Back to Basics: Internet Cookies

Paladion
By Paladion

March 30, 2007

Continuing with our Back to Basics series, we'll discuss internet cookies. Cookies are generally used by web sites to track users' personal preferences so that personalized content can be served to them. In the first part, we covered Caching.

Internet Cookies

What is a cookie?

Cookies are name-value pairs (e.g. country=India) generated by the
web server and stored on the client. Once the cookie is stored on the
client, the browser automatically submits this name-value pair with
every subsequent request the user makes to the same site.

Why do websites use cookies?

Cookies are generally used for tracking the personal preferences
of the user. The web server can use these preferences to serve
personalized content. E-commerce applications, like Internet
Banking, use cookies for exchanging session-ID information between
the user's browser and the e-commerce server.

Are cookies mandatory or optional?

The use of cookies is optional. A website developer can choose
whether or not to use them.

Who creates the cookies - the client or the web server?

The web server creates the cookie and sends it to the client browser.

How are cookies transmitted between servers and clients?

Cookies are generated by the web server and sent to the client as
part of the HTTP response headers. In the example below Google is setting
a cookie which has multiple name-value pairs.

After clearing my existing cookies, I send an HTTP request for
www.google.co.in. The HTTP request and response are shown below.
The Set-Cookie header in the response is where the Google server is
setting a new cookie.

HTTP Request

GET / HTTP/1.0
Host: www.google.co.in

HTTP Response

HTTP/1.0 200 OK
Content-Type: text/html;
Set-Cookie: PREF=a5353f33dadae6b4:TM=1172488580:LM=1172488580:S=-tN_hXmrGjyfGFq4; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com

Are all cookies stored on the client hard disk?

There are two types of cookies - persistent and
non-persistent. Only persistent cookies are stored on disk. For example, the
Google cookie shown in the earlier example is a persistent cookie, and my
browser [MS Internet Explorer] has stored it as a text file in the
C:\Documents and Settings\<username>\Cookies folder. The file name is
<username>@google.com. Mozilla Firefox does not have separate files for
different cookies. All cookies for a particular user are stored in one
file, "cookies.txt", at C:\Documents and Settings\<username>\Application
Data\Mozilla\Firefox\Profiles\<username>.profile

Non-persistent cookies are stored in RAM and are removed
when the browser window instance is closed.

What do the other attributes set in "Set-Cookie"
mean?

Only name=value is mandatory. All the other attributes
discussed here are optional.

Expires - specifies that this is a persistent cookie, which will
be stored on the hard disk until 17-Jan-2038. If there is no Expires
attribute in the Set-Cookie header, the cookie is non-persistent.

Path=/ specifies that this cookie will be sent if the user
visits any page or subdirectory under google.co.in. This is also called "Tail
Matching". For example, if I browse to http://google.com/news or
http://google.com/sports/baseball, this persistent cookie will be
sent.

Domain=True. You cannot see this in the Set-Cookie HTTP response
header; the browser sets it depending on the value of the Domain
attribute. If there is a leading dot, the flag is set to TRUE; if not, it
is set to FALSE. TRUE means this cookie will be sent if the user visits any
subdomain of google.co.in. For example, if I browse to
http://images.google.com/ or http://local.google.com/, this
persistent cookie will be sent.
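To make the attribute rules above concrete, here is a small parser for a single Set-Cookie header value. It is an added example and not code from the article; the sample header is the Google cookie quoted above. It splits the cookie pair from its attributes (only the first "=" separates name from value, so the colon-separated PREF value survives intact), reads Expires in the Netscape date format the header uses, and derives the two facts the text discusses: whether the cookie is persistent (an Expires attribute is present) and whether the browser's Domain flag would be TRUE (the Domain value has a leading dot). Defaulting a missing Path to "/" is a simplification made here; real browsers derive the default from the request URL.

```python
from datetime import datetime, timezone

# Constructed from the Set-Cookie header quoted in the article.
GOOGLE_SET_COOKIE = (
    "PREF=a5353f33dadae6b4:TM=1172488580:LM=1172488580:S=-tN_hXmrGjyfGFq4;"
    "expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com"
)

# Netscape-style date used by the Expires attribute, e.g. "Sun, 17-Jan-2038 19:14:07 GMT".
NETSCAPE_DATE = "%a, %d-%b-%Y %H:%M:%S GMT"


def parse_set_cookie(header):
    """Split one Set-Cookie header value into the cookie pair and its attributes.

    Only the first '=' separates name from value, so a value such as
    'a5353f33dadae6b4:TM=1172488580' is kept whole. Attribute names are
    case-insensitive; attributes this example does not know are ignored.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {
        "name": name.strip(),
        "value": value.strip(),
        "expires": None,   # None means a non-persistent (in-memory) cookie
        "path": "/",       # simplification: browsers derive the default from the request URL
        "domain": None,    # None means only the host that set it receives it
        "secure": False,   # Secure attribute: send over SSL only
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires" and val:
            cookie["expires"] = datetime.strptime(val, NETSCAPE_DATE).replace(tzinfo=timezone.utc)
        elif key == "path" and val:
            cookie["path"] = val
        elif key == "domain" and val:
            cookie["domain"] = val.lower()
        elif key == "secure":
            cookie["secure"] = True
    return cookie


def is_persistent(cookie):
    """A cookie with Expires is written to disk; without it, it lives only in RAM."""
    return cookie["expires"] is not None


def domain_flag(cookie):
    """The browser's Domain=TRUE flag described in the article: a leading dot in
    the Domain attribute means the cookie is also sent to subdomains."""
    return cookie["domain"] is not None and cookie["domain"].startswith(".")


if __name__ == "__main__":
    c = parse_set_cookie(GOOGLE_SET_COOKIE)
    print(c["name"], "=", c["value"])
    print("persistent:", is_persistent(c), "until", c["expires"])
    print("domain flag:", domain_flag(c), "path:", c["path"], "secure:", c["secure"])
```

Feeding the Google header through `parse_set_cookie` yields a persistent cookie valid until 17-Jan-2038 with the Domain flag TRUE; a header such as `SESSIONID=abc123; Path=/bank; Secure` yields a non-persistent, host-only cookie restricted to SSL.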

Can a web server set unlimited number of cookies on the client?

There are limitations on the number of cookies that a client
can store at any one time. A client can store a maximum of 300 cookies, 4
kilobytes per cookie and 20 cookies per server or domain.

Servers should not expect clients to be able to exceed these
limits. When the 300 cookie limit or the 20 cookie per server limit is
exceeded, clients should delete the least recently used cookie.
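The limits and the least-recently-used eviction rule just described can be expressed as a small cookie store. This is an added example, not code from the article or from any browser: the limits (300 total, 20 per domain, 4 kilobytes per cookie) are the figures given above, and the domain names in the usage are constructed. Reading a cookie counts as a "use" for recency, so a cookie the site keeps resubmitting survives while stale ones are evicted first.

```python
from collections import OrderedDict

# Limits quoted in the article.
MAX_TOTAL = 300           # cookies a client stores in total
MAX_PER_DOMAIN = 20       # cookies per server or domain
MAX_COOKIE_BYTES = 4096   # 4 kilobytes of name plus value per cookie


class LimitedCookieJar:
    """Cookie store that enforces the article's limits and evicts the least
    recently used cookie when a limit is exceeded.

    Keys are (domain, name). The OrderedDict's order doubles as the recency
    order: oldest (least recently used) first, most recently used last.
    """

    def __init__(self):
        self._cookies = OrderedDict()

    def store(self, domain, name, value):
        """Store a cookie; returns False if it is too large to accept."""
        if len(name) + len(value) > MAX_COOKIE_BYTES:
            return False  # oversized cookies are rejected, not truncated
        key = (domain, name)
        if key in self._cookies:
            self._cookies.move_to_end(key)  # re-setting a cookie refreshes it
            self._cookies[key] = value
            return True
        # Per-domain limit: drop this domain's least recently used cookie.
        same_domain = [k for k in self._cookies if k[0] == domain]
        if len(same_domain) >= MAX_PER_DOMAIN:
            del self._cookies[same_domain[0]]
        # Global limit: drop the least recently used cookie of any domain.
        if len(self._cookies) >= MAX_TOTAL:
            self._cookies.popitem(last=False)
        self._cookies[key] = value
        return True

    def get(self, domain, name):
        """Return the value, marking the cookie as recently used; None if absent."""
        key = (domain, name)
        if key not in self._cookies:
            return None
        self._cookies.move_to_end(key)  # sending/reading a cookie counts as use
        return self._cookies[key]

    def count(self, domain=None):
        """Number of stored cookies overall, or for one domain."""
        if domain is None:
            return len(self._cookies)
        return sum(1 for k in self._cookies if k[0] == domain)


if __name__ == "__main__":
    jar = LimitedCookieJar()
    for i in range(21):  # one more than the per-domain limit (constructed domain)
        jar.store("shop.example", f"pref{i}", "v")
    print("stored for shop.example:", jar.count("shop.example"))   # capped at 20
    print("pref0 survived:", jar.get("shop.example", "pref0") is not None)  # evicted
```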

How are cookies stored on the desktop?

Cookies are stored as text files. There are persistent cookies
and non-persistent cookies. Persistent cookies are stored on the user's hard
disk, while non-persistent cookies are held in memory and vanish
when the browser window is closed.

MS Internet Explorer stores them in the C:\Documents and
Settings\<username>\Cookies
folder. Each persistent cookie is a separate file.

Mozilla Firefox stores all persistent cookies in a single file
in C:\Documents and Settings\<username>\Application
Data\Mozilla\Firefox\Profiles\<username>.default

Do cookies also get stored in caches?

Cookies can be cached by intermediate caches, including
proxy servers. The web server should set the appropriate Cache-Control
directives to control this caching. To allow the page to be cached but not the
cookie, the web server can use this setting: Cache-Control:
no-cache="set-cookie"

Is the cookie lifetime determined by the client's browser or by the
website developer?

The cookie lifetime (for persistent cookies) is determined by
the web server at the time the cookie is set. In the previous example
Google sets a cookie on my desktop which will remain on my hard disk
until 17-Jan-2038.

Set-Cookie: PREF=a5353f33dadae6b4:TM=1172488580:LM=1172488580:S=-tN_hXmrGjyfGFq4;expires=Sun, 17-Jan-2038 19:14:07 GMT

Can I open a sample cookie stored on my desktop?

Cookies are simple text files. You can open them with any
text editor, such as Notepad or TextPad.

Can a citibank.com page [or a script running within it]
read the bankofamerica.com cookie?

The web server has no control over retrieving cookies. The
browser automatically retrieves all cookies that have been set by the
particular server. Whenever I visit www.google.com, all the cookies that
have been set by www.google.com are resubmitted along with the HTTP
request. These cookies will NOT be sent to any server other than
www.google.com.

HTTP Request

GET /search?hl=en&q=CRICKET HTTP/1.0
Host: www.google.co.in
Cookie: PREF=ID=a5353f33dadae6b4:TM=1172488580:LM=1172488580:S=-tN_hXmrGjyfGFq4

Can I have cookies that are only transmitted over SSL?

By setting the Secure flag in the Set-Cookie header, the
web server can restrict transmission of the cookie to SSL connections only.
This is very relevant for cookies used by e-commerce applications like
Internet banking, where cookies store sensitive information like the
session ID.
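The two preceding answers describe the browser-side decision of which stored cookies accompany a request: the Domain rule (a leading dot covers subdomains, otherwise only the setting host), the Path rule, and the Secure flag that withholds a cookie on plain HTTP. The function below models that decision over a constructed cookie jar; it is an added example, not code from the article or from any browser. The PREF entry reproduces the Google cookie from the article, while the citibank.com and bankofamerica.com entries and their values are made up to illustrate the question asked above. It generalizes the text slightly by also handling a cookie whose Path is a subdirectory rather than "/".

```python
from urllib.parse import urlsplit

# Constructed cookie jar. Each entry keeps what a browser records from Set-Cookie:
# the host that set it, the Domain attribute (None when absent), Path, and Secure.
# The first entry is the article's Google cookie; the bank entries are made up.
JAR = [
    {"name": "PREF", "value": "a5353f33dadae6b4", "set_by": "www.google.com",
     "domain": ".google.com", "path": "/", "secure": False},
    {"name": "CITISESSION", "value": "c1t1", "set_by": "www.citibank.com",
     "domain": None, "path": "/", "secure": True},
    {"name": "BOFASESSION", "value": "b0fa", "set_by": "www.bankofamerica.com",
     "domain": None, "path": "/", "secure": True},
    {"name": "layout", "value": "dense", "set_by": "www.citibank.com",
     "domain": None, "path": "/accounts", "secure": False},
]


def domain_matches(cookie, host):
    """Leading dot (the article's Domain=TRUE): the domain itself or any subdomain.
    No Domain attribute: only the exact host that set the cookie."""
    domain = cookie["domain"]
    if domain is None:
        return host == cookie["set_by"]
    if domain.startswith("."):
        return host == domain[1:] or host.endswith(domain)
    return host == domain


def path_matches(cookie, path):
    """Path=/ matches every page; Path=/accounts matches /accounts and anything below it,
    but not /accountsarchive."""
    cpath = cookie["path"]
    if path == cpath:
        return True
    if cpath.endswith("/"):
        return path.startswith(cpath)
    return path.startswith(cpath + "/")


def cookies_for(url, jar=JAR):
    """Return the Cookie header value a browser would send for url, or None if no cookie applies."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"
    over_ssl = u.scheme == "https"
    selected = [
        c for c in jar
        if domain_matches(c, host)
        and path_matches(c, path)
        and (over_ssl or not c["secure"])  # Secure cookies never travel over plain HTTP
    ]
    if not selected:
        return None
    return "; ".join(f"{c['name']}={c['value']}" for c in selected)


if __name__ == "__main__":
    for url in ("http://images.google.com/news",
                "https://www.citibank.com/accounts/summary",
                "http://www.citibank.com/accounts/summary",
                "https://www.bankofamerica.com/"):
        print(url, "->", cookies_for(url))
```

Running it shows the PREF cookie going to images.google.com, the citibank.com session cookie going only to www.citibank.com and only over https, and nothing from citibank.com ever accompanying a request to bankofamerica.com. The Secure check is the property the article stresses: on plain http the session cookie is withheld even though the host and path match.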

Is there any RFC related to cookies?

http://www.ietf.org/rfc/rfc2965.txt

