A lot of people I know disable cookies on their computer and I was wondering why they’re so evil and why people are unhappy with sites demanding cookies be enabled. What can be found out by the people who run the sites?
I’m guessing that it’s probably got something to do with advertising - being able to track a person’s site visits means that sites can target ads more effectively? But why is this terrible, apart from benefitting evil capitalists ;)?
Should I be disabling my cookies? Am I going to die a horrible death by not disabling them? Should I run for the hills?
falling over under the weight of excess question marks
Like anything else, cookies can be used for good or for evil.
Most are benign. They store a tiny bit of information on your hard drive (The Straight Dope, for instance, stores your username and password) to make surfing more convenient. They are essential for any site that needs to keep track of what you’re doing (like an online store – when you put an item into your shopping cart, it’s stored as a cookie so you don’t have to reenter it). I once set up a web page that set a cookie so it kept track of how many times you visited (Hi! You’ve been here 6 times!).
It is, however, possible for an evil webmaster to design a cookie that keeps track of your browsing or other data. The danger is real, though a bit overstated. But on the Internet, there is no such thing as perfect security.
I don’t turn off cookies – they are just too useful to do without. If you’re worried, get cookie manager software so you know exactly what is on your machine.
Now, I’ll grant you that the actual amount of processing power used to receive/store/resend cookies is small, but that’s just because they’re very efficient. The important thing here is the principle.
Of course, since there are plenty of legitimate uses for cookies out there, I don’t turn cookies off completely myself. Instead, I set my Netscape preferences to “Warn me before accepting a cookie” under Edit>Preferences>Advanced, and manually disallow the vast majority of cookies that seem to just be counting which advertisement I’ve seen. I also edit my cookie file every time I go offline, so there isn’t anything in it. It’s more work, sure, but like I said, I’m paranoid, and it’s worth it.
Remember, just because you’re paranoid, that doesn’t mean they aren’t out to get you.
It’s always seemed to me that it’s rude to stand behind someone and read their newspaper without at least asking first.
The same applies to people that assume they have the right to monitor my browsing habits or use up space on my hard drive.
Cookies were designed to keep one site from being able to see the cookies set by another site. Your browser is supposed to send only cookies for a specific site when you request the info from that site. (IE has a bug, that a malicious web site can read a cookie from any domain).
Then several sites started cooperating with services such as DoubleClick. It would work like this. You would sign on to a boating supplies site and order from them. They would also have an image on their site served from DoubleClick, which was unique to you (a unique file name, which generated a standard picture). DoubleClick and the boating supply store would cooperate, so that they would both know that you like boats. They might also know your name, address, and credit card info if you bought anything. Then you visit a porn site which also cooperates with DoubleClick (actually, I don’t know if they had porn sites as clients, I’m just illustrating), and the porn site knows you like boats, so might offer to show you pictures of naked chicks on boats. They might also know your name, etc.
The cookies themselves are text files stored on your hard drive. With MSIE, they can be found in C:\windows\cookies. All you have to do is click on one to see what’s in it. Of course, a lot of it is mysterious code, known only to the website.
With Netscape, there is a single file, cookies.txt, which is plain text, so it’s even easier to look at than IE’s.
The cookie contents will be a name/value pair, the path and domain the cookie applies to, the expiration date, and whether it is a “secure cookie” to be sent only on a secure connection (SSL). In the cookies.txt file, the path is the first column, and the name/value pair is the last two.
Almost all cookies will simply be identifiers to look up your information kept on the server site, though there will be some exceptions. When people say that cookies are used to store information like your order history or shopping cart on your computer, it’s a bit of a misstatement. Cookies are severely limited in number and size - any massive information they keep about you will be on their server, looked up by the ID you send in with the cookie.
Most of the ID’s will reflect some mechanism to keep them unique as well as making them hard to forge, which is why they look so cryptic. If I assign an ID like UY91104D-F5TR-78Y5-5RT6-0786543465B0 based, in part, on random numbers, people are highly unlikely to guess a legitimate one.
The Straight Dope boards actually appear to use 4 - bblastactivity, bblastvisit, bbuserid, and bbpassword. They keep those dates in cookies rather than maintaining them on the server, apparently. Your userid is publicly visible on the URL for anyone who looks up your profile, so they apparently also store a non-publicized password in a cookie as well, which amounts to the same thing as having another ID which they didn’t publish. They presumably check that password when you do something like post, to be sure it’s not somebody masquerading as you by diddling with their cookie.
You should also be aware of the distinction between permanent and “session” cookies. Your browser may allow you to handle them differently. A session cookie is kept solely in memory, and goes away when you close the browser. This allows a site to keep track of what you are doing during a particular session - for instance, allowing them to keep track of the current contents of your shopping cart without retaining it for future shopping.
Again, the session cookie itself will usually simply be an identifier allowing the application on the server side to keep track of pertinent information stored on the server. Most application servers provide some sort of session service to the application developer which will probably be implemented by a session cookie (session tracked with a file-based cookie is a BAD idea, because the clocks aren’t synched between the two machines, and you cannot reliably produce a cookie to expire, say, in half an hour, and it also forces you to keep resetting the cookie. That doesn’t stop some servers from having that option. It’s also a misdesign that cookies are set with absolute expiration dates rather than timeout intervals, but that’s the way it is).
Excuse me. PREVIEW! In the Netscape file, the DOMAIN is the first column. Path will almost always be “/”. I actually know of a very annoying bug in the Netscape cookie implementation that persists for this reason:
Browsers only keep a fixed number of cookies, and eventually start throwing some out. Netscape maintains this file sorted by time of last update, so they can simply pitch the last used one, EXCEPT that they seem to sort first by PATH!!! The effect this has is that if a site sets a cookie that actually has a non-default path, it becomes the first to be pitched from the file when it fills up, even if it was updated fairly recently.
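For readers who want to inspect a cookies.txt file the way the posts above describe, here is an added example (not code from any poster in the thread) that parses the seven tab-separated columns of the Netscape layout and notes each cookie's scope, secure flag, path and remaining lifetime. The sample entries, hostnames, and the function names `parse_cookies_txt` and `audit` are constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime, timezone

# Constructed sample in the tab-separated cookies.txt layout:
# domain, subdomain flag, path, secure flag, expiry (Unix time), name, value.
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    "boards.example.com\tFALSE\t/\tFALSE\t1893456000\tbbuserid\t4242\n"
    ".ads.example.net\tTRUE\t/\tFALSE\t2145916800\tid\tUY91104D-F5TR-78Y5\n"
    "shop.example.org\tFALSE\t/checkout\tTRUE\t978307200\tcart\tA1B2C3\n"
    "this line is malformed\n"
)

Cookie = namedtuple("Cookie", "domain subdomains path secure expires name value")
def parse_cookies_txt(text):
    """Return (cookies, rejected_lines); comment and blank lines are skipped."""
    cookies, rejected = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            rejected.append(line)  # wrong column count or non-numeric expiry
            continue
        domain, sub, path, secure, exp, name, value = fields
        expires = datetime.fromtimestamp(int(exp), timezone.utc)
        cookies.append(Cookie(domain, sub == "TRUE", path, secure == "TRUE",
                              expires, name, value))
    return cookies, rejected

def audit(cookies, now):
    """Note scope, transport, path and remaining lifetime for each cookie."""
    report = {}
    for c in cookies:
        notes = []
        if c.subdomains:
            notes.append("sent to every subdomain")
        if not c.secure:
            notes.append("sent over non-SSL connections")
        if c.path != "/":
            notes.append("non-default path")
        left = (c.expires - now).days
        notes.append("expired" if c.expires <= now else f"{left} days left")
        report[(c.domain, c.name)] = notes
    return report

if __name__ == "__main__":
    jar, bad = parse_cookies_txt(SAMPLE)
    print(audit(jar, datetime(2001, 6, 1, tzinfo=timezone.utc)), bad)
```

Session cookies never appear in this file, since they are held only in memory, so the audit covers persistent cookies only.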