What are Cookies?
An HTTP cookie or a cookie module is a special text, often encoded, sent by a server to a web browser and then sent back (unchanged) by the browser every time it accesses that server. Cookies are used for authentication as well as for tracking user behavior; typical applications are storing user preferences and implementing the “shopping cart” system.
The term “cookie” is an English word (biscuit, pronunciation: /ˈkuˌki/). In computing, it is derived from the term “magic cookie”, a concept widely used in IT. Generally, the word “cookie” with this meaning is used in other languages too; only in French technical terminology has there been an attempt to translate it with the term témoin (“witness”).
Cookies have created concern because they allow the collection of information about user behavior (in principle, which web pages they visit and when). As a result, their use (and the information collected) are subject to legal restrictions in some countries, including the United States and EU countries. “Cookie” techniques have also been criticized for the fact that user identification is not always accurate, and for the fact that they can enable cyber attacks.
Most modern browsers allow the user to decide whether or not to accept cookies. However, when cookies are refused, sites will lack certain facilities – for example, in an online store, the shopping cart will no longer be usable if it has been implemented with the help of cookies.
Purpose
Cookies are used by web servers to differentiate users and to react according to their actions within a session consisting of several separate transactions. They were invented to implement a virtual shopping cart: usually, the user first authenticates (login), then browses the site, adds or removes objects from the cart at will, then displays the cart content, asks for the final price calculation, decides to order (or gives up), and finally closes the session (logout).
User authentication against the server is another application of cookies; with their help, the server retains the fact that the user has authenticated, and will allow actions specific to authenticated users.
Some sites use cookies to allow users to modify how web pages are displayed, according to personal preferences, which are retained even between sessions. In this way, both functionality-related and graphical display aspects of the pages can be modified and retained. For example, Wikipedia allows registered users to change the appearance of pages, and in Google, even unregistered users can choose, for example, how many results are displayed on a page.
Cookies are also used to track a user’s activity on a site, or even across multiple sites, in the case of “third-party” cookies or so-called “web bugs”. Tracking within a site is done for the purpose of obtaining usage statistics. In particular, advertising companies track user activity across multiple sites to find out their interests more precisely, thus deciding which ads to send to a particular user at a particular time.
Implementation
Cookies usually contain data that is meaningless to the user or their browser but can be interpreted by the server. The browser receives them and returns them to the server unchanged, thus introducing a “memory” of past events into the HTTP request, which in itself is stateless (in other words, each request is in principle an isolated event, without any connection to other past or future HTTP requests to the same server). However, when the browser returns a cookie to a server, the server can link the current request to previous requests (in which the same server sent the cookie), thus creating a so-called session. In addition to servers, cookies can also be created by web applications running on the server, communicating with clients via HTTP, and written in programming languages such as Java and C# or in server-side scripts.
The detailed description of the mechanism suggests that browsers should be able to retain at least 300 cookies of 4 kb each, and at least 20 for each server or internet domain.
When creating a cookie, a deletion date can also be specified; otherwise, it will be deleted when the browser is closed. An online store may want to retain the shopping cart content between sessions, so the next time the user visits, they don’t have to search for all the products again. In this case, the store server will create a cookie with a slightly longer deletion term. Only cookies with a long, explicitly specified deletion term will “survive” between sessions, in which case they can be called “persistent”.
Expiration
Cookies expire, and therefore are not sent by the browser to the server under the following conditions:
- At the end of a session (for example, when the browser is closed) if that cookie is not persistent
- If an expiration date was specified and the current date is in the past
- If the expiration date is changed (by the server or script) to a past date
- The browser deletes the cookie at the user’s request
The third condition allows a server or script to explicitly delete a cookie.
Authentication
Cookies can be used by servers to recognize authenticated users and to modify the pages sent according to their preferences (personalization).
For example:
- The user enters their username and password in the edit fields of a page and sends them to the server
- The server receives the username and password and checks them; if correct, it sends a page confirming this to the user, along with a cookie; also, the server stores the name/cookie pair (or just the cookie)
- Each time a page is accessed on that server, the browser also sends the cookie with the request; the server compares the received cookie with the stored ones, and can decide whether it is an authenticated user or not, sending the appropriate page.
This is the method used by almost all sites.
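
The three steps above, together with the explicit deletion described under Expiration, as an added example that is not part of the original page. The cookie name `session`, the 30-minute lifetime, the demo account and the `HttpOnly`/`Secure`/`SameSite` hardening attributes are assumptions made for this sketch.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie

COOKIE = "session"                      # hypothetical cookie name
LIFETIME = timedelta(minutes=30)        # assumed session lifetime
SALT = b"constructed-demo-salt"         # constructed; use a random per-user salt

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice": _hash("correct horse")}   # constructed demo account
SESSIONS = {}                               # server-side store: token -> (user, expiry)

def _set_cookie(value, attrs):
    """Build one Set-Cookie header value with the hardening flags always on."""
    jar = SimpleCookie()
    jar[COOKIE] = value
    jar[COOKIE].update({"path": "/", "httponly": True, "secure": True,
                        "samesite": "Lax", **attrs})
    return jar[COOKIE].OutputString()

def login(username, password, now):
    """Steps 1-2: verify credentials, store the token, return Set-Cookie."""
    if not hmac.compare_digest(_hash(password), USERS.get(username, b"")):
        return None
    token = secrets.token_urlsafe(32)   # random value, carries no user data
    SESSIONS[token] = (username, now + LIFETIME)
    return _set_cookie(token, {"max-age": int(LIFETIME.total_seconds())})

def _token(cookie_header):
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar[COOKIE].value if COOKIE in jar else None

def authenticate(cookie_header, now):
    """Step 3: compare the received cookie with the stored ones."""
    user, expiry = SESSIONS.get(_token(cookie_header), (None, now))
    return user if now < expiry else None

def logout(cookie_header):
    """Drop the server-side record and expire the cookie with a past date."""
    SESSIONS.pop(_token(cookie_header), None)
    return _set_cookie("", {"expires": "Thu, 01 Jan 1970 00:00:00 GMT"})

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)      # constructed clock
    header = login("alice", "correct horse", t0)
    print(header, authenticate(header.split(";")[0], t0), sep="\n")
```

The server enforces the expiry itself and removes its own record on logout, so a copied cookie stops working even if the browser never deletes it.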
Page Personalization
Similarly to authentication, the server finds out which user is requesting a page and can send it accordingly, based on previously expressed preferences, which have been retained by the server. Pages can be personalized even for users who do not have an account on the server: the preferences are simply retained within the cookie, and in subsequent requests, by sending the cookie, the browser also sends the user’s preferences.
For example, Google retains user preferences in a cookie called PREF. This is created with default values the first time the site is accessed. When the user enters the preferences page and chooses something, the server sends a request to modify the cookie, storing the new value in it.
User Tracking
The most commonly used method is as follows:
- If a request contains no cookie, it is assumed to be the first access to a page on that server; the server creates a cookie with an arbitrary (but unique) value and sends it, along with the requested page
- From now on, the browser will receive the cookie and send it back with its requests; the server will send the requested pages, but will also record the name of the requested page, the date and time, as well as the cookie value in a special list
By going through this list, it is possible to find out which pages (and in what order) were visited by a particular user (identified by a certain cookie).
“Third-party” Cookies
Images or other objects contained in a web page may actually be on a different server than the page itself. To display these objects, the browser downloads them from their servers, possibly receiving cookies as well. These are called “third party” if the server that created them is in a different domain than the page server.
This phenomenon occurs especially in the case of advertisements. Advertising images are usually stored on the servers of the advertising company, in a different domain than the web page where they are displayed. If the browser accepts cookies, the advertising company can track the user’s activity across multiple sites (on all sites visited that have images from that advertising company). This is done using a unique URL for each site (so the same image displayed on two sites has a different URL) or with the help of the referer field in the HTTP transaction. The same thing can be achieved by interspersing web pages with images invisible to the user, but which are downloaded by the browser.
Advertising companies have always denied that this information is used for purposes other than establishing user preferences.
Many modern browsers, such as Internet Explorer, Opera, or Mozilla Firefox, allow the user to choose to block “third party” cookies. Version 6 of Internet Explorer also allows an intermediate form of blocking: if third.com sends a cookie along with an image from a page in the first.com domain, the cookie is not sent when an image from the same third.com is needed for a document in the other.com domain; however, if any document from the original first.com domain needs an image from third.com, the cookie will be sent.
Source: Wikipedia
What cookies we use
Some of the cookie modules we commonly use are listed below. This list is not comprehensive, but aims to illustrate the main purposes for which we usually set cookies. If you visit one of our websites, the site will set some or all of the following cookies: