Cookies and Security

The 'bad' things that sites can do with cookies get quite a bit of publicity. Cookies from advertising sites can be used to track all the sites that you visit that display their ads and so give the advertiser information about where you go on the web, particularly if they have their ads displayed on lots of different sites.

There are far more harmful things on the internet than cookies though, as tracking your visits is about the limit of what cookies can be used for that is bad. After all, cookies are just small text files stored on your computer that the web browser allows a specific web site to read. Cookies don't contain any code that can actually be run to do anything at all to your computer, and they cannot be read by anything on the web apart from the web site that wrote them. Unless a web site stores confidential information in the cookie itself (instead of storing it on the server and just storing the key needed to find it in the cookie), the cookie content isn't even all that useful to a rogue program running on your computer that is trying to capture information to send back to its owner - such a program would capture far more information by recording everything you type than it would by reading your cookies.

The useful things that cookies can do get nowhere near as much publicity as the bad things. Perhaps part of the reason for this is that many people don't even realise that a cookie is involved in those tasks.

Basically all a cookie does is allow a particular person to be tracked from one web page to another. Without cookies there is no way to tell, when one web page loads, that it is the same person loading that page as previously loaded another page. Well, there is actually one other way, and that is to pass identifying information in the querystring, but that method of passing the information makes it more vulnerable, as the information is in the web address itself rather than hidden away in the page headers the way it would be if you used a cookie. Cookies are the most secure way of passing information between web pages.

Now holding all of the information in the cookie is (as already mentioned) not the best way to work things. What should be stored in a cookie is a string of characters that acts as an identifier for the person so that they can be identified as they visit different pages. The actual information about them is best stored on the server and looked up there by each page. This process is so useful that many server side languages implement a way to do this within the language itself. These are called sessions and all of the session data is stored on the server with a session id as the key that allows the information to be accessed. It is the session id that gets stored in a cookie.

Now there are in fact three different types of cookie. One type of cookie (known as a session cookie) doesn't even create any files on your computer; it just stores the cookie information in the browser itself, which means that the cookie is automatically deleted when you close the browser. A session on the server will as its first choice use a session cookie and store the session id in the browser itself to pass your identity from page to page. Any site where you need to interact with more than one page, with it knowing that you have moved between pages, will do this. An example of this would be any site that requires that you be logged in to be allowed to access information on the page.

The second type of cookie is called a first party cookie and it writes cookie data to a file in order that your subsequent visits to the site will be able to read the cookie and identify you as the same person who previously visited. If a site offers to remember your password for you then it will need to create a first party cookie to be able to identify you on your next visit so as to know what password to use. Sites that highlight anything that has changed since your last visit would also use one of these cookies so as to be able to keep track of when you last visited so as to be able to highlight appropriately.
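As an added illustration of the session mechanism described above (example code written for this page, not code from the original article or from Felgall), the Python below keeps all of the session data in a dictionary on the server and sends the browser nothing but a random session id. The cookie name `sid`, the sample user and the 30-day lifetime are assumptions. The `HttpOnly`, `Secure` and `SameSite` attributes are standard cookie attributes included as the usual hardening, and the only difference between the session cookie and the persistent first party cookie is whether `Max-Age` is present.

```python
"""Server-side session store keyed by an opaque session id carried in a cookie.

Added example for this page, not code from the original article.  The cookie
name, the sample user and the lifetime are assumptions.  Requires Python 3.8+
(for the SameSite attribute in http.cookies).
"""
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional

SESSION_COOKIE = "sid"      # assumption: the cookie name used by this example
SESSION_ID_BYTES = 32       # 256 bits from the OS CSPRNG, so ids cannot be guessed
DEFAULT_MAX_AGE = 30 * 24 * 3600  # assumption: 30-day lifetime for persistent cookies

# All real session data lives here, on the server; only the key travels.
_store: Dict[str, dict] = {}


def create_session(user: str) -> str:
    """Create a server-side session and return its id, the only value the browser sees."""
    sid = secrets.token_urlsafe(SESSION_ID_BYTES)
    _store[sid] = {"user": user, "created": time.time()}
    return sid


def set_cookie_header(sid: str, persistent: bool = False,
                      max_age: int = DEFAULT_MAX_AGE) -> str:
    """Build the value of a Set-Cookie response header carrying the session id.

    Without Max-Age the browser keeps the cookie in memory only (a session
    cookie in the article's terms) and drops it when closed.  With Max-Age the
    cookie is written to disk and survives restarts (a persistent first party
    cookie), which is what a 'remember me' feature relies on.
    """
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = sid
    morsel = cookie[SESSION_COOKIE]
    morsel["path"] = "/"
    morsel["httponly"] = True   # page scripts cannot read it via document.cookie
    morsel["secure"] = True     # only ever sent over HTTPS
    morsel["samesite"] = "Lax"  # not attached to most cross-site requests
    if persistent:
        morsel["max-age"] = max_age
    return morsel.OutputString()


def lookup_session(cookie_header: str) -> Optional[dict]:
    """Resolve an incoming Cookie request header to the server-side record, or None.

    The browser sends back only the id; the data is looked up here, so a stolen
    or tampered cookie value that is not in the store simply yields no session.
    """
    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header)
    except Exception:          # malformed header: treat as not logged in
        return None
    morsel = cookie.get(SESSION_COOKIE)
    if morsel is None:
        return None
    return _store.get(morsel.value)


if __name__ == "__main__":
    sid = create_session("alice")                       # constructed sample user
    print("Set-Cookie:", set_cookie_header(sid))        # session cookie, no Max-Age
    print("Set-Cookie:", set_cookie_header(sid, persistent=True))
    print("lookup:", lookup_session("sid=" + sid))      # the server-side record
    print("bogus id:", lookup_session("sid=notarealid"))  # None
```

The header printed for the session cookie contains the id and the attribute flags but nothing about the user; that data only ever appears in the server's `_store`, which is the point the article makes about keeping the key in the cookie and the information on the server.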

Both of these two types of cookie provide useful functions that would either not be able to be done without cookies or which are far more secure when cookies are used than when any alternative is used.

The third type of cookies are called third party cookies. These work exactly the same way as first party cookies. The only difference is that instead of being set by the web page itself, and so belonging to the site whose address you see in the browser bar, these are set by other sites and are only accessible to those sites. The only reason that a third party cookie can be referenced by a web page is because that web page loads content from some other site. If a web page makes no references whatever to anything that needs to be loaded from another site then no third party cookie can be used, because there is no other site where anything can get run that would have access to read or write a third party cookie.

The most common off site references where third party cookies can be set are advertising services. When a web page calls for files from an ad service those files not only deliver the ads that are displayed in the web page, they can also set their own cookies that will then be accessible from anywhere that calls the same ad service.

Now at this point we have looked at good uses for session and first party cookies and a possibly bad use for third party cookies. For the most part this is the situation regarding cookies and so many people configure their browser to accept session and first party cookies and to block third party cookies. While an individual web site could use a first party cookie for less ethical purposes most only use them where there is a genuine reason to do so and if you did find a site that misuses first party cookies it is easily identifiable from the address bar.

The only problem with disabling all third party cookies is that there are some situations where they are actually useful. One such example is if you want to be able to use OpenID to have a common login across multiple web sites. The site where you want to log in needs to be able to read the third party cookie associated with the site where your OpenID is stored in order for the OpenID to work.
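The following is an added example (written for this page, not code from the original article or from any browser) that models the first party versus third party distinction from the preceding paragraphs and what the "block third party cookies" setting changes. Every host and URL in it is constructed, and two simplifications are assumptions: the "site" is taken to be the last two labels of the host name (real browsers consult the Public Suffix List), and cookies are keyed by the exact host that set them, ignoring the `Domain` attribute.

```python
"""Simplified model of first party versus third party cookie handling.

Added example for this page, not code from the original article or from any
browser.  Hosts and URLs are constructed.  Assumptions: 'site' is approximated
as the last two host labels (browsers use the Public Suffix List), and cookies
are stored per exact host, ignoring the Domain attribute.
"""
from typing import Dict, Tuple
from urllib.parse import urlparse


def host_of(url: str) -> str:
    """Lower-cased host name of a URL ('' if the URL has none)."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def site_of(host: str) -> str:
    """Approximate registrable domain: the last two labels (assumption, see above)."""
    return ".".join(host.split(".")[-2:])


def is_third_party(page_url: str, resource_url: str) -> bool:
    """A resource load is third party when the resource's site differs from the
    site shown in the address bar; only such a load can set or read a third
    party cookie, which is why a page with no off-site references can use none."""
    return site_of(host_of(page_url)) != site_of(host_of(resource_url))


class CookieJar:
    """Stores cookies per host and decides which ones a request may carry."""

    def __init__(self, block_third_party: bool = False) -> None:
        self.block_third_party = block_third_party
        self._jar: Dict[Tuple[str, str], str] = {}   # (host, name) -> value

    def on_set_cookie(self, page_url: str, resource_url: str,
                      name: str, value: str) -> bool:
        """Handle Set-Cookie from a response to resource_url while page_url is
        the page in the address bar.  Returns True if the cookie was stored."""
        if self.block_third_party and is_third_party(page_url, resource_url):
            return False
        self._jar[(host_of(resource_url), name)] = value
        return True

    def cookies_for(self, page_url: str, resource_url: str) -> Dict[str, str]:
        """Cookies attached to a request for resource_url: only those set by that
        same host, and none at all for a blocked third party load."""
        if self.block_third_party and is_third_party(page_url, resource_url):
            return {}
        host = host_of(resource_url)
        return {name: value for (h, name), value in self._jar.items() if h == host}


def ad_network_recognises_visitor(block_third_party: bool) -> bool:
    """The article's scenario: two unrelated sites embed the same ad service.
    Returns True when the ad host gets its own cookie back on the second site,
    i.e. when it can tell that the same visitor was on both sites."""
    jar = CookieJar(block_third_party)
    ad = "https://ads.tracker.test/ad.js"          # constructed ad service URL
    jar.on_set_cookie("https://news.example/", ad, "uid", "42")
    return jar.cookies_for("https://blog.example/", ad).get("uid") == "42"


if __name__ == "__main__":
    print("tracked across sites, default settings:", ad_network_recognises_visitor(False))
    print("tracked across sites, third party blocked:", ad_network_recognises_visitor(True))
    # A first party login cookie is unaffected by the block: same site, same host.
    strict = CookieJar(block_third_party=True)
    strict.on_set_cookie("https://news.example/", "https://news.example/login", "sid", "abc")
    print("first party cookie still sent:",
          strict.cookies_for("https://news.example/", "https://news.example/account"))
```

The same model shows the OpenID trade-off mentioned above: a login page on one site that loads a check from the identity provider's host is a third party load, so with `block_third_party=True` the provider's own cookie is never sent back to it and the shared login cannot recognise you, which is exactly why a per-site override in the browser is useful.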

Cookies are completely under your control through your web browser settings. If your browser doesn't allow you to override cookie settings the way you want for a specific site then you just need to upgrade to one that does allow it.

Blocking all cookies will make it very difficult for you to use the web. Allowing all cookies may allow you to be tracked. There are two simple steps you can take that will go a long way toward resolving this without your having to go too deep into figuring out which cookies to allow and which to block (since in most cases you may not know the answer). The first is to make use of the privacy option that all modern browsers now have. One of the things that option does is to disable all cookies while you are using that to visit web pages. The whole point of privacy is that you not be able to be tracked from one page to another regardless of who it is that is trying to do the tracking. Obviously you can't do this for sites where you do need to be identified between web pages. The second thing to do is to run a decent anti-spyware program. One of the types of thing these programs look for is tracking cookies associated with advertising. The program can find and delete these cookies for you and may even have an option that allows you to block the particular cookie from being able to be saved again.

Taking these actions will minimise the number of cookies that you have which are potentially capturing information that you don't want sites to have. Cookies are always controlled from your computer so if you don't want a site to be able to use cookies you can block that site. Web sites have no say whatever in whether you allow cookies on their site or not. The most they can do is to tell you what they want to use cookies for so that you can make a more informed decision as to whether to allow them or not.


This article written by Stephen Chapman, Felgall Pty Ltd.
