HTTP Cookie


When you open a website, your browser makes a connection to a server with a request to send you data. The server checks the semantics of the request you sent and, if everything is alright, sends you the required data. But there are situations where data needs to be maintained across more than one request. This is made possible by an HTTP cookie, which stores some stateful information between multiple requests.

It may happen that you visit a website to shop for some items and add, say, ten items to your shopping cart. Now, if you close your browser accidentally before checking out of the online store, you will have to add all those ten items again. But if the website saves a small token (called an HTTP cookie) on your computer whenever you request data, this problem can be solved.

Communication between a computer and server for the first time.

So whenever you add an item to your shopping cart and the website shows you the “Item added to shopping cart” message, it also saves the list of all items in your shopping cart in a cookie. The next time you open the website, your browser will automatically send this cookie to the server along with the request for data, and the server will process the contents of the cookie and automatically add those ten items to your shopping cart.

Subsequent communication between a computer and server.

Another important use of cookies is to check whether a user is logged in to a system or not. This is done by storing some data in the cookie which lets the system know that the user is logged in.

Some of the characteristics of cookies are:

  1. Usually, the data stored in cookies is not encrypted.
  2. A web browser may place a limit on how many cookies can exist for a particular website.
  3. Cookies are domain-specific, i.e. a website A cannot read the cookies of another website B.
  4. Every web browser stores its cookies at a different location.
  5. Web browsers may limit the amount of data that can be stored in a cookie.
  6. A user may be able to delete or edit cookies through the web browser or other software.

Some of the types of cookies are as follows:

  1. Session cookie – This cookie exists while the user is navigating the website and gets deleted when the user exits the website. Thus, this cookie tracks one session of a user on a particular website.
  2. Persistent cookie – This cookie expires on a particular date and time or after some duration of time.
  3. Secure cookie – Normal cookies can be intercepted in transit by an attacker using techniques like sniffing your internet traffic, which reveals the contents of the cookie. Secure cookies avoid this issue because the browser only transmits them over an encrypted connection (HTTPS).
  4. Third-party cookie – If you are browsing a website A and it stores cookies for another website B, then A is storing a third-party cookie on your system.

Some of the uses of cookies are:

  1. A cookie can be used to store the state of the user's interaction with the website and reuse that data in further requests (e.g. how many items the user has in their shopping cart).
  2. A website may use cookies to keep a count of unique visitors by assigning a unique ID for every visitor.
  3. Cookies can be used to analyse the behaviour of a user by tracking which pages they visit on a website.
  4. A website may store preferences and settings of the user in cookies.

The biggest problem with cookies is that, since they store stateful information, an attacker who gets access to them may be able to access all your personal data stored on the website whose cookie was stolen. Many websites store session information, including a secret token that tells the server the user is logged in; if such data is stolen, the attacker can pretend to be you by sending that same cookie to the server. This is called session hijacking, and it is possible by sniffing internet traffic or by guessing the session information when it is predictable in nature. Besides, if an attacker is able to set the data in a user's cookie, the attacker can impersonate a genuine user by presenting the same data in a cookie of their own.
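As an added example (not code from the original post), here is a small Python audit that applies the points above to raw Set-Cookie headers: it classifies each cookie as session or persistent, flags a missing Secure attribute, and flags session tokens that are predictable (a plain counter or a short, low-entropy value). The cookie names, the 64-bit entropy threshold and the sample headers are assumptions made for the example.

```python
import math
import secrets
from collections import Counter

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs); attribute names are lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flag attributes such as Secure map to ""
    return name.strip(), value, attrs

def shannon_bits(value):
    """Rough entropy estimate in bits: per-character Shannon entropy times token length."""
    if not value:
        return 0.0
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(value).values())
    return per_char * n

def audit_cookie(header, session_names=("sessionid",)):
    """Classify a Set-Cookie header as session/persistent and list the weaknesses described above."""
    name, value, attrs = parse_set_cookie(header)
    kind = "persistent" if ("expires" in attrs or "max-age" in attrs) else "session"
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie would also be sent over plain HTTP")
    if name.lower() in session_names:          # assumed names of login/session cookies
        if value.isdigit():
            findings.append("session value is a plain number: predictable, easy to guess")
        elif shannon_bits(value) < 64:         # assumed threshold for "guessable"
            findings.append("session value has low entropy: guessable")
    return {"name": name, "kind": kind, "findings": findings}

def new_session_cookie(name="sessionid"):
    """Build a Set-Cookie header with an unpredictable token that is only sent over HTTPS."""
    return f"{name}={secrets.token_urlsafe(32)}; Path=/; Secure"

# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "sessionid=1042; Path=/",                                   # counter as token, no Secure
    "cart=item1,item2; Expires=Wed, 21 Oct 2026 07:28:00 GMT",  # persistent, readable cart
    new_session_cookie(),
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(audit_cookie(h))
```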
