Tag Archives: cookies

Web 101: When Cookies Go Bad

We learned in the last post that cookies can make the web more useful and more fun. But cookies can have a darker side, too. Here we’ll learn about the seedier uses of cookies and what you can do about them.

If you already have a cookie from a website and you revisit that website, your browser only sends the information for that website’s cookie. So if you’re at Amazon, your browser only sends the Amazon cookie information and not the eBay cookie information. There are a couple of exceptions to that rule, and this is where cookies cause problems for most people.

Lots of web sites contain advertisements. This isn’t normally a bad thing — the ads pay for the costs associated with the web site and make it possible for lots of free content to be out there for you. However, those ads are served up by a different domain than the site you’re on. If you’re visiting example.com, the ads might come from advexample.com and spamsalot.com. Both of those advertising domains can then put what are called “third-party cookies” into your browser. Later on, when you go to anotherexample.com, which also has an ad from advexample.com, that advertiser not only knows it’s you, but knows you recently visited example.com. These advertising cookies can track you across the web, and are the reason why after visiting a site selling shoes you suddenly start seeing lots of ads for shoes on other sites.

Some people really like having more targeted ads — if you have to see ads anyway, they may as well be for something you’re interested in. Other people find this tracking to be a bit creepy. If you’re in the latter group, there’s an easy fix. All the major browsers let you block any third-party cookies. (You can also use these same instructions to block all cookies.)
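The tracking described above, and the effect of blocking third-party cookies, can be simulated in a few lines of Python. This is an added example, not code from the original post; the `AdServer` and `Browser` classes and the `visitor-N` cookie values are constructed for illustration.

```python
import itertools


class AdServer:
    """Constructed stand-in for the ad server at advexample.com."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.visits = {}  # cookie id -> pages on which this browser loaded an ad

    def serve_ad(self, cookie, referer):
        # Each ad request carries the advertiser's own cookie (if the browser
        # has one) plus a Referer header naming the page that embeds the ad.
        if cookie is None:
            cookie = f"visitor-{next(self._ids)}"
        self.visits.setdefault(cookie, []).append(referer)
        return cookie  # handed back to the browser in a Set-Cookie header


class Browser:
    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}  # cookie domain -> cookie value

    def visit(self, site, ad_domain, ad_server):
        # The browser sends ad_domain only the cookie that ad_domain set.
        issued = ad_server.serve_ad(self.jar.get(ad_domain), referer=site)
        is_third_party = ad_domain != site
        if not (is_third_party and self.block_third_party):
            self.jar[ad_domain] = issued


def browsing_profiles(block_third_party):
    """Visit two sites carrying the same ad; return what the ad server learned."""
    ads = AdServer()
    browser = Browser(block_third_party)
    for site in ("example.com", "anotherexample.com"):
        browser.visit(site, "advexample.com", ads)
    return ads.visits


if __name__ == "__main__":
    print(browsing_profiles(block_third_party=False))
    print(browsing_profiles(block_third_party=True))
```

With blocking off, both visits land under one cookie id; with blocking on, the ad server sees two unrelated first-time visitors.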

You probably already have a lot of tracking cookies stored in your browser. If you want to get rid of those, too, there are a couple of ways to do it. You can either go through your existing cookies one by one, or you can delete all your existing cookies. Deleting all your cookies is a lot faster than trying to figure out which ones you want and which ones you don’t, but it does mean you will need to sign in to any web sites again.

Deleting tracking cookies doesn’t stop all forms of tracking, but currently this is the most common form used. And now you have some control over the process.

Web 101: Cookies Make the Web Better

As we learned in the last post, web sites use cookies to remember who you are. Why do you want web sites to do this?

Let’s say you want to do some online shopping. You go to a web site, look at a few items, and put one into your shopping cart. If the web site couldn’t tell who you are from page to page, as soon as you click on “check out” your shopping cart would disappear. You would never be able to make a purchase, because there would be no way* to make the web site know that the person who asked for the shopping cart page is the same person who added the item to the cart.

Perhaps you aren’t buying anything today, but you are logging in to Facebook instead. Cookies are how Facebook matches you up to the person who logged in. This lets Facebook show you your updates, and only your updates.

Cookies can also be used to make your web browsing a little faster. Some web sites will show you a different version depending on your country. Small and medium-sized websites look up your IP address’s country from a public online database, and this is a relatively slow process. (Plus, they have to pay if there are too many lookups in a day.) If the web site sets a cookie after the first lookup, it can keep track of your country and show you the right version without doing any more lookups.

Cookies are also frequently used when you fill out a form on the web or request information that’s in a database. One way to do this is with a query string — if you see a ? in the URL, a query string has been used. One problem with query strings is not much information can be sent. A bigger problem is that users can guess at other query strings because they see what’s being sent. If you fill out a form and see that the URL you go to is http://www.example.com/mypage?userid=1234, there’s nothing to stop you from changing that URL to http://www.example.com/mypage?userid=1235 and accessing that user’s information. This isn’t much of a problem if the request is for a product description or a blog post, but it can cause havoc in lots of other situations. Cookies solve that problem — by using what’s called a session cookie which is stored in your browser’s memory and goes away when you close your browser, more information can be sent and it can be hidden a little better from snoopers.
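The difference between the two approaches, sketched in Python as an added example (not code from the original post). The account data, the cookie name `session` and the function names are constructed for illustration, and the password check at login is left out.

```python
import secrets

# Constructed sample data matching the userid=1234 / userid=1235 URLs above.
ACCOUNTS = {"1234": "order history for user 1234",
            "1235": "order history for user 1235"}

SESSIONS = {}  # session token -> userid; this table never leaves the server


def page_by_query_string(query):
    # Weak pattern from the paragraph: the server trusts whatever userid is
    # in the URL, so editing the number returns someone else's page.
    return ACCOUNTS.get(query.get("userid"))


def log_in(userid):
    # After a successful login the server issues a long random token and
    # remembers which account it belongs to. The browser only ever holds
    # the token, which says nothing about neighbouring accounts.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = userid
    return token  # sent to the browser as the session cookie


def page_by_session_cookie(cookies):
    # The account is chosen by the server-side lookup, not by a value the
    # user can increment. Unknown or missing tokens get nothing.
    userid = SESSIONS.get(cookies.get("session"))
    if userid is None:
        return None
    return ACCOUNTS[userid]


if __name__ == "__main__":
    print(page_by_query_string({"userid": "1235"}))       # other user's page
    token = log_in("1234")
    print(page_by_session_cookie({"session": token}))     # own page
    print(page_by_session_cookie({"session": "1235"}))    # None: not a valid token
```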

So much for the good side of cookies. Next up — when cookies go bad.

* Actually, there are ways such as using a query string, matching up IP addresses, or a few other techniques. Although cookies have security issues, most of these methods are far less secure than cookies, or cause other problems for the user.

Web 101: Are Cookies Yummy?


CC Cookie image courtesy of azmichelle on flickr

Just like real life cookies, a few cookies in your browser make life fun, but too many are a bad thing. Before we can get into what’s good, what’s bad, and what you can do to manage cookies, we need to learn a bit about what cookies are.

Let’s say you have just navigated to this page. When the web server sends the text that will display this page on the screen (see Web 101: Text and the Web for more on this), the web server also sends what’s called a header for the file. The header has things like a line telling your browser that the server found the file, a line saying what kind of file is being sent, a line saying how long the file is, and a few other things your browser needs to know. If the web site wants to put a cookie on your computer, it also includes the cookie in this header. For example, the header might include the line:

Set-cookie: 1127

Your browser keeps a file of cookies that it has saved, and when it sees this in the header, it adds a line to the cookie file that has the name of the website and the id number (1127 in this case) of the cookie. There will also be some other information, like when the cookie was first set, when it should expire, and the type of cookie.

The next time you visit that website (even if it’s just clicking on another page in the website), your browser will add a line to the request for the webpage. That line will be

Cookie: 1127

The web server will then look up cookie 1127 in its database, and know that you are the same person it saw before. If you have logged in to the site in the past, it will be able to match up that cookie to your account.

Because cookies are stored by your web browser, if you visit the site again on a different computer or with a different browser (say you use Firefox instead of Chrome), the site won’t recognize you and you will get a new cookie.
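The whole exchange, from both sides, as an added Python example using the standard library's `http.cookies` module (not code from the original post). Real headers carry a `name=value` pair plus attributes, so the cookie name `id`, the attribute choices and the function names here are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

VISITORS = {}  # cookie id -> what the server remembers about that visitor


def first_response_header(cookie_id, max_age=3600):
    # Server: record the new visitor and build the Set-Cookie header line.
    VISITORS[cookie_id] = {"visits": 1}
    cookie = SimpleCookie()
    cookie["id"] = cookie_id
    cookie["id"]["max-age"] = max_age  # when the cookie should expire
    cookie["id"]["path"] = "/"
    cookie["id"]["secure"] = True      # only send over HTTPS
    cookie["id"]["httponly"] = True    # hide from page scripts
    return cookie.output()             # "Set-Cookie: id=...; <attributes>"


def browser_store(jar, site, header_line):
    # Browser: file the name=value pair under the site that sent it.
    parsed = SimpleCookie()
    parsed.load(header_line.partition(": ")[2])
    jar.setdefault(site, {}).update({k: m.value for k, m in parsed.items()})


def browser_request_header(jar, site):
    # Browser: on the next request, send back only this site's cookies.
    pairs = jar.get(site)
    if not pairs:
        return None                    # a fresh browser has nothing to send
    return "Cookie: " + "; ".join(f"{k}={v}" for k, v in pairs.items())


def server_recognise(header_line):
    # Server: look the id up; None means "never seen this browser before".
    if header_line is None:
        return None
    parsed = SimpleCookie()
    parsed.load(header_line.partition(": ")[2])
    morsel = parsed.get("id")
    record = VISITORS.get(morsel.value) if morsel else None
    if record is not None:
        record["visits"] += 1
    return record


if __name__ == "__main__":
    jar = {}
    browser_store(jar, "example.com", first_response_header("1127"))
    print(browser_request_header(jar, "example.com"))
    print(server_recognise(browser_request_header(jar, "example.com")))
    print(server_recognise(browser_request_header({}, "example.com")))
```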

In the next couple of posts we’ll learn when cookies are good for you and when they are troublesome.

(Thanks to Computer Networking: A Top-Down Approach for much of the information in this post.)