Browsers
So, what are cookies?
Servers sometimes ask your browser to keep track of a small piece of data called a cookie.
The Web server will let your browser know who can see the cookie, and how long it should remember the data it contains. Most cookies are harmless but should still be carefully monitored.
There has been a lot of concern on the Internet about cookies and the threat they pose to privacy. By the time you have finished this article, you should be better informed about cookies.
What are Cookies?
A cookie is a small piece of data that a Web server has asked your Web browser to keep track of. The cookie has the name of the piece of data, and the data itself. The Web server also tells your browser who can see the cookie, and how long it should remember the data.
All the fuss is about a single line of data that comes back from the server, in the same group of lines (the HTTP response headers) that tells the browser whether this is an HTML document and gives the status of the request.
Some cookies do not have any date or time information on them. This means that they will not be written to disk, and will expire as soon as you close your Web browser.
If the cookie has an expiration date, the cookie and its related information will be stored on your hard disk, until the expiration date has passed. If no expiration date is given, your Web browser will not write the information to disk, and as soon as you close the browser, the data is forgotten.
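The rules above (who gets the cookie back, and whether it ever reaches the disk) can be read straight off the header line the server sends. The following is an added example, not code from the original article; the function name `describe_cookie` and all sample headers except the `userno` pair are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def describe_cookie(set_cookie_value, request_host, now):
    """Parse one Set-Cookie header value; report who gets it back and for how long."""
    parts = [p.strip() for p in set_cookie_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    # Who can see it: with no Domain attribute, only the host that set the
    # cookie receives it again. Path (if present) narrows that further.
    domain = attrs.get("domain", "").lstrip(".") or request_host

    # How long it lives: no usable Expires date means memory only.
    lifetime = "session"
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = "persistent" if expires > now else "expired"
        except (TypeError, ValueError):
            pass  # unparsable date: the attribute is ignored
    return {
        "name": name.strip(),
        "value": value.strip(),
        "sent_to": domain,
        "path": attrs.get("path"),  # None: browser derives it from the request URL
        "lifetime": lifetime,
        "written_to_disk": lifetime == "persistent",
    }


# Constructed sample headers; only the first name/value pair appears on the page.
SAMPLES = [
    "userno=921900478",
    "theme=dark; Expires=Wed, 09 Jun 2027 10:18:14 GMT; Path=/; Domain=.example.com",
    "promo=1; Expires=Thu, 01 Jan 1998 00:00:00 GMT; Path=/shop",
    "broken=1; Expires=next tuesday",
]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for header in SAMPLES:
        print(describe_cookie(header, "backroom.obrienscafe.com", now))
```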
What your Web browser is saying about you
When you make any request on the Internet, your Web browser tells the Web server a great deal about your computer. Below is the exact text of every piece of information that a program on a Web server has:
SERVER_SOFTWARE = Apache/1.3.0 (Unix) PHP/3.0
GATEWAY_INTERFACE = CGI/1.1
DOCUMENT_ROOT = /usr/local/apache/htdocs
REMOTE_ADDR = 192.168.3.1
SERVER_PROTOCOL = HTTP/1.0
REQUEST_METHOD = GET
QUERY_STRING =
HTTP_USER_AGENT = Mozilla/4.5 [en] (X11; I; Linux 2.0.34 i586)
PATH = /sbin:/usr/sbin:/bin:/usr/bin
HTTP_CONNECTION = Keep-Alive
HTTP_ACCEPT = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
REMOTE_PORT = 11816
HTTP_ACCEPT_LANGUAGE = en
SCRIPT_NAME = /cgi-bin/printenv
HTTP_ACCEPT_ENCODING = gzip
SCRIPT_FILENAME = /usr/local/apache/cgi-bin/printenv
SERVER_NAME = backroom.obrienscafe.com
REQUEST_URI = /cgi-bin/printenv
HTTP_ACCEPT_CHARSET = iso-8859-1,*,utf-8
HTTP_COOKIE = userno=921900478
SERVER_PORT = 80
HTTP_HOST = backroom.obrienscafe.com
SERVER_ADMIN = clay@dowling.tcimet.net
The pieces of information that tell the most about you are HTTP_USER_AGENT, HTTP_ACCEPT, and REMOTE_ADDR. The User Agent tells what kind of computer you have (i586), what operating system you are using (Linux 2.0.34), and what Web browser you are using (Netscape 4.5 indicated by Mozilla/4.5).
REMOTE_ADDR is the IP number of the system you are calling from. This can often be associated with a specific geographic region, and can almost always be tracked to a specific Internet Service Provider. One of the more interesting uses I've seen this put to is geographic targeting for advertisements. One intrepid advertiser used it to make sure that the theater advertisement I saw was for the theater just up the road from my office.
HTTP_ACCEPT tells the server what kind of data the Web browser can deal with besides the default types of text/html and text/plain. Well-behaved programs can use this to make sure that they send in a format the recipient can use.
In the list you will see one e-mail address, in the variable SERVER_ADMIN. This is not the address of the person who made the request. This is the person who should get mail if the Web server is having problems.
How programmers use cookies
When good programmers write a Web application, they minimize the number of cookies that need to be sent. For instance, the example above sends only one cookie, SessionID. If it is necessary to track any further information, such as what display options a user has selected, or what menu a user is currently looking at, that data can be stored in a database, associated with a user's SessionID. The data can be retrieved by the programmer at any time instead of passing it around in cookies or on Web forms all the time.
Other programmers will often pass several cookies back and forth, to track multiple variables. This is because they either do not have access to database technology that makes the single-cookie method practical, or they have chosen not to take advantage of it to maintain short-term data.
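A sketch of the single-cookie approach described above, as an added example that is not code from the original article: the cookie carries only a random SessionID, and everything else lives on the server. The in-memory `SESSIONS` dict stands in for the database, and the function names are hypothetical.

```python
import secrets

SESSIONS = {}  # session id -> server-side data (stands in for the database)


def parse_cookie_header(http_cookie):
    """Turn an HTTP_COOKIE string such as 'a=1; b=2' into a dict."""
    jar = {}
    for pair in http_cookie.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            jar[name] = value
    return jar


def handle_request(environ, updates=None):
    """Return (session_data, response_headers) for one CGI-style request."""
    sid = parse_cookie_header(environ.get("HTTP_COOKIE", "")).get("SessionID")
    headers = []
    if sid not in SESSIONS:
        # Missing or unknown id: issue a fresh unguessable one instead of
        # adopting whatever value the client sent.
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = {}
        # No Expires attribute, so the browser never writes this to disk.
        headers.append(("Set-Cookie", f"SessionID={sid}; Path=/; HttpOnly"))
    if updates:
        # Display options, current menu and so on stay on the server.
        SESSIONS[sid].update(updates)
    return SESSIONS[sid], headers


if __name__ == "__main__":
    # Constructed requests: first visit, then a return visit with the cookie.
    _, first_headers = handle_request({})
    cookie_pair = first_headers[0][1].split(";")[0]
    data, later_headers = handle_request({"HTTP_COOKIE": cookie_pair},
                                         {"menu": "reports"})
    print(first_headers, data, later_headers)
```

The browser only ever stores the opaque identifier, so someone reading the cookie file learns nothing about the options or menus tracked for that session.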
Another common use is to track how users move through a Web site, to see if site navigation has been built properly, and to see what sections are the most popular.
How you should respond
Most browsers give you the option to choose how you want to handle cookies. You can opt never to accept a cookie, to be warned of cookies, or to always accept cookies. Some browsers even allow you to choose the Web sites that you'll always accept cookies from.
The chief hazard is that if somebody else got access to your hard drive, they could see that you'd been browsing through books at Amazon.com, reading back issues of Playboy, or reading technical articles about Linux. In this scenario, access to your cookies should be the least of your worries, since somebody with access to your hard disk can probably get into far more interesting information.
How you deal with cookies is a matter of personal choice.