HTTP cookie: Difference between revisions

Line 17:
 
===Origin of the name===
The term "''cookie''" was coined by web-browser programmer [[Lou Montulli]]. It was derived from the term "''[[magic cookie]]''", which is a packet of data a program receives and sends back unchanged, used by [[Unix]] programmers.<ref name="wdi6I">{{cite web|url=http://dominopower.com/article/where-cookie-comes-from/|title=Where cookie comes from :: DominoPower|website=dominopower.com|access-date=19 October 2017|archive-url=https://web.archive.org/web/20171019174750/http://dominopower.com/article/where-cookie-comes-from/|archive-date=19 October 2017|url-status=live}}</ref><ref name="xVtjM">{{cite web|editor-last1=Raymond|editor-first1=Eric |title=magic cookie|url=http://catb.org/jargon/html/M/magic-cookie.html|website=The Jargon File (version 4.4.7)|access-date=8 September 2017|archive-url=https://web.archive.org/web/20170906230653/http://www.catb.org/jargon/html/M/magic-cookie.html|archive-date=6 September 2017|url-status=live}}</ref> The term magic cookie itself derives from the [[fortune cookie]], which is a cookie with an embedded message.<ref>{{cite web|url=https://www.inlife.co.uk/why-are-cookies-called-cookies/|title=Why are internet cookies called cookies?}}</ref>
 
===History===
Line 63:
 
====Other uses====
The term "''supercookie''" is sometimes used for tracking technologies that do not rely on HTTP cookies. Two such "''supercookie''" mechanisms were found on Microsoft websites in August 2011: cookie syncing that respawned MUID (machine unique identifier) cookies, and [[HTTP ETag|ETag]] cookies.<ref name="Ivyb7">{{cite web |last=Mayer |first=Jonathan |date=19 August 2011 |title=Tracking the Trackers: Microsoft Advertising |url=http://cyberlaw.stanford.edu/node/6715 |publisher=The Center for Internet and Society |access-date=28 September 2011 |archive-url=https://web.archive.org/web/20110926122412/http://cyberlaw.stanford.edu/node/6715 |archive-date=26 September 2011 |url-status=live}}</ref> Due to media attention, Microsoft later disabled this code.<ref name="8LKGy">{{cite web |last=Vijayan |first=Jaikumar |title=Microsoft disables 'supercookies' used on MSN.com visitors |url=http://www.computerworld.com/article/2510494/data-privacy/microsoft-disables--supercookies--used-on-msn-com-visitors.html |access-date=23 November 2014 |archive-url=https://web.archive.org/web/20141127185609/http://www.computerworld.com/article/2510494/data-privacy/microsoft-disables--supercookies--used-on-msn-com-visitors.html |archive-date=27 November 2014 |url-status=live}}</ref> In a 2021 blog post, Mozilla used the term "''supercookie''" to refer to [[#Browser cache|the use of browser cache]] as a means of tracking users across sites.<ref name="PyGKV">{{cite web |date=26 January 2021 |url=https://blog.mozilla.org/security/2021/01/26/supercookie-protections/ |title=Firefox 85 Cracks Down on Supercookies |first1=Steven|last1=Englehardt|first2=Arthur|last2=Edelstein}}</ref>
 
===Zombie cookie===
Line 81:
==Uses==
===Session management===
Cookies were originally introduced to provide a way for users to record items they want to purchase as they navigate throughout a website (a virtual "''shopping cart''" or "''shopping basket''").<ref name="kesan" /><ref name="kristol" /> Today, however, the contents of a user's shopping cart are usually stored in a database on the server, rather than in a cookie on the client. To keep track of which user is assigned to which shopping cart, the server sends a cookie to the client that contains a [[unique identifier|unique session identifier]] (typically, a long string of random letters and numbers). Because cookies are sent to the server with every request the client makes, that session identifier will be sent back to the server every time the user visits a new page on the website, which lets the server know which shopping cart to display to the user.
 
Another popular use of cookies is for logging into websites. When the user visits a website's login page, the web server typically sends the client a cookie containing a unique session identifier. When the user successfully logs in, the server remembers that this particular session identifier has been authenticated and grants the user access to its services.
Line 133:
</syntaxhighlight>
 
The server's HTTP response contains the contents of the website's homepage. But it also instructs the browser to set two cookies. The first, "''theme''", is considered to be a ''session cookie'' since it does not have an <code>Expires</code> or <code>Max-Age</code> attribute. Session cookies are intended to be deleted by the browser when the browser closes. The second, "''sessionToken''", is considered to be a ''persistent cookie'' since it contains an <code>Expires</code> attribute, which instructs the browser to delete the cookie at a specific date and time.
 
Next, the browser sends another request to visit the <code>spec.html</code> page on the website. This request contains a <code>Cookie</code> header field, which contains the two cookies that the server instructed the browser to set:
Line 147:
The value of a cookie may consist of any printable [[ASCII]] character (<code>!</code> through <code>~</code>, [[Unicode]] <code>\u0021</code> through <code>\u007E</code>) excluding {{codes|,|;|d=and}} and [[whitespace character]]s. The name of a cookie excludes the same characters, as well as <code>=</code>, since that is the delimiter between the name and value. The cookie standard RFC 2965 is more restrictive but not implemented by browsers.
 
The term "''cookie crumb''" is sometimes used to refer to a cookie's name–value pair.<ref name="CrumbExample">{{cite web |url=http://msdn2.microsoft.com/en-us/library/ms533693.aspx |title=Cookie Property |work=MSDN |publisher=Microsoft |access-date=2009-01-04 |archive-url=https://web.archive.org/web/20080405180445/http://msdn2.microsoft.com/en-us/library/ms533693.aspx |archive-date=2008-04-05 |url-status=live}}</ref>
 
Cookies can also be set by scripting languages such as [[JavaScript]] that run within the browser. In JavaScript, the object <code>document.cookie</code> is used for this purpose. For example, the instruction <code>document.cookie = "temperature=20"</code> creates a cookie of name "''temperature''" and value "''20''".<ref name="Q2GAk">{{cite news |first=Ross |last=Shannon |url=http://www.yourhtmlsource.com/javascript/cookies.html |title=Cookies, Set and retrieve information about your readers |publisher=HTMLSource |date=2007-02-26 |access-date=2009-01-04 |archive-url=https://web.archive.org/web/20110824225515/http://www.yourhtmlsource.com/javascript/cookies.html |archive-date=2011-08-24 |url-status=live}}</ref>
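The character rules above can be checked mechanically when a server receives a <code>Cookie</code> header. The following parser is an added illustration (not code from the article or from any browser or server library): it splits the header into cookie crumbs and rejects, rather than repairs, any crumb whose name or value breaks the rules, so that delimiter or whitespace characters cannot be smuggled into a name. The sample header at the end is constructed for the demonstration.

```python
# Added example (not from the article): parse a Cookie request header into its
# name-value pairs ("crumbs") and validate each one against the rules stated
# above: printable ASCII 0x21-0x7E, no ',' ';' or whitespace, and no '=' in
# the name because '=' is the name/value delimiter.

def _allowed(text, extra_forbidden=""):
    """True if every character is printable ASCII (! through ~) and not forbidden."""
    forbidden = set(",;") | set(extra_forbidden)
    return all(0x21 <= ord(ch) <= 0x7E and ch not in forbidden for ch in text)

def valid_cookie_name(name):
    """A name must be non-empty and must not contain the '=' delimiter."""
    return bool(name) and _allowed(name, extra_forbidden="=")

def valid_cookie_value(value):
    """Empty values are permitted. (RFC 6265 is slightly stricter than the
    article's rule and also excludes '"' and '\\'; the article's rule is used.)"""
    return _allowed(value)

def parse_cookie_header(header):
    """Split 'a=1; b=2' into (accepted crumbs as a dict, list of rejected crumbs).

    Browsers send crumbs separated by "; ". A crumb with no '=' or with an
    invalid name or value is rejected whole. Later duplicates overwrite earlier
    ones, preserving the order in which the browser listed them.
    """
    accepted, rejected = {}, []
    for crumb in header.split(";"):
        crumb = crumb.strip()
        if not crumb:
            continue
        name, sep, value = crumb.partition("=")
        if not sep or not valid_cookie_name(name) or not valid_cookie_value(value):
            rejected.append(crumb)
            continue
        accepted[name] = value
    return accepted, rejected

# Constructed sample: two valid crumbs, one with whitespace in its value,
# and one with no '=' at all.
SAMPLE_HEADER = "theme=light; sessionToken=abc123; bad=two words; orphan"
```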
 
===Cookie attributes===
Line 181:
</syntaxhighlight>
 
The first cookie, <code>lu</code>, is set to expire sometime on 15 January 2013. It will be used by the client browser until that time. The second cookie, <code>made_write_conn</code>, does not have an expiration date, making it a session cookie. It will be deleted after the user closes their browser. The third cookie, <code>reg_fb_gate</code>, has its value changed to "''deleted''", with an expiration time in the past. The browser will delete this cookie right away because its expiration time is in the past. Note that the cookie will only be deleted if the ___domain and path attributes in the <code>Set-Cookie</code> field match the values used when the cookie was created.
 
{{As of|2016}} Internet Explorer did not support <code>Max-Age</code>.<ref name="nyQ00">{{Cite web|url=https://inikulin.github.io/cookie-compat/#MOZILLA0001|title=Cookies specification compatibility in modern browsers|date=2016|website=inikulin.github.io|access-date=2016-09-30|archive-url=https://web.archive.org/web/20161002124029/http://inikulin.github.io/cookie-compat/#MOZILLA0001|archive-date=2016-10-02|url-status=live}}</ref><ref name="wASD0">{{cite web|url=http://mrcoles.com/blog/cookies-max-age-vs-expires/|title=HTTP Cookies: What's the difference between Max-age and Expires? – Peter Coles|first=Peter|last=Coles|website=Mrcoles.com|access-date=28 July 2016|archive-url=https://web.archive.org/web/20160729011727/http://mrcoles.com/blog/cookies-max-age-vs-expires/|archive-date=29 July 2016|url-status=live}}</ref>
Line 332:
This approach presents two advantages from the point of view of the tracker. First, having the tracking information placed in the HTTP request body rather than in the URL means it will not be noticed by the average user. Second, the session information is not copied when the user copies the URL (to bookmark the page or send it via email, for example).
 
===="window.name" DOM property====
All current web browsers can store a fairly large amount of data (2–32&nbsp;MB) via JavaScript using the [[Document Object Model|DOM]] property <code>window.name</code>. This data can be used instead of session cookies. The technique can be coupled with [[JSON]]/JavaScript objects to store complex sets of session variables on the client side.