Cookies




Understanding cookies

Some Web sites store information in a small text file, called a "cookie," on your hard disk. Cookies contain information about you and your preferences. For example, if you inquire about a flight schedule at an airline's Web site, the site might create a cookie that contains your itinerary. Or it might only contain a record of which pages within the site you visited, to help the site customize the view for you the next time you visit.

Only the information that you provide, or the choices you make while visiting a Web site, can be stored in a cookie. For example, the site cannot determine your e-mail name unless you choose to type it. Allowing a Web site to create a cookie does not give that or any other site access to the rest of your computer, and only the site that created the cookie can read it.

Internet Explorer is set up to allow the creation of cookies; however, you can specify that you be prompted before a site puts a cookie on your hard disk, so you can choose to allow or disallow the cookie; or you can prevent Internet Explorer from accepting any cookies.

You can specify different settings for different security zones. For example, you might want to allow Web sites to create cookies if they are in your Trusted sites or Local intranet zone, prompt you before creating cookies if they are in your Internet zone, and never allow cookies if they are in your Restricted sites zone.


Details
In an article on Internet privacy in a large, respected newspaper, they defined cookies essentially as this:

Definitions like that are fairly common in the press. The problem is, none of that information is correct. Cookies are not programs, and they cannot run like a program does. Therefore they cannot gather any information on their own. Nor can they collect any personal information about you from your machine. Here is a valid definition of a cookie:

If you use Internet Explorer to browse the web, you can see all of the cookies that are stored on your machine. The most common place for them to reside is in a directory called c:\windows\cookies. When I look in that directory on my machine, I find 165 files. Each file is a text file that contains name-value pairs, and there is one file for each web site that has placed cookies on my machine.

You can see in the directory that each of these files is a simple, normal text file. You can see which web site placed the file on your machine by looking at the file name (the information is also stored inside the file). You can open each file up by clicking on it.

For example, I have visited goto.com, and the site has placed a cookie on my machine. The cookie file for goto.com contains the following information:


    UserID    A9A3BECE0563982D    www.goto.com/

What goto.com has done is store a single name-value pair on my machine. The name of the pair is UserID, and the value is A9A3BECE0563982D. The first time I visited goto.com, the site assigned me a unique ID value and stored it on my machine. [Note that there probably are several other values stored in the file after the three shown above. That is housekeeping information for the browser.]

Amazon.com stores a bit more information on my machine. When I look at the cookie file Amazon has created on my machine, it contains the following:


    session-id-time    954242000    amazon.com/
    session-id    002-4135256-7625846    amazon.com/
    x-main    eKQIfwnxuF7qtmX52x6VWAXh@Ih6Uo5H    amazon.com/
    ubid-main    077-9263437-9645324    amazon.com/

It appears that Amazon stores a main user ID, an ID for each session, and the time the session started on my machine (as well as an x-main value, which could be anything).

The vast majority of sites store just one piece of information -- a user ID -- on your machine. But there really is no limit -- a site can store as many name-value pairs as it likes.

A name-value pair is simply a named piece of data. It is not a program, and it cannot "do" anything. A web site can retrieve only the information that it has placed on your machine. It cannot retrieve information from other cookie files, nor any other information from your machine.


How Does Cookie Data Move?
As you just read, cookie data is simply name-value pairs stored on your hard disk by a Web site. That is all that cookie data is. The Web site can store the data, and later it receives it back. A Web site can only receive the data it has stored on your machine. It cannot look at any other cookie, nor can it look at anything else on your machine.

The data moves in the following manner:

If you type the URL of a Web site into your browser, your browser sends a request to the Web site for the page. For example, if you type the URL http://www.amazon.com into your browser, your browser will contact Amazon's server and request its home page.

When the browser does this, it will look on your machine for a cookie file that Amazon has set. If it finds an Amazon cookie file, your browser will send all of the name-value pairs in the file to Amazon's server along with the URL. If it finds no cookie file, it will send no cookie data.

Amazon's Web server receives the cookie data and the request for a page. If name-value pairs are received, Amazon can use them.

If no name-value pairs are received, Amazon knows that you have not visited before. The server creates a new ID for you in Amazon's database and then sends name-value pairs to your machine in the header for the Web page it sends. Your machine stores the name-value pairs on your hard disk.

The Web server can change name-value pairs or add new pairs whenever you visit the site and request a page.

There are other pieces of information that the server can send with the name-value pair. One of these is an expiration date. Another is a path (so that the site can associate different cookie values with different parts of the site).

You have control over this process. You can set an option in your browser so that the browser informs you every time a site sends name-value pairs to you. You can then accept or deny the values.
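The round trip described above, written out as an added example (not code from the original page): a minimal browser-side cookie store and a server that issues a UserID on first visit, showing site isolation, path scope, expiry and the accept/deny prompt. The `Jar`, `server` and `visit` names, the host `other.example`, the expiry date and the simplified matching rules (exact host, prefix path) are assumptions; the goto.com host and UserID value are the ones quoted on this page.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

class Jar:
    """Browser side. Simplified: exact host match and prefix path match."""
    def __init__(self, accept=lambda host, name, value: True):
        self.store = {}        # (host, path, name) -> (value, expiry or None)
        self.accept = accept   # stands in for the browser's accept/deny prompt

    def save(self, host, set_cookie):
        parsed = SimpleCookie()
        parsed.load(set_cookie)
        for name, m in parsed.items():
            if self.accept(host, name, m.value):
                exp = parsedate_to_datetime(m["expires"]) if m["expires"] else None
                self.store[(host, m["path"] or "/", name)] = (m.value, exp)

    def cookie_header(self, host, path, now):
        # Only pairs this host stored, in scope for the path, and not expired.
        return "; ".join(
            f"{name}={value}"
            for (h, p, name), (value, exp) in self.store.items()
            if h == host and path.startswith(p) and (exp is None or exp > now))

def server(cookie_header, new_id):
    """Hypothetical site logic: returns (user id, Set-Cookie header or None)."""
    received = SimpleCookie()
    received.load(cookie_header)
    if "UserID" in received:
        return received["UserID"].value, None           # returning visitor
    return new_id, (f"UserID={new_id}; Path=/; "
                    "Expires=Wed, 01 Jan 2031 00:00:00 GMT")  # first visit

def visit(jar, host, path, now, new_id):
    """One request/response round trip; returns (Cookie header sent, user id)."""
    sent = jar.cookie_header(host, path, now)
    user_id, set_cookie = server(sent, new_id)
    if set_cookie:
        jar.save(host, set_cookie)
    return sent, user_id

if __name__ == "__main__":
    jar, now = Jar(), datetime(2030, 1, 1, tzinfo=timezone.utc)  # constructed date
    print(visit(jar, "www.goto.com", "/", now, "A9A3BECE0563982D"))  # first visit
    print(visit(jar, "www.goto.com", "/search", now, "UNUSED"))      # ID sent back
    print(visit(jar, "other.example", "/", now, "B7"))               # sees no goto.com data
```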


How Do Web Sites Use Cookies?
Cookies evolved because they solve a big problem for the people who implement web sites. In the broadest sense, a cookie allows a site to store state information on your machine. This information lets a web site remember what state your browser is in. An ID is one simple piece of state information -- if an ID exists on your machine, the site knows that you have visited before. The state is, "Your browser has visited the site at least one time", and the site knows your ID from that visit.

Web sites use cookies in many different ways. Here are some of the most common examples: