The term cookie technology refers to the use of HTTP cookies (web cookies) by websites. A cookie is a piece of text that a server sends to a web client, and that the client returns each time it makes a request to that server. Usually, a cookie is a text string of fewer than 255 characters. Cookie technology is used to authenticate website users, to track sessions, and to maintain information about users.
Why is Cookie Technology Used?
Cookies serve as a means of identifying a particular user. Once a user logs in to a website, a cookie can be associated with that user's login. On subsequent visits by the same user to the same website, the cookie lets the website know that the user is already authenticated. The user is thus spared the repetitive task of entering login details on every visit.
The second purpose of cookie technology is to distinguish between users. Information about a user and his preferences can be held in cookies, which makes it possible for websites to offer personalization. Based on a particular user's preferences, a website can tailor both its presentation and its functionality. Many websites offer authenticated users a facility to customize web pages and obtain a personalized look and feel.
How Cookies Work
- Web pages are transferred between a server and a browser by means of the Hypertext Transfer Protocol (HTTP). When a user types a URL into the browser's address bar, the browser sends a request to the server asking for the page the user specified.
- The server then returns the requested page as an HTTP response. The response is a block of text whose headers may include an instruction asking the browser to store a cookie. This is done with a header of the form `Set-Cookie: name=value`. The browser is asked to store the value string under the name `name` and return it to the server in any further requests made to that server.
- On any subsequent request to the same server, even for a different web page on that server, the browser sends the cookie value back. The server recognizes this information and fulfils the request without requiring the user to authenticate again.
- By means of cookies, a website can track the number of users visiting it. The website keeps user information in its database and can count visits, record how frequently a particular user returns, note the user's preferences, and store all of this in that database.
- Some websites allow their users to change the layout and content of the website for a personalized view of the site. The cookie technology has made this possible.
- The technology is also useful to advertisers for tracking the on-site behaviour of users. While keeping a visitor's personal information confidential, cookies help advertisers learn the web surfing habits of visitors. Advertisers can then promote particular products to particular users based on the information gathered from cookies.
- Popular e-commerce websites rely on this technology to implement shopping carts. When a user selects an item, the item is recorded in the site's database. When the user checks out, the website stores information about the items purchased, which lets the shopping site learn the user's shopping preferences. An online shopping mechanism of this kind would have been difficult to build without cookie technology.
- Cookie poisoning is the act of manipulating the contents of a cookie before it is sent to the server. Altering the information in a cookie can mislead websites and advertisers. If a cookie carries transaction information, an attacker can change the value in the cookie and cause a loss to the user or to the e-commerce website involved in the transaction. Every site has an independent set of cookies, which no other site should be able to manipulate; in some browsers, however, cookie technology has been vulnerable to exactly this.
- Cookies can also fall out of sync with the state of the client. When an operation is undone by clicking the Back button, or when a page is reloaded, the state stored in the cookie should reflect that change, but it does not always do so. Cookie technology is also unable to distinguish two people who share the same user account: cookies do not identify one person from another, only the combination of a user account, a browser, and a computer.
- Cookie technology is vulnerable to cookie hijacking, which is the interception of cookie contents by an attacker. When cookies are sent over the network in unencrypted HTTP sessions, there is a real risk of the information in them being stolen.
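The exchange described above (Set-Cookie on the response, Cookie on later requests to the same host) and the two risks just listed can be seen together in the following added example. It is not code from the original article; it is a constructed model written for this page in Python. The browser side keeps one cookie store per host, so another site never receives the shop's cookie, and it withholds cookies marked `Secure` from plain-HTTP requests, which is the standard answer to hijacking over unencrypted sessions. The server side signs the session cookie with an HMAC so that a poisoned (client-edited) cookie is detected and ignored. The host names, secret, user table and session ids are all made up; `HttpOnly` is set on the cookie as well, a common hardening attribute the article itself does not discuss.

```python
"""Constructed model of the HTTP cookie exchange, with integrity protection
against cookie poisoning and the Secure attribute against interception."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SERVER_SECRET = b"constructed-secret-do-not-reuse"   # assumption: known only to the server
SESSIONS = {}                                         # session id -> user name (server side)
USERS = {"alice": "correct-horse"}                    # constructed login table


# ---------- browser side: one independent cookie store per host ----------
class CookieJar:
    def __init__(self):
        self.store = {}   # host -> {cookie name: (value, secure flag)}

    def absorb(self, url, response_headers):
        """Apply every Set-Cookie header of a response to the host of `url`."""
        host = urlsplit(url).hostname
        for name, value in response_headers:
            if name.lower() != "set-cookie":
                continue
            parsed = SimpleCookie()
            parsed.load(value)
            for morsel in parsed.values():
                self.store.setdefault(host, {})[morsel.key] = (morsel.value, bool(morsel["secure"]))

    def cookie_header(self, url):
        """Build the Cookie header for a request to `url`: only that host's cookies,
        and Secure cookies only when the request itself travels over https."""
        parts = urlsplit(url)
        pairs = []
        for key, (value, secure) in self.store.get(parts.hostname, {}).items():
            if secure and parts.scheme != "https":
                continue   # never expose a Secure cookie on an unencrypted connection
            pairs.append(f"{key}={value}")
        return [("Cookie", "; ".join(pairs))] if pairs else []


# ---------- server side: signed session cookie ----------
def _sign(session_id):
    """Append an HMAC-SHA256 tag so any edit to the id is detectable."""
    tag = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def _verify(cookie_value):
    """Return the session id if the tag matches, else None (poisoned or forged)."""
    session_id, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return session_id if hmac.compare_digest(tag, expected) else None


def server_handle(method, path, request_headers, form=None):
    """Handle one request; returns (status, response_headers, body)."""
    raw = next((v for k, v in request_headers if k.lower() == "cookie"), "")
    jar = SimpleCookie()
    jar.load(raw)
    user = None
    if "sessionid" in jar:                       # cookie values are untrusted input
        user = SESSIONS.get(_verify(jar["sessionid"].value))
    if method == "POST" and path == "/login":
        form = form or {}
        if USERS.get(form.get("user")) == form.get("password"):
            sid = secrets.token_hex(16)
            SESSIONS[sid] = form["user"]
            cookie = f"sessionid={_sign(sid)}; Path=/; Secure; HttpOnly"
            return 303, [("Set-Cookie", cookie)], "logged in"
        return 401, [], "bad credentials"
    return 200, [], (f"welcome back {user}" if user else "please log in")


def run_exchange():
    """Walk through: anonymous visit, login, authenticated revisit, a request to
    another site, a poisoned cookie, and a plain-HTTP request. Returns the outcomes."""
    browser = CookieJar()
    site = "https://shop.example"
    out = {}
    out["first_visit"] = server_handle("GET", "/", browser.cookie_header(site + "/"))[2]
    _, hdrs, _ = server_handle("POST", "/login", browser.cookie_header(site + "/login"),
                               {"user": "alice", "password": "correct-horse"})
    browser.absorb(site + "/login", hdrs)          # browser stores the Set-Cookie
    out["after_login"] = server_handle("GET", "/account", browser.cookie_header(site + "/account"))[2]
    out["other_site"] = browser.cookie_header("https://other.example/")   # no cookies leak across sites
    tampered = [("Cookie", "sessionid=0000.deadbeef")]                     # client-edited (poisoned) cookie
    out["poisoned"] = server_handle("GET", "/account", tampered)[2]
    out["plain_http"] = browser.cookie_header("http://shop.example/")      # Secure cookie withheld
    return out


if __name__ == "__main__":
    for step, result in run_exchange().items():
        print(f"{step:12s} -> {result}")
```

The server never trusts the cookie by itself: the session id is only honoured once the HMAC tag checks out, which turns a poisoned cookie into a plain "please log in" rather than a wrong account or a falsified transaction. On the client side, scoping the store by host and honouring `Secure` is what keeps one site's cookies out of another site's requests and off unencrypted connections.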