
Basics of Internet Cookies

What are cookies?

Cookies are small text files placed on a user’s computer (or smartphone), which are commonly used to collect personal data. Most website operators place cookies in the browser or on the hard drive of their users’ computers. Cookies can gather information about the use of a website or enable the website to recognize the user as an existing customer when they return to the website at a later date. A cookie file is neither a virus nor spyware. The law protects website users and lets them opt out of the use of cookies in their web browser.

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with the next request to the same server. Typically, it is used to tell whether two requests came from the same browser, for example to keep a user logged in. It carries stateful information on top of the stateless HTTP protocol.

What are the benefits of cookies?

Cookies are used to make the user’s web experience faster, more convenient and personalized. For example, you can select a language the first time you visit a website; when you visit the website again, it will remember your preference.

Cookies are mainly used for three purposes:

  • Session management – Logins, shopping carts, game scores, or anything else the server should remember
  • Personalization – User preferences, themes, and other settings
  • Tracking – Recording and analyzing user behavior

Cookies were once used for general client-side storage. While this was legitimate when they were the only way to store data on the client, it is recommended nowadays to prefer modern storage APIs. Cookies are sent with every request, so they can worsen performance (especially for mobile data connections). Modern APIs for client storage are the Web storage API (localStorage and sessionStorage) and IndexedDB.

Types of cookies

Session cookies

Session cookies, also known as ‘temporary cookies’, help websites recognize users and the information provided when they navigate through a website. Session cookies only retain information about a user’s activities for as long as they are on the website. Once the web browser is closed, the cookies are deleted. These are commonly used on shopping websites or e-commerce websites.

Permanent cookies

Permanent cookies, also known as ‘persistent cookies’, remain in operation even after the web browser has closed. For example, they can remember login details and passwords so web users don’t need to re-enter them every time they use a site. The law states that permanent cookies must be deleted after 12 months.

Third-party cookies

Third-party cookies are installed by third parties with the aim of collecting certain information from web users to carry out research into, for example, behavior, demographics or spending habits. They are commonly used by advertisers who want to ensure that products and services are marketed towards the right target audience.

Flash cookies

Flash cookies, also known as ‘super cookies’, are independent from the web browser. They are designed to be permanently stored on a user’s computer. These types of cookies remain on a user’s device even after all cookies have been deleted from their web browser.

Zombie cookies

Zombie cookies are a type of flash cookie that is automatically re-created after a user has deleted it. This makes them difficult to detect or manage. They are often used in online games to prevent users from cheating, but have also been used to install malicious software onto a user’s device.

Secure and HttpOnly cookies

A secure cookie is only sent to the server with an encrypted request over the HTTPS protocol. Even with Secure, sensitive information should never be stored in cookies, as they are inherently insecure and this flag can’t offer real protection. Starting with Chrome 52 and Firefox 52, insecure sites (http:) can’t set cookies with the Secure directive.

To help mitigate cross-site scripting (XSS) attacks, HttpOnly cookies are inaccessible to JavaScript’s Document.cookie API; they are only sent to the server. For example, cookies that persist server-side sessions don’t need to be available to JavaScript, and the HttpOnly flag should be set.

Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly

Same-site cookies

Same-site cookies let servers require that a cookie shouldn’t be sent with cross-site (where Site is defined by the registrable domain) requests, which provides some protection against cross-site request forgery attacks (CSRF).

Same-site cookies are relatively new and supported by all major browsers.

Here is an example:

Set-Cookie: key=value; SameSite=Strict

  • None – The browser will send cookies with both cross-site requests and same-site requests.
  • Strict – The browser will only send cookies for same-site requests (requests originating from the site that set the cookie). If the request originated from a different URL than the URL of the current location, none of the cookies tagged with the Strict attribute will be included.
  • Lax – Same-site cookies are withheld on cross-site subrequests, such as calls to load images or frames, but will be sent when a user navigates to the URL from an external site; for example, by following a link.
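The following is an added example, not code from the original post: a small audit function that parses a Set-Cookie header and reports which of the Secure, HttpOnly and SameSite protections described above are missing. The first two sample headers are the ones shown on this page; the third (`sid=3b1c`) is a constructed hardened session cookie.

```python
# Added example, not from the original post: audit a Set-Cookie header for the
# Secure, HttpOnly and SameSite attributes covered above. Each finding names
# the exposure that a missing attribute leaves open.
def parse_set_cookie(header: str):
    """Return (name, value, attrs). Attribute names are lower-cased; flag
    attributes such as Secure carry an empty string as their value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")   # Expires contains a comma, never a ";"
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str, session_cookie: bool = True):
    """List weaknesses of one Set-Cookie header. session_cookie marks a cookie
    that carries a server-side session id and therefore never needs JS access."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure, may be sent over plain http")
    if session_cookie and "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly, readable via document.cookie (XSS)")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax"):
        findings.append(f"{name}: SameSite not Strict/Lax, sent cross-site (CSRF)")
    return findings


# Sample headers: the two from the post plus a constructed hardened session cookie.
SAMPLES = [
    "id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly",
    "key=value; SameSite=Strict",
    "sid=3b1c; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, "->", audit_set_cookie(h) or ["ok"])
```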

Scope of cookies

The Domain and Path directives define the scope of the cookie: what URLs the cookies should be sent to.

Domain specifies which hosts are allowed to receive the cookie. If unspecified, it defaults to the host of the current document location, excluding subdomains. If Domain is specified, then subdomains are always included.

For example, if Domain=mozilla.org is set, then cookies are included on subdomains like developer.mozilla.org.

Path indicates a URL path that must exist in the requested URL in order to send the Cookie header. The %x2F (“/”) character is considered a directory separator, and subdirectories will match as well.

For example, if Path=/docs is set, these paths will match:

  • /docs
  • /docs/Web/
  • /docs/Web/HTTP
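The scope rules above, implemented as an added example (not code from the original post): given a cookie as a browser would store it after parsing Set-Cookie, decide whether it is attached to a request URL. The Secure check from the earlier section is included, and the look-alike host and `/docsx` cases go slightly beyond the post's own examples. The sample cookie and URLs are constructed.

```python
# Added example, not from the original post: apply the Domain, Path and Secure
# rules described above to decide whether a stored cookie is sent with a request.
from urllib.parse import urlsplit


def domain_matches(request_host: str, cookie_domain: str, host_only: bool) -> bool:
    """No Domain attribute (host_only) matches the exact host only; a Domain
    attribute matches that host and every subdomain of it, nothing else."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if host_only:
        return request_host == cookie_domain
    # The "." prefix keeps look-alike hosts such as evilmozilla.org from matching.
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Exact match, or cookie_path is a directory prefix ("/" is the separator)."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # /docs matches /docs/Web/HTTP but must not match /docsx
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_sent_to(cookie: dict, url: str) -> bool:
    """cookie holds name, domain, host_only, path and secure as stored by the
    browser for the site that set it."""
    u = urlsplit(url)
    if cookie["secure"] and u.scheme != "https":
        return False
    if not domain_matches(u.hostname or "", cookie["domain"], cookie["host_only"]):
        return False
    return path_matches(u.path or "/", cookie["path"])


# Constructed sample, as stored from: Set-Cookie: id=a3fWa; Domain=mozilla.org; Path=/docs; Secure
SAMPLE = {"name": "id", "domain": "mozilla.org", "host_only": False,
          "path": "/docs", "secure": True}

if __name__ == "__main__":
    for url in ("https://developer.mozilla.org/docs/Web/HTTP",
                "http://developer.mozilla.org/docs",
                "https://evilmozilla.org/docs",
                "https://mozilla.org/docsx"):
        print(url, "->", cookie_sent_to(SAMPLE, url))
```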

Law on cookies

The basic rule around cookies is that websites must:

  • Tell people the cookies are there and what cookies are being used;
  • Explain what the cookies are doing and why; and
  • Get the user’s consent to store a cookie on their device.

What counts as consent?

Consent must be freely given, specific and informed. It must involve some form of unambiguous positive action, for example by ticking a box or clicking a link. The user must fully understand that they are giving consent.

Therefore consent cannot be given if the information is only provided as part of a privacy policy that is hard to find, difficult to understand, or rarely read.

Consent does not necessarily have to be explicit consent. However, consent must be given by a clear positive action. Users must fully understand that their actions will result in specific cookies being set, and have taken a clear and deliberate action to give consent. This must be more than simply continuing to use the website. To ensure that consent is freely given, users should be able to disable cookies.

Can cookies be erased or blocked?

Most cookies can be erased or blocked. To erase cookies you will need to find the folder or file where they are stored on your device and delete them. Session cookies will automatically be deleted when you close your web browser.

You can also block a website’s cookies. You can do this by configuring your browser settings.

You can also use specialist software that protects against malicious cookies. These applications can be customized to let you change the content of the cookies you want to receive or will allow to be stored on your device.

Enforcement and penalties

The Information Commissioner’s Office (ICO) is responsible for ensuring that organisations comply with the law on cookies. It takes a practical and proportionate approach to enforcing the rules on cookies. Where a business fails or refuses to comply with the rules, the ICO can take the specific actions described below.

Information notices

The ICO can issue information notices, which require organisations to provide the ICO with specific information within a certain time period.

Undertakings

Undertakings require organisations to take a particular course of action in order to improve their compliance.

Enforcement notices

Enforcement notices compel an organisation to take action specified in the notice. For example, a notice may be served to compel an organisation to start gaining consent for cookies. Failure to comply with an enforcement notice can be a criminal offence.

Monetary penalty notice

A monetary penalty notice requires an organisation to pay a monetary penalty of an amount determined by the ICO, up to a maximum of £500,000. This power can be used if any person has seriously contravened the law and if the breach is likely to cause substantial damage or distress.
