“Cookies” is a term you hear all the time when browsing the internet, but what are they really?
This article explains, in as non-technical a way as possible, what a cookie is, what it does, and the pros and cons of cookies.
Cookies save a great deal of effort but can be abused. Here’s what cookies do for you.
- Browsing basics
- Saving you time
- Sense checks
Browsing basics
Downloading everything
Think of writing a letter. You can’t read a letter unless you have it physically with you. The Internet works exactly the same way: you download a copy of a web page to your computer. Your “cache” stores these documents in a folder on your computer.
When the internet was very expensive and slow to use, the cache was very useful: if you went to the same page twice, your browser could reuse the first copy instead of downloading a second one.
Is this document cached? Yes, then show the first downloaded copy instantly. If not cached, then download it to the cache.
So if you have a logo, a picture that appears on every one of your pages, does this benefit from the cache? Yes it does. Imagine 10 pages with the same picture of a logo, like letterhead paper. Your browser loads the cached version of the image, saving a download each time.
Special programs
The program which manages the cache, amongst other jobs, is called a browser. Your Internet browser is able to go onto the Internet, request documents and then cache them.
Communication is a two way street.
- Can I have this document please?
- Yep, here it is.
- Can I have these images which I don’t have in my cache?
- No problem, here you go.
You’re using a browser to view this article. Your browser asked for a copy of the article and you are reading the copy from your machine.
The most common makes of browser are free and are:
- Internet Explorer / Edge
- Mozilla Firefox
- Apple Safari
- Google Chrome
- Opera’s Opera
- Maxthon
Clearing the cache
Sometimes you will want the latest copy of a webpage as they can update and your browser will only use your copy.
Imagine the front of a newspaper. It will be the same page every time but the content has changed. For this reason, by pressing the F5 key on the keyboard you ask your browser to get the latest version of a page.
You can also clear your cache so that there are no old copies at all and your browser is forced to download everything afresh.
All in one go, or bit by bit
Some documents can be very long. Your browser has a choice.
Do you show information as it arrives or do you wait for the whole thing to completely and perfectly download before showing?
This is why you get feedback from your browser as a page loads, showing how much has loaded and how much is still waiting to arrive. When the internet was very slow you even had the option of a “stop” button if it was taking too long. As can be seen in button 3 below.
Videos are amongst the biggest content available on the Internet.
Websites like YouTube would never work if you had to wait for the whole video to download to your computer.
This is where progressive downloading and streaming come into effect. These are the techniques for showing content as soon as part of it has downloaded.
Saving you time
Usernames and passwords
One of the biggest benefits of the Internet is the ability to do work on websites, but this needed privacy.
Let’s take your bank account.
You can view your statements online and in real time but you have to log in. Why?
Well you don’t want everyone reading your banking details or making transactions from your account.
So you log in. When you log in, you log in on the login page. Easy. Yet if everything on the Internet is downloaded, how can the second page you see, your balance, be different?
The reason is the following conversation happens in the background.
Page 1 conversation
- Can I have the login page please
- Your bank replies, no worries, here is the page with two boxes for you to fill in.
- You fill in the boxes and click “login”
- This sends the information back to the bank
Page 2 – Check your login details
- So the bank gets your login information
- It makes sure you have the right details.
- If the details check out, send the user to page 3.
- Any mistake and send the user back to page 1.
Page 3 – Load your balance page
- Your browser goes, can I have the balance page please?
- “Who are you?” the bank asks.
The power of the cookie
As you can see from the example the bank doesn’t know who you are. If you jumped straight into page 3 then you wouldn’t need to log in.
This challenge led Lou Montulli, a Netscape employee, to invent “Magic Cookies” in 1994 for ecommerce reasons.
His idea was that the browser could keep a “state”: the browser stores information like “you are logged in”. So he created a tiny text file in the browser. In this file you could put information, and when the browser sends the “request” bit of the conversation it could include the cookie.
So our login conversation changed.
Page 2 – Check your login details and Set temporary cookie
When the bank checks the username and password and finds you valid, it creates a unique ID for you and a temporary password which is only usable for a short time.
It is very long and not friendly to humans, to make it more difficult to misuse. Most people have 10 or 12 characters in a password; this password would be 128 or 256 characters long, as would the ID.
So page 2 says, here is your temporary ID and password, please keep this in your cache, and the browser stores it.
Your cookie.
Page 3 – Load your balance page based on cookies in your request
Now when the conversation of page 3 starts, the browser also sends the cookie with the temporary ID and password.
The bank checks the request and uses the cookie to decide what details to put on the page.
Boom, the power of a cookie in full effect.
You don’t have to put your username and password in every time; the cookie in your browser sends the temporary information instead.
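The page 2 / page 3 conversation above, as an added example that is not part of the original article: a constructed in-memory “bank” issues a random temporary ID on login, stores it with an expiry, and answers the balance request from the cookie alone. The account data, lifetime and cookie name are assumptions for the example.

```python
import secrets
import time

# Constructed in-memory "bank" with one customer; not any real bank's code.
ACCOUNTS = {"alice": {"password": "correct horse", "balance": "1,234.56"}}
SESSION_LIFETIME = 300          # seconds the temporary id stays usable (assumed)
_sessions = {}                  # temporary id -> (username, expiry time)


def page2_login(username, password, now=None):
    """Page 2: check the details. On success return the Set-Cookie header carrying
    a random temporary id; on failure return None (back to page 1)."""
    account = ACCOUNTS.get(username)
    if account is None or not secrets.compare_digest(account["password"], password):
        return None
    now = time.time() if now is None else now
    temp_id = secrets.token_urlsafe(32)      # 256 random bits, not friendly to humans
    _sessions[temp_id] = (username, now + SESSION_LIFETIME)
    return f"Set-Cookie: session={temp_id}; Max-Age={SESSION_LIFETIME}; Secure; HttpOnly"


def _cookie_value(cookie_header, name):
    """Pull one cookie's value out of a 'a=1; b=2' request Cookie header."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def page3_balance(cookie_header, now=None):
    """Page 3: answer 'who are you?' from the cookie. Returns the balance for a live
    session, or a redirect to page 1 if the cookie is missing, unknown or expired."""
    now = time.time() if now is None else now
    temp_id = _cookie_value(cookie_header or "", "session")
    session = _sessions.get(temp_id)
    if session is None:
        return "redirect: /login"
    username, expires_at = session
    if now >= expires_at:
        del _sessions[temp_id]            # the temporary password is used up
        return "redirect: /login"
    return f"Balance for {username}: {ACCOUNTS[username]['balance']}"
```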
Sense checks
Security of cookies
The challenge comes when you visit a different website. Your browser sends EVERY cookie to the website.
So if you go to another website, the mechanism means that any website can read all your cookies. For obvious reasons this would generally be bad, consequently requiring some security.
There is a group concerned with the security of the Internet.
The Open Web Application Security Project (OWASP), is an online community, producing freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
OWASP came together and asked browser makers to make the internet more secure for everyone.
- Information stating “This cookie becomes useless on this date and time, please browser delete it automatically” (Max-Age, expires)
- This cookie is only for use with this website (domain)
- Next, cookies had to be sent on encrypted connections using HTTPS instead of HTTP, so people couldn’t read them en route (secure)
- Coders with malicious intent try to hijack your browser. The HttpOnly flag stops hijacked browsers abusing cookies (HttpOnly). First seen in 2002.
So now a cookie has the following bits of information in it
Set-Cookie: <name>=<value>[; Max-Age=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
Browser dependence
As users we are dependent on browsers using cookies properly. This functionality is not regulated. We have to trust our browser manufacturers.
Cookies were invented in 1994 and although widely used do have security flaws.
Cookies make secure websites work so we can’t get rid of them but minimal use of them is the safest practice.
Cookie abuses
Tracking cookies are just a cookie but explicitly designed to be shared by more than one website or service.
Marketers use tracking cookies for marketing and advertising purposes mainly.
Google doesn’t turn on security for all its cookies and for good reason. When you go from a search in google to someone’s website, some websites for advertising reasons want to know where you came from. For this reason cookies are handy for advertisers.
Google is moving away from public cookies and more towards GCLID (Google Click Identifier). Google does clarify what cookies it uses and generally why.
Not every website is as scrupulous as Google. However, GDPR regulation clarified that if you have a website that uses cookies you must tell users you have cookies and what you use them for.
Cleaning out cookies in your browser is your responsibility.
Testing suites
The security is great but the people who create cookies on your machine have to turn the security features on. Not every company does.
There is a suite of checks you can run against any website to see what cookies are and are not used. Checker available here.
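The kind of check described here, run over the Set-Cookie format given under “Security of cookies”, as an added example that is not the article’s own checker or any tool it links to: it parses each Set-Cookie header and reports which of the protections from the list above (lifetime, secure, HttpOnly) are missing or malformed. The three sample headers are constructed for the example, not captured from any real site.

```python
import re
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie headers as a browser might receive them from
# three different sites; not captured from any real website.
SAMPLE_HEADERS = [
    "Set-Cookie: session=abc123; Max-Age=600; Domain=bank.example; Path=/; Secure; HttpOnly",
    "Set-Cookie: prefs=dark; expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/; Secure",
    "Set-Cookie: tracker=xyz; Domain=ads.example; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).
    Attribute keys are lower-cased; flags such as Secure map to True."""
    body = re.sub(r"^set-cookie:\s*", "", header.strip(), flags=re.IGNORECASE)
    pair, *attrs = [p.strip() for p in body.split(";")]
    name, _, value = pair.partition("=")
    attributes = {}
    for attr in attrs:
        key, has_value, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attributes


def check_cookie(header):
    """Return the protections from the article's list that this cookie lacks."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "max-age" in attrs:
        if not str(attrs["max-age"]).lstrip("-").isdigit():
            findings.append("Max-Age is not a number")
    elif "expires" in attrs:
        try:
            parsedate_to_datetime(attrs["expires"])   # must be an HTTP date
        except (TypeError, ValueError):
            findings.append("expires is not a valid date")
    else:
        findings.append("no Max-Age/expires: kept until the browser closes")
    if "secure" not in attrs:
        findings.append("no Secure: also sent over unencrypted HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: readable by scripts running in the page")
    return findings


def audit(headers):
    """Map each cookie name to its findings; an empty list means every flag is set."""
    return {parse_set_cookie(h)[0]: check_cookie(h) for h in headers}
```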
Remember, less is better.
There are security suite packages such as Kali Linux which has numerous tools to check these kinds of security vulnerabilities.
The Cookie Cadger package allows you to inspect them,
while Cookies Manager+ also lets you play with them.