If I logged onto, say, the SDMB while connected directly to my cable modem, then went to somewhere completely different with WiFi and surfed the SDMB there, what happens, password-wise? Does the cookie contain my password, or is it just telling the server that I gave a legit password at some point in the cookie’s lifetime?
Your cookies are stored on your computer by your browser, and have nothing to do with where you are or how you connect to the Internet. You can take your laptop to Tangiers and your cookies will be intact.
The nature of what is stored in a cookie depends on the specifics of the web application being used. Your cookies should not contain cleartext passwords, but there are legions of idiotic programmers in the world. Generally, a login cookie contains a unique session identifier which is associated with state information stored on the server.
Okay, then, is there any way to determine said nature on my end?
If you’re using Firefox, go to Preferences -> Privacy and click on Show Cookies. You can then look at all the cookies you have and what’s stored in them.
If you have the Firebug extension for Firefox or similar tools, you can inspect the HTTP headers your browser sends out for each request. There is a Cookie: header with the name and value of all cookies for the requested site.
Whether or not you can find anything interesting in the value, I don’t know. Best practise for site developers is to not use cookies to store anything that’s sensitive or needs to be “untamperable” by the user, which is where “sessions” come in. Basically, a visit to a site will initialize a random session key which is stored in the cookie. Then all relevant data about the session, like user identity etc., is stored on the server, and can be retrieved and modified by using the session key.
Cookies are very poor places to put or store passwords. I don’t know any site that does this anymore.
Usually a cookie will assign you a session ID. Then this session ID reads the page and directs you to a database that is secured and the database has your password, usually encrypted.
The cookie on your computer now contains a session ID, and on every page you go to on the site, the first thing the webpage does is say “Does this user have a valid cookie, check session ID”. Then the webpage looks at the session ID and it says yes or no as to whether you still have a password.
Websites use such languages as PHP (advantage: free) or ASP (Microsoft) or CFM (ColdFusion) or another scripting language to instruct their webpages to read the database.
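The session mechanism described in the replies above, as an added example that is not part of the original thread: the cookie carries only a random session ID, while the user identity sits in a server-side table that is checked on every request. The account, the `sid` cookie name, the TTL and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800   # seconds a session stays valid (constructed value)
SESSIONS = {}        # server side: session id -> {"user", "expires"}

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account; the server keeps a salted hash, never the password.
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

def login(username, password, now=None):
    """Return a Set-Cookie value on success, None on bad credentials."""
    salt, stored = USERS.get(username, (b"\0" * 16, b""))
    if not hmac.compare_digest(_hash(password, salt), stored):
        return None
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)   # random; encodes nothing about the user
    SESSIONS[sid] = {"user": username, "expires": now + SESSION_TTL}
    cookie = SimpleCookie()
    cookie["sid"] = sid
    for attr, val in (("path", "/"), ("httponly", True),
                      ("secure", True), ("samesite", "Lax")):
        cookie["sid"][attr] = val
    return cookie["sid"].OutputString()

def _sid_from(cookie_header):
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar["sid"].value if "sid" in jar else None

def user_for_request(cookie_header, now=None):
    """Resolve a request's Cookie: header to a username, or None."""
    now = time.time() if now is None else now
    sid = _sid_from(cookie_header)
    session = SESSIONS.get(sid)
    if session is None:               # missing, forged or logged-out ID
        return None
    if session["expires"] <= now:     # expired: drop the server-side state
        del SESSIONS[sid]
        return None
    return session["user"]

def logout(cookie_header):
    """Invalidate the session on the server; the old cookie is then useless."""
    SESSIONS.pop(_sid_from(cookie_header), None)
```

Nothing here depends on the client's network address, which is why the same cookie keeps working after moving from the cable modem to WiFi.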