HTTP cookie: Difference between revisions

Content deleted Content added
Malleus Fatuorum (talk | contribs)
fix citation fmt
Malleus Fatuorum (talk | contribs)
m fixed dashes using a script
Line 1:
{{HTTP}}
A '''cookie''', also known as an '''HTTP cookie''', '''web cookie''', or '''browser cookie''', is used by an origin website to send state information to a user's browser and by the browser to return that state information to the origin site.<ref>{{cite web | url = http://tools.ietf.org/html/rfc6265#section-3 | work=IETF | title= HTTP State Management Mechanism - Overview |date=2011-04}}</ref> The state information can be used for [[authentication]], identification of a user's [[http session|session]], the user's preferences, [[Shopping cart software|shopping cart]] contents, or anything else that can be accomplished by storing text data.
 
As text, cookies are not [[executable]]. Because they are not executed, they cannot replicate themselves and are not [[Computer virus|viruses]]. However, they can be used by [[spyware]] to track users' browsing activities, a major privacy concern that prompted stricter laws.<ref name=eulaw>{{cite news | url = http://www.bbc.co.uk/news/technology-12668552 | work= BBC | title=New net rules set to make cookies crumble | date=2011-03-08}}</ref> Cookies can also be stolen by [[Hacker_(computer_security)|hackers]] to gain access to a victim's web account.<ref>{{cite web|url= http://news.cnet.com/8301-10789_3-9918582-57.html |first=Robert |last=Vamosi | title=Gmail cookie stolen via Google Spreadsheets |date=2008-04-14}}</ref>
 
== History ==
Line 28:
 
=== HttpOnly cookie ===
The HttpOnly cookie is supported by most modern browsers.<ref name="httponlyrfc">IETF [http://tools.ietf.org/html/rfc6265 HTTP State Management Mechanism - Apr, 2011] Obsoletes RFC 2965.</ref> On a supporting browser, an HttpOnly cookie is only sent when transmitting HTTP (or HTTPS) requests. In addition, the cookie value is not available to client-side script (such as JavaScript), thereby mitigating the threat of cookie theft via [[Cross-site scripting]].
 
=== Third-party cookie ===
Line 71:
Cookies are arbitrary pieces of data chosen by the [[Web server]] and sent to the browser. The browser returns them unchanged to the server, introducing a [[state (computer science)|state]] (memory of previous events) into otherwise stateless HTTP transactions. Without cookies, each retrieval of a [[Web page]] or component of a Web page is an isolated event, mostly unrelated to all other views of the pages of the same site. Other than being set by a web server, cookies can also be set by a [[Scripting programming language|script]] in a language such as [[JavaScript]], if supported and enabled by the Web browser.
 
Cookie specifications<ref name="httponlyrfc" /><ref>{{cite web | title=Persistent client state HTTP cookies: Preliminary specification | url=http://wp.netscape.com/newsref/std/cookie_spec.html | archiveurl=http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html | work= | publisher=Netscape | archivedate=2007-08-05 | date=c1999 | accessdate= }}</ref><ref>RFC 2965 - HTTP State Management Mechanism ([[Internet Engineering Task Force|IETF]])</ref> specify a minimum number of cookies that browsers should be able to store and send back. In particular, a web browser is expected to be able to store at least 300 cookies of four [[kilobyte]]s each, and at least 20 cookies per server or [[Internet ___domain|___domain]].
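The following is an added example (not part of the article or of any browser's code) showing, as a small Node.js cookie jar, how the behaviour described in the HttpOnly section and the limits quoted above fit together: cookies are matched to a request by ___domain and path, the HttpOnly flag withholds a cookie from what a script would see in document.cookie, a response may not set a cookie for a ___domain its host does not belong to, and the per-___domain and per-cookie limits are the minimums given in the text. Path matching is simplified to a prefix check and Expires/Max-Age are ignored; the host names are constructed.

```javascript
// Added example: simplified RFC 6265-style jar. Limits are the text's minimums; Expires/Max-Age ignored.
const MAX_PER_DOMAIN = 20;
const MAX_COOKIE_BYTES = 4096;
// Host matches a cookie ___domain when it equals it or is a subdomain of it.
const domainMatches = (host, dom) => host === dom || host.endsWith('.' + dom);

// Parse one Set-Cookie header value; returns null for a malformed name=value pair.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) return null;
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
    ___domain: requestHost.toLowerCase(), path: '/', httpOnly: false, secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.trim().toLowerCase()) {
      case 'httponly': c.httpOnly = true; break;
      case 'secure': c.secure = true; break;
      case 'path': c.path = v.trim() || '/'; break;
      case 'domain': c.___domain = v.trim().replace(/^\./, '').toLowerCase(); break;
    }
  }
  return c;
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store a cookie from a response sent by requestHost. Rejected when malformed, oversized,
  // scoped to a ___domain the host is not in, or when the ___domain is full; same (name, ___domain, path) replaces.
  store(header, requestHost) {
    const c = parseSetCookie(header, requestHost);
    if (!c || Buffer.byteLength(`${c.name}=${c.value}`) > MAX_COOKIE_BYTES) return false;
    if (!domainMatches(requestHost.toLowerCase(), c.___domain)) return false;
    const i = this.cookies.findIndex((o) => o.name === c.name && o.___domain === c.___domain && o.path === c.path);
    if (i >= 0) { this.cookies[i] = c; return true; }
    if (this.cookies.filter((o) => o.___domain === c.___domain).length >= MAX_PER_DOMAIN) return false;
    this.cookies.push(c);
    return true;
  }

  // Cookie header sent with a request to host+path (Secure only over HTTPS); with
  // forScript=true it is what document.cookie would show: HttpOnly cookies are withheld.
  get(host, path, https, forScript = false) {
    return this.cookies
      .filter((c) => domainMatches(host.toLowerCase(), c.___domain) && path.startsWith(c.path)
        && (https || !c.secure) && !(forScript && c.httpOnly))
      .map((c) => `${c.name}=${c.value}`).join('; ');
  }
}
```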
 
=== Setting a cookie ===
Line 345:
 
=== window.name ===
All current web browsers can store a fairly large amount of data (2–32 MB) via JavaScript using the [[DOM]] property window.name. This data can be used instead of session cookies and is also cross-___domain. The technique can be coupled with [[JSON]]/JavaScript objects to store complex sets of session variables<ref>{{cite web|url=http://www.thomasfrank.se/sessionvars.html |title=ThomasFrank.se |publisher=ThomasFrank.se |date= |accessdate=2010-05-22}}</ref> on the client side.
 
The downside is that every separate window or [[Tabbed document interface|tab]] will initially have an empty ''window.name''; with [[Tabbed document interface|tabbed browsing]] this means that a tab opened directly by the user will start with no window name. Furthermore, ''window.name'' can be used for tracking visitors across different web sites, making it a concern for [[Internet privacy]].
Line 356:
== See also ==
* [[Dynamic HTML]]
* [[Local Shared Object]] - Flash Cookies
* [[Session Beans]]
* [[Session (computer science)]]
Line 374:
== External links ==
{{Spoken Wikipedia|HTTP_cookie.ogg|2011-04-10}}
* RFC 6265 - the official specification for HTTP cookies
* {{HSW|cookie|How Internet Cookies Work}}
* [http://www.microsoft.com/info/cookies.mspx Information About Cookies] from [[Microsoft]]
* [http://epic.org/privacy/internet/cookies/ Cookies] at the Electronic Privacy Information Center (EPIC)
* [http://cpe.njit.edu/dlnotes/CIS/CIS350/TakingTheByteOutOfCookies.pdf Taking the Byte Out of Cookies: Privacy, Consent, and the Web] (PDF)
* [http://archive.cabinetoffice.gov.uk/e-government/resources/handbook/html/4-7.asp Web handbook - Cookies] from Delivery And Transformation Group, Cabinet Office, UK
* [http://www.comscore.com/press/release.asp?press=1389 Cookie-Based Counting Overstates Size of Web Site Audiences] at ComScore
* [http://www.pbs.org/mediashift/2007/11/dont_tread_on_our_cookiesthe_w.html Don’t Tread on Our Cookies - The Web Privacy Manifesto] at PBS
* [http://support.mozilla.com/en-US/kb/Cookies Mozilla Knowledgebase: Cookies]