Why are (computer) cookies so evil?

A lot of people I know disable cookies on their computer and I was wondering why they’re so evil and why people are unhappy with sites demanding cookies be enabled. What can be found out by the people who run the sites?

I’m guessing that it’s probably got something to do with advertising - being able to track a person’s site visits means that sites can target ads more effectively? But why is this terrible, apart from benefiting evil capitalists ;)?

Should I be disabling my cookies? Am I going to die a horrible death by not disabling them? Should I run for the hills?

[sub]falling over under the weight of excess question marks[/sub]

Fran

Like anything else, cookies can be used for good or for evil.

Most are benign. They store a tiny bit of information on your hard drive (The Straight Dope, for instance, stores your username and password) to make surfing more convenient. They are essential for any site that needs to keep track of what you’re doing (like an online store – when you put an item into your shopping cart, it’s stored as a cookie so you don’t have to reenter it). I once set up a web page that set a cookie so it kept track of how many times you visited (Hi! You’ve been here 6 times!).

It is, however, possible for an evil webmaster to design a cookie that keeps track of your browsing or other data. The danger is real, though a bit overstated. But on the Internet, there is no such thing as perfect security.

I don’t turn off cookies – they are just too useful to do without. If you’re worried, get cookie manager software so you know exactly what is on your machine.

They are mostly harmless.

I don’t like the idea that anyone here at work, or even friends at home, can look through the cookie file to see what sites I have been visiting.

Overall, they are nice to have so I don’t have them turned off.

I’m one of those paranoid types- I think that, generally, dropping semipermanent information onto your hard drive is bad unless 1. There’s a valid reason to do it and 2. You are aware of and have approved or requested the cookie. Unfortunately, most websites that use cookies don’t think of it this way- the vast majority are trying to use your computer to track various info on your surfing habits without even informing you, let alone asking for your consent. Note the bolding- If you have bought and paid for a computer, its processing power is yours alone, and shouldn’t be used surreptitiously by any entity whose website you visit.

Now, I’ll grant you that the actual amount of processing power used to receive/store/resend cookies is small, but that’s just because they’re very efficient. The important thing here is the principle.

Of course, since there are plenty of legitimate uses for cookies out there, I don’t turn cookies off completely myself. Instead, I set my Netscape preferences to “Warn me before accepting a cookie” under Edit>Preferences>Advanced, and manually disallow the vast majority of cookies that seem to just be counting which advertisement I’ve seen. I also edit my cookie file every time I go offline, so there isn’t anything in it. It’s more work, sure, but like I said, I’m paranoid, and it’s worth it.

Remember, just because you’re paranoid, that doesn’t mean they aren’t out to get you :stuck_out_tongue:

It’s always seemed to me that it’s rude to stand behind someone and read their newspaper without at least asking first.
The same applies to people that assume they have the right to monitor my browsing habits or use up space on my hard drive.

Yeah, but it’s not like Site X’s staff is going to say

No, it really doesn’t work like that. Most sites that use cookies have way too many visitors to keep track of where they have all been, even if keeping track of where they have been is possible.

So, they’re not reading your newspaper behind your back, just doing a count of how many copies of that particular newspaper were sold.

Most web sites that use cookies just need to keep track of your use at that site for your own convenience. Like shopping carts at retail sites, or our own SDMB to remember when you were here last. A site can’t put personal information about you in a cookie, unless you’ve already given it that data.

An example is once when I went to the Columbia Hospital’s web site. I had told my browser to notify me when cookies were being set. The web page had a link to send someone “virtual flowers,” and you would tell it the e-mail address of the recipient, and my own e-mail address. Then I saw that the web site was putting a cookie on my computer with my own e-mail address, so that it would know who I was from then on. This is a sneaky use of cookies, but nevertheless, it was just information that I had given them.

Cookies were designed to keep one site from being able to see the cookies set by another site. Your browser is supposed to send only cookies for a specific site when you request the info from that site. (IE has a bug whereby a malicious web site can read a cookie from any domain.)

Then several sites started cooperating with services such as DoubleClick. It would work like this. You would sign on to a boating supplies site and order from them. They would also have an image on their site served from DoubleClick, which was unique to you (a unique file name, which generated a standard picture). DoubleClick and the boating supply store would cooperate, so that they would both know that you like boats. They might also know your name, address, and credit card info if you bought anything. Then you visit a porn site which also cooperates with DoubleClick (actually, I don’t know if they had porn sites as clients, I’m just illustrating), and the porn site knows you like boats, so might offer to show you pictures of naked chicks on boats. They might also know your name, etc.

This use of cookies is what generated a lot of controversy a couple of years ago.

Does this mean I can tell exactly what information is in the cookies? That would be fascinating. Any recommendations?

Online, or offline, I tend to like my privacy. I use Guidescope. It’s free, and easy to install. Been running it a couple of months now. No complaints.

I messed that up. Try this link:

http://www.guidescope.com/home/

The cookies themselves are text files stored on your hard drive. With MSIE, they can be found in C:\windows\cookies. All you have to do is click on one to see what’s in it. Of course, a lot of it is mysterious code, known only to the website.

Analog X’s Cookie Wall works great.

http://www.analogx.com/contents/download/network/cookie.htm

With Netscape, there is a single file, cookies.txt, which is plain text, so it’s even easier to look at than IE’s.

The cookie contents will be a name/value pair, the path and domain the cookie applies to, the expiration date, and whether it is a “secure cookie” to be sent only on a secure connection (SSL). In the cookies.txt file, the path is the first column, and the name/value pair is the last two.

Almost all cookies will simply be identifiers to look up your information kept on the server site, though there will be some exceptions. When people say that cookies are used to store information like your order history or shopping cart on your computer, it’s a bit of a misstatement. Cookies are severely limited in number and size - any massive information they keep about you will be on their server, looked up by the ID you send in with the cookie.

Most of the IDs will reflect some mechanism to keep them unique as well as making them hard to forge, which is why they look so cryptic. If I assign an ID like UY91104D-F5TR-78Y5-5RT6-0786543465B0 based, in part, on random numbers, people are highly unlikely to guess a legitimate one.

The Straight Dope boards actually appear to use 4 - bblastactivity, bblastvisit, bbuserid, and bbpassword. They keep those dates in cookies rather than maintaining it on the server, apparently. Your userid is publicly visible on the URL for anyone who looks up your profile, so they apparently also store a non-publicized password in a cookie as well, which amounts to the same thing as having another ID which they didn’t publish. They presumably check that password when you do something like post, to be sure it’s not somebody masquerading as you by diddling with their cookie.

You should also be aware of the distinction between permanent and “session” cookies. Your browser may allow you to handle them differently. A session cookie is kept solely in memory, and goes away when you close the browser. This allows a site to keep track of what you are doing during a particular session - for instance, allowing them to keep track of the current contents of your shopping cart without retaining it for future shopping.

Again, the session cookie itself will usually simply be an identifier allowing the application on the server side to keep track of pertinent information stored on the server. Most application servers provide some sort of session service to the application developer which will probably be implemented by a session cookie (session tracked with a file-based cookie is a BAD idea, because the clocks aren’t synched between the two machines, and you cannot reliably produce a cookie to expire, say, in half an hour, and it also forces you to keep resetting the cookie. That doesn’t stop some servers from having that option. It’s also a misdesign that cookies are set with absolute expiration dates rather than timeout intervals, but that’s the way it is).

Excuse me. PREVIEW! In the netscape file, the DOMAIN is the first column. Path will almost always be “/”. I actually know of a very annoying bug in the Netscape cookie implementation that persists for this reason:

Browsers only keep a fixed number of cookies, and eventually start throwing some out. Netscape maintains this file sorted by time of last update, so they can simply pitch the last used one, EXCEPT that they seem to sort first by PATH!!! The effect this has is that if a site sets a cookie that actually has a non-default path, it becomes the first to be pitched from the file when it fills up, even if it was updated fairly recently.
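As an added illustration of the cookies.txt layout described in the two posts above (domain first, then path, secure flag, expiration, and the name/value pair last) and of the rule that a browser only sends a site its own cookies, here is a small parser plus the matching logic, written for this thread rather than taken from any browser's code. The file contents are constructed; the seven tab-separated columns (domain, subdomain flag, path, secure flag, expiry as Unix time, name, value) are the classic Netscape layout the posts refer to.

```python
"""Parse a Netscape-format cookies.txt and pick the cookies a browser would
send to one host/path, applying the domain, path, secure and expiry rules."""
import time
from typing import Dict, List

# Constructed sample file (not a real user's cookie jar). Columns:
# domain, send-to-subdomains, path, secure-only, expires (unix time), name, value
SAMPLE_COOKIES_TXT = """# Netscape HTTP Cookie File
.boards.example\tTRUE\t/\tFALSE\t2000000000\tbbuserid\t12345
.boards.example\tTRUE\t/\tFALSE\t2000000000\tbbpassword\tUY91104D-F5TR-78Y5-5RT6-0786543465B0
shop.example\tFALSE\t/cart\tTRUE\t2000000000\tcart\tabc123
ads.example\tTRUE\t/\tFALSE\t900000000\tid\texpired-one
"""


def parse_cookies_txt(text: str) -> List[Dict[str, object]]:
    """Return one dict per cookie line; comments and malformed lines are skipped."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue  # not the expected layout; skip rather than guess
        domain, sub, path, secure, expires, name, value = parts
        cookies.append({"domain": domain, "subdomains": sub == "TRUE", "path": path,
                        "secure": secure == "TRUE", "expires": int(expires),
                        "name": name, "value": value})
    return cookies


def domain_matches(cookie_domain: str, subdomains: bool, host: str) -> bool:
    """A leading dot / TRUE flag lets the cookie cover subdomains; else exact host."""
    d = cookie_domain.lstrip(".")
    return host == d or (subdomains and host.endswith("." + d))


def cookies_for(cookies, host: str, path: str = "/", https: bool = False, now=None):
    """Names of cookies the browser would send for this request, in file order."""
    now = time.time() if now is None else now
    sent = []
    for c in cookies:
        if c["expires"] and c["expires"] < now:   # expired (0 would mean session)
            continue
        if c["secure"] and not https:             # secure cookies need SSL
            continue
        if not domain_matches(c["domain"], c["subdomains"], host):
            continue
        if not path.startswith(c["path"]):        # path is a prefix match
            continue
        sent.append(c["name"])
    return sent
```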