I've been browsing the Internet recently looking at how different websites have approached the GDPR regulations that came into force on 25th May 2018. I've also been thinking about cookies and the whole user consent thing etc. But then I started thinking, why on earth are cookies called cookies? So I got sidetracked and decided to do some research...
There are many explanations as to where browser cookies got its name. Some believe that the word cookie got its name from "magic cookies" which is a packet of data a program receives and sends back unchanged, used by Unix programmers. Others believe that Xerox made a computer system that saved some of the data about the user, who was logged in on the client side and that the data was saved in a small file called a "cookie". It was so-called named as such after a character from the popular (at that time) Andy Williams Show. This "Cookie Bear" character would follow Andy around asking for a cookie. And so in honour of Cookie Bear, the Xerox programmers decided to call the little file a cookie.
So that's where the name came from, let's have a look at what they actually are and how they work.
What are cookies?
A cookie, or more formally, a HTTP cookie, web cookie, Internet cookie or browser cookie, contrary to popular belief, are not computer programs. Instead, they are tiny text files that are stored on your computer and can be opened using any text editor such as Windows notepad or my personal favourite, Notepad++. They are designed to store a tiny amount of information specific to a client and and the website that the client visits.
This text file ultimately becomes a packet of data that is sent between a user's browser and the website's server.
So, when you visit a website, the website sends a cookie to your computer and your computer stores it in a file located inside your web browser.
So what are cookies used for?
Cookies are quite generic in that they can be used to track different things and some are more transient than others. So for example, session cookies are used to track a user whilst he/she is navigating a website but only lasts as long as the session, i.e. until the user leaves the site. Other cookies, track you between visits to a website, remember your preferences and are stored in your browser for longer. Authentication cookies track whether you are logged in or not and what your username is.
The only reason that cookies exist is that the underlying HTTP protocol is stateless. In other words, each request from your browser is completely separate from the next one, so the server needs a way to keep track of what request belongs to what visitor. So by storing a small bit of information in a cookie, the web site can determine that your page request belongs to your user account.
How do cookies work?
Cookies are actually very simple in how they work. Essentially, they are just name-value pairs. What I mean by that is that within the text files that are stored on your computer is the name of the cookie and a value. So, for example, the name could be userId and the value could be a random alphanumeric string such as a3545-a435f-3534f that represents a user. The first time that you visit a website, let's say it's Amazon.com, Amazon's server will assign you a unique user identifier value and stored it on your machine.
Let's have a look at how cookies flow between your browser and Amazon's servers in a simple example:
1. Let's say you type http://www.amazon.com into your browser. When you hit Enter, your browser sends a request to Amazon's server for it's homepage.
2. Just before the browser sends this request, it will look on your computer to see if there are any cookie files previously sent by Amazon's site. If it finds an Amazon cookie file, then the browser sends all the name-value pairs contained within the file to Amazon's server, along with the request for the Amazon homepage. If there aren't any Amazon cookie files, then no cookie data is sent.
3. When Amazon receives your request for its home page, it also receives any cookie data that was sent in the request. If the server receives cookie data, then Amazon knows you have previously visited its site. If no cookie data is received, then Amazon will create a new user identifier for you and store it in it's database somewhere. Amazon will then send this name-value pair back to your browser in the header for the web page that it sends. The browser, once it receives the name-value pairs, will store it as a text file on your hard disk.
It's important to note that a web server can send more than one name-value pair, modify the data in a name-value pair and add new pairs whenever you interact with the site and request web pages.
Are cookies dangerous?
Generally no. In themselves they are completely harmless. They can't contain malware or viruses, they can't access your hard drive and they can't take control over your computer. This is because they are nothing more than tiny text files.
However, there's a but and that is privacy. If a website, let's called it website A has adverts on it, like many websites do (including bonkersabouttech.com), then the third-party advertising company can store a cookie on the computer of the user that accessed website A. If a completely unrelated website, let's call it website B uses the same advert network, then when the user heads over website B, the advertising network will know that the user has visited website A and website B and so they have effectively tracked the user across two websites.
So, although nothing malicious has occurred, the advertising company can actually determine indirectly all the sites you have been to if they have cookies present on those sites.
Many think that cookies can steal personal information. This is a myth because unless you provide a website with your personal information in the first place, cookies cannot contain that personal information.
Some cookies are just simple session tokens, but sometimes they can contain your login credentials. If they do, they are usually encrypted or hashed in some format. But cookies can only get sent to the same site that created the cookie in the first place. So even if they did contain personal information, they are not going to be shared with every site that you visit.
That said, if the website you're visiting doesn't encrypt or hash the contents of it's cookies (which is very bad practice) and you're on a public computer, then the next person who logs onto that computer could potentially read the personal information contained in those cookies. So it's important to clear your cookies after you have finished using a public computer. You should also log out of any websites, which should also clear any cookies and/or session information, if the website has been implemented correctly.
Finally, I don't want to scare you, but whilst cookies aren't dangerous by themselves, they can actually be stolen. If the site that you are visiting contains a Security vulnerability known as Cross-Site Scripting (XSS), then arbitrary code (written and injected into the website by an attacker) could get executed within your browser, read your cookies and send them on to the attackers server. These cookies can then by an attacker to log in to your online accounts as if they were you, without the need for your password. To mitigate against this, I recommend turning on two-factor authentication for all your online accounts.
How do I manage my cookies?
There are a number of ways to manage your cookies, if you want to take control of them. You can access them directly in Windows and view the contents in your favourite text editor or you can delete them directly too.
Different browsers store them in different locations on disk. So IE stores them in a cookie folder (located in C:\WINDOWS\Cookies), Firefox stores them in a single file - either called "cookies.txt" or "cookies.sqlite" (located in C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles).
Chrome is a bit different in that it stores its cookies in an SQLite database. You can view the database file (located in C:\Users\<your_username>\AppData\Local\Google\Chrome\User Data\Default\) but it will need to be read by a third party program such as the SQLite Database Browser.
So that's where the major browsers store cookies, but most browsers provide the abiltity to manage cookies saved on your computer should you wish to accept or reject cookies for example. You can read more about how to this here.
Alternatively, you can use browser plugins to modify, add or delete cookies. My personal favorite is EditThisCookie which is available as a free Chrome extension.
So that's it. In summary, cookies are an essential part of the web and keeps websites functioning correctly. Cookies help website owners to find out how their website is being used so that it can be improved which contributes to the overall goal of improving the web.
Cookies can help deliver a tailored experience for each user but can also be used by advertising companies to track users (indirectly) across websites.
I hope this has helped answer some of the questions you may have had around cookies, in particular, why cookies are named cookies!