB drive. This is incredibly unlikely.

2.6 Are Cookies a Threat to My Privacy?

The sad truth is that revealing any kind of personal information opens the door for that information to be spread.

Consider the growing trend of technology conveniences in our lives. We use "frequent buyer" cards at supermarkets and gas stations. We place electronic tags on our cars to pay tolls faster and easier. We let banks pay our bills for us automatically each month without checks.

While each of these technologies (and others like them) has made our lives more convenient, each use exposes us to a loss of privacy. Stores know what foods you eat. Gas stations know how much you spend on gas per fill-up. Turnpike operators know how fast you drive on their highways. Banks know how you spend your money each month.

It's the same with cookies. In fact, one may argue that cookies in the long-run will be less damaging to privacy efforts than those technologies described above. If you're going to single-out cookies as your sole vulnerability to personal privacy, you should re-examine how you live your daily life.

The never-ending ethical debate associated with these facts shall be left to other forums. However, it is wise to consider carefully the information you collect and share over the Internet.

2.7 Sites are telling me I need to turn on cookies, but they are on. What's wrong?

There are three likely possibilities for problems like this. Firstly, the site you are visiting may be detecting cookies improperly. As a result, it may appear to the site that you are rejecting cookies when in fact you are not.

Another possibility is that you may be running software that interferes with cookie usage. There are many filtering and blocking software packages available for Internet users these days, and many of them also filter cookies. If you are running software like this, then your computer may not receive or send cookies. This will cause sites you visit to assume you are not accepting cookies.

Finally, your machine may be behind a firewall or proxy server that prevents cookie transmission. This is most likely in a corporate environment. So, regardless of how your browser is set, cookies won't be sent or received by your browser. Since the cookies aren't making it through to your browser, the Web Site will assume you personally aren't accepting them.

2.8 I deleted my cookies, and I can't log-on to my favorite site anymore. What can I do?

Many sites use a cookie to keep track of your settings on their servers, and to help you log in to their site. If you lose your cookie, that site cannot recall your settings for you to use.

If this happens to you, the best thing you can do is contact that site's webmaster or customer service department.

2.9 How did I get a cookie from doubleclick? I've never been there!

In section 3.3, we'll see that a server cannot set a cookie for a domain that it isn't a member of. However, almost every Web user has gotten a cookie from "ad.doubleclick.net" at one time or another, without ever visiting there. DoubleClick and other advertisers have employed a clever solution that enables them to track users and serve media content without violating this rule.

Most sites on the Internet do not keep their advertisements locally. Rather, they subscribe to a media service that places those ads for them. This is accomplished via a simple HTML call to the media service. When a page is requested, it is assembled through many HTTP requests by the browser. First, there is a request for the HTML itself. Then, everything the HTML needs is requested, including images, sounds, and plug-ins.

The call to the media service is an HTTP request for an image. Once the request is made to the media service, it can return more than just an ad. It can also return a cookie. Or, if it has given the user a cookie previously, it can read that first, and check to see what ad to send. The net result is that the user gets a cookie from the media service without ever having visited it.

This usage of cookies is the most controversial, and has led to the polarized opinions on cookies, privacy, and the Internet.
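The request flow from section 2.9 can be simulated offline. The sketch below is an added example, not part of the original FAQ: the hosts (news.example, shop.example, ads.example), the cookie name "uid" and the use of the Referer header by the ad server are assumptions made for illustration. It shows the ad host's cookie being returned on every page that embeds its image, the domain rule being enforced, and the effect of refusing third-party cookies.

```python
# Added illustration: hosts, cookie name and values are constructed.
from http.cookies import SimpleCookie
from itertools import count

AD_HOST = "ads.example"          # stands in for the media service

class AdServer:
    """Answers image requests; hands out an ID cookie on first contact."""
    def __init__(self):
        self.ids = count(1)
        self.seen = {}           # visitor id -> pages that embedded the ad

    def __call__(self, headers):
        sent = SimpleCookie(headers.get("Cookie", ""))
        new = "uid" not in sent
        uid = f"v{next(self.ids)}" if new else sent["uid"].value
        self.seen.setdefault(uid, []).append(headers.get("Referer"))
        return f"uid={uid}; Domain={AD_HOST}; Path=/" if new else None

class Browser:
    def __init__(self, block_third_party=False):
        self.jar = {}            # responding host -> {name: value}
        self.block = block_third_party

    def fetch(self, server, host, page_host):
        skip = self.block and host != page_host      # third-party request
        mine = {} if skip else self.jar.get(host, {})
        reply = server({"Cookie": "; ".join(f"{k}={v}" for k, v in mine.items()),
                        "Referer": f"http://{page_host}/"})
        if not reply or skip:
            return
        parsed = SimpleCookie()
        parsed.load(reply)
        for name, morsel in parsed.items():
            domain = morsel["domain"].lstrip(".") or host
            # A server can only set cookies for a domain it belongs to.
            if host == domain or host.endswith("." + domain):
                self.jar.setdefault(host, {})[name] = morsel.value

def browse(sites, block_third_party=False):
    ads, browser = AdServer(), Browser(block_third_party)
    for site in sites:
        browser.fetch(lambda h: None, site, site)    # the page's own HTML
        browser.fetch(ads, AD_HOST, site)            # <img> from the ad host
    return browser.jar, ads.seen

if __name__ == "__main__":
    print(browse(["news.example", "shop.example"]))
    print(browse(["news.example", "shop.example"], block_third_party=True))
```

With third-party cookies refused, the ad host still receives each image request but can no longer tie the two page views to one visitor ID.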

2.10 I looked at my Internet Explorer cookies, and they had my username on them! Can servers see my username?

Because Windows systems allow more than one user to login and use programs, Microsoft had to come up with a way to keep each user's cookies separate on a given machine. This can be common in workplaces, where a single machine is shared by many employees.

This is accomplished by appending the username to the cookie file name. This way, both Jane Doe and Joe Smith can get cookies from coolsite.com and they don't get over-written. Also, this stops Jane from using Joe's cookies while she's surfing, since the browser will only use her cookies when she is logged in. That is, the cookie file:

jdoe@coolsite.txt

contains Jane Doe's cookie for coolsite.com. If anyone else logs in, then this cookie is not used.

This is the only reason that the username is part of the cookie file name. The username does not get sent to the server with the cookie data.

2.11 There are two extra files in my Cookies folder called Mm256.dat and Mm2048.dat. What are they?

You can read more about this on Microsoft's