
This month marks the 63rd anniversary of the publication of the novel Nineteen Eighty-Four, so it might be interesting to take a look at what is currently the primary method used for tracking on the Internet: the browser cookie. Browser cookies are a subject with almost as much misinformation floating around as there is correct information.

History of Cookies

The need for browser cookies (or just cookies) came about because of the stateless nature of the HTTP protocol. Netscape (remember them?) was developing an on-line shopping application for a client and needed a way to keep a customer associated with their shopping cart. Nothing built into HTTP could maintain where on a website a user was currently browsing or what items were currently placed in their shopping cart, so that ability needed to be invented. The issue was solved with the addition of browser cookies. Browser cookies are small pieces of data in the form of attribute-value (name-value) pairs that a web server can send to an Internet browser; the browser stores them and sends them back to the web server as part of subsequent web requests. That piece of data can be tied to an entry in the website’s database and thereby to the user’s browsing sessions.

How They’re Used Today

These attribute-value pairs may be seemingly random strings of data, user IDs in either hashed or cleartext form, or almost any other piece of data that the administrator behind the website wishes to assign to that particular browser during that particular session. They have no meaning or relevance to any website other than the one that sent them to the browser (we’ll ignore third-party cookies for the time being). A cookie may have an expiration time associated with it. A cookie that expires with the current session is called a session cookie; one that persists past the current session is known as (surprise!) a persistent cookie. If it lasts past the current session, the next time that browser instance visits the website (assuming the user has not deleted the cookie) it will dutifully report the cookie back to the website, linking any previous browsing actions with the current browsing session. A cookie can also be recreated from another storage mechanism such as Shockwave Flash or HTML5 local storage: when the browser cookie is deleted, a script detects the deletion and rewrites it from the copy kept there, so these cookies live on after they have been deleted. Removing them is a manual process, usually accomplished by deleting the script. One of the misconceptions surrounding cookies is that they collect information about you. Cookies don’t actually collect anything. The user’s browser is what does the collecting, and from what it collects a website can develop a profile of the user behind the browser.

Putting a Limit on Cookies

For users concerned with on-line privacy, limiting cookies is one of the primary steps they can take to allay those concerns. One of the choices your browser has when receiving cookies from websites is whether or not to accept cookies for third-party websites. These are cookies set with a domain that is different from the domain of the site being visited and shown in the browser’s address bar. Because they can build up and report a browsing history to those third parties, the acceptance of third-party cookies should always be disabled.

Another step users can take is to limit cookie collection based on domain names or IP addresses. Modern browsers have the ability to limit and delete cookies in the browser preference settings, usually found under the browser’s privacy settings section. By viewing the cookies already present, users can get an idea about the cookies that they may want to reject. If there are websites that a user wishes to permanently bar from setting cookies, these domains can be entered and cookies from those domains will be ignored.
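As an added example (not code from the original post), here is a small Python model of the cookie-acceptance decisions described above: it parses Set-Cookie headers, tells session cookies from persistent ones, flags third-party cookies by comparing the cookie’s domain with the visited site, and applies a user-entered block list of domains. The hosts, cookie values and the two-label approximation of a site’s registrable domain are constructed assumptions for the demo.

```python
from dataclasses import dataclass

# Constructed sample: the site the user is visiting, plus three Set-Cookie
# headers given as (host that sent the response, header value).
VISITED_HOST = "shop.example.com"
SAMPLE_SET_COOKIES = [
    ("shop.example.com", "cart=a1b2c3; Path=/; Secure; HttpOnly"),
    ("shop.example.com", "uid=4711; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=.example.com"),
    ("ads.tracker.net", "track=x9y8; Max-Age=31536000; Domain=.tracker.net"),
]
BLOCKED_DOMAINS = {"tracker.net"}  # domains the user has barred from setting cookies (constructed)

@dataclass
class CookieInfo:
    name: str
    value: str
    domain: str
    persistent: bool   # has Expires or Max-Age, i.e. survives the session
    third_party: bool  # cookie domain belongs to a different site than the one visited
    secure: bool       # Secure flag: only sent over HTTPS
    httponly: bool     # HttpOnly flag: not readable by page scripts

def site_of(host: str) -> str:
    """Registrable domain approximated as the last two labels (assumption:
    a real browser consults the Public Suffix List instead)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def parse_set_cookie(sender_host: str, header: str, visited_host: str) -> CookieInfo:
    # Attributes are ';'-separated; Expires dates contain commas but never ';'.
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()  # flags like Secure map to ""
    domain = attrs.get("domain", sender_host).lstrip(".").lower()
    return CookieInfo(
        name=name.strip(), value=value.strip(), domain=domain,
        persistent="expires" in attrs or "max-age" in attrs,
        third_party=site_of(domain) != site_of(visited_host),
        secure="secure" in attrs, httponly="httponly" in attrs,
    )

def accept(c: CookieInfo, blocked=BLOCKED_DOMAINS, block_third_party=True) -> bool:
    """Browser-side policy: drop third-party cookies and anything from a blocked domain."""
    if block_third_party and c.third_party:
        return False
    return c.domain not in blocked and site_of(c.domain) not in blocked

def filter_cookies(entries=SAMPLE_SET_COOKIES, visited=VISITED_HOST):
    cookies = (parse_set_cookie(host, hdr, visited) for host, hdr in entries)
    return [(c, accept(c)) for c in cookies]
```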

Later versions of browsers have a Do Not Track button. The Do Not Track button sends a message to the web server that it is your preference not to have personal information collected about your visit. It is up to the web server to actually honor that request. Earlier versions of web servers do not honor it, since they do not know about the Do Not Track button; later web server versions can recognize and honor the setting, but whether they actually do is up to the administrator of the website.

Potential Information Leak

One of the dangers with cookies and publicly accessible computers is that cookies associated with you can be written to the caches of those shared machines. This can result in a significant loss or breach of privacy. For this reason it is always recommended to use publicly accessible computers only for casual browsing and not for any transactions where any security or secrecy is desired.

A Final Question

It seems to be a continual cat and mouse game between users and advertisers in the contest of maintaining some semblance of privacy while using the Internet, so what do you think? Has the emergence of a Do Not Track button on browsers made you any more comfortable or complacent in browsing the web? Is it something you even think about?


3 Comments.


  1. It’s amazing how many people don’t disable the third party cookie options! For some, ignorance is bliss…


  2. Hey Lou, I enjoyed the post. To answer your question, I do think that Do Not Track is helpful as a single, easy way to increase privacy, but of course it’s only functional on those sites that honor the practice.

    I’m curious about cookie security from another angle. What sorts of defenses exist against cross-site scripting attacks that attempt to steal cookies? Is this a question of encrypting cookie contents or obfuscating contents? Is there even any recourse if cookies want to remain functional?


    • Thanks Nick. Using the secure flag with a cookie is the best way; you could also use the http flag, which eliminates the transmission of the cookie for non-http requests.

