Cookies & Privacy
Good Cookie or Bad Cookie?
By Ravi Pai Panandiker
November 21, 2002
IST 497E/Giles
 Introduction
 What is a Cookie? Basic Facts
 Cookies & Paranoia
 Getting Creative with Cookies
 Scope of Cookies
 Cookie Fixes
 Cookie Taxonomy
 Anatomy of a Cookie
 Working with Cookies: Code & Demo
 Cookie based Marketing
 Cookies, Privacy & Legislation
 Conclusion
What is a Cookie?
 Short pieces of text generated during
web activity and stored in the user’s
machine for future reference
 Instructions for reading and writing
cookies are coded by website authors
and executed by user browsers
 Developed for user convenience to
allow customization of sites without
need for repeating preferences
Cookie Facts
 Most Cookies store just 1 data value
 A Cookie may not exceed 4 Kb in size
 Browsers are preprogrammed to allow a
total of 300 Cookies, after which
automatic deletion based on expiry date
and usage
 Cookies have 3 key attributes: name,
value and expiry date
Cookies & Paranoia
 Why are Cookies notorious?
 Most Cookie activity is transparent to the user
 Most people do not understand what Cookies
can and cannot do
 People do not know how to protect
themselves from Cookies
 Valid reason: There are organizations out
there using Cookies to track your activities
(More later)
Darwinian Evolution: Getting
Creative with Cookies
 Basic cookie mechanism: Place a piece of
information, retrieve it for customization on
subsequent visits
 Functions available: read, write, delete
 Creative application1: Initialize a cookie
called counter to 1. Every time user visits,
retrieve counter, increment by 1 and re-write.
 Creative application2: When a user visits,
write system date/time in a cookie. Next visit
get cookie for last visit. Overwrite with current
Cookie Scope: Cannot Do
 Have automatic access to personal
information like name, address, email
 Read or write data to hard disk
 Read or write information in cookies
placed by other sites
 Run programs on your computer
Cookie Scope: Can Do
 Store and manipulate any information
you explicitly provide to a site
 Track your interaction with parent site
such as pages visited, time of visits,
number of visits
 Use any information available to web
server including: IP address, Operating
System, Browser Type
Cookie Fixes: Getting in Control
 Turn up security level on your browser to
disable cookies or prompt for cookie
 Delete the content of a cookie and then write
protect it
 Use JavaScript command to display cookies
by current site/path:
 Use 3rd party software: Cookie Pal,
CookieMaster, CookieCrusher to monitor,
browse and edit cookies.
Cookie Types and Taxonomy
 By Lifespan
- Session Cookies (RAM)
- Persistent Cookies (Disk)
 By Read-Write Mechanism
- Server-Side Cookies (HTTP Header)
- Client-Side Cookies (JavaScript)
 By Structure
- Simple Cookies
- Array Cookies
Anatomy of a (Simple) Cookie
String of text with these 6 attributes:
 The domain and path for which the
cookie is valid
 The name of the cookie
 The value of the cookie
 The expiration date of the cookie
 Whether a secure connection needed
to use the cookie
Working with Cookies
 The domain and path are automatically
handled by the browser, script author has no
 For a given domain and path, a script may
create any number of cookies by specifying a
name, value and expiry date
 Each (simple) cookie is stored in a separate
text file in Temporary Internet Folder, but
tagged to a specific domain
 Cookies are handled by the browser as an
Object called document.cookie and
read/written using object dot notation
Cookie Code
 Cookies may be read/written by
server-side or client-side code
 Server-side Cookies are executed by
the web server and instructions included
in HTTP header for the page
 Server-side Cookie languages:
Perl/CGI, ASP/VBScript
 Client-side scripts: JavaScript
embedded in page HTML
A Typical Cookie Algorithm
On page load
Read Cookie
Write new Cookie.
Prompt for info if
Use Cookie info to
customize/login etc
Update Cookie
Continue loading
© Ravi Pai Panandiker
Cookie Code: JavaScript
 JavaScript code uses 3 standard functions
that are defined in the HTML <head> tag:
setCookie(cookieName, value, expDate)
 All Cookie manipulation is performed using
these 3 functions and regular algorithmic
 All functions are automatically performed on
the cookie object of that domain/path
Cookie Demo: JavaScript
Cookie Based Marketing
 What is it?
User customized online advertising and
marketing system that uses Cookies
and databases to create, maintain and
utilize consumer profiles and monitor
their activity
Cookie based Marketing
 How does it work?
 Companies like, and have
developed an innovative system (using
standard technologies) for this purpose.
 They tie up with popular websites like
Yahoo, Amazon to create an extensive
data and information sharing network
Cookie based Marketing
 How it works contd.
 Code developed by the company is
placed on these web sites.
 When you hit another such site, it sends
data placed in your cookies to
DoubleClick and retrieves marketing
information about you enabling them to
customize ads etc
 Result: One person may see ads for
sports goods and another for baby
Cookie based Marketing - Schema
Web Server
Ad Server
SEND - User ad server id
- IP address
GET - Consumer profile and/or
- Targeted banner ad
- Regular page content
- Targeted advertising
- Cookie based info
- User ad server id
- IP address
User Computer
© Ravi Pai Panandiker
Cookie Viruses?
 On most platforms, Cookies are stored as text
only files. To cause damage the Cookie must
be an executable
 On Windows, text files are non-executable
and would open in a text editor if double
 In general, there are easier loopholes for a
hacker in ActiveX controls, Outlook Express
 The threat from Cookies is not from what they
can do to your computer but what information
they may store and pass on
Cookies, Privacy and Legislation
 Concern about misuse from Government
agencies and non-profit organizations like
Internet Engineering Task Force (IETF),
Electronic Privacy Information Center (EPIC)
 Study by govt.’s Computer Incident Advisory
Committee (CIAC) in 1998
 Bulletin concluded that there was more hype
than hazard from Cookies.
 Agreed that tracking people’s browsing habits
makes many users uncomfortable
Cookies, Privacy & Legislation
 New proposal put forward by IETF together
with Netscape and Microsoft to modify the
Cookie standard.
Proposal is being backed by leading nonprofit organizations
Proposal will limit persistence and make
Cookie activity more transparent.
Key aspect of proposal is to disallow 3rd party
server access to cookies.
Would destroy Cookie based marketing.
 Cookies were originally created as harmless
pieces of text for user convenience
 Along the way, some evil geniuses found a
way to exploit them for business
 Most studies conclude are not harmful to
user: Would you rather see an ad for a
product that’s relevant or one you’d never
 The paranoia arises from the invisible nature
of cookie transactions and inadequate
information about their ability.
Questions or Comments?