A '''cookie''', also known as an '''HTTP cookie''', '''web cookie''', or '''browser cookie''', is used by an origin website to send state information to a user's browser and by the browser to return that state information to the origin site.<ref>{{cite web | url = http://tools.ietf.org/html/rfc6265#section-3 | work=IETF | title= HTTP State Management Mechanism – Overview |date=2011-04}}</ref> The state information can be used for [[authentication]], identification of a user [[http session|session]], user preferences, [[Shopping cart software|shopping cart]] contents, or anything else that can be accomplished through storing text data.
Cookies are not software. They can't be programmed, can't carry viruses, and can't unleash malware to go wilding through your hard drive.<ref>Adam Penenberg. [http://www.slate.com/id/2129656/ Cookie Monsters]. [[Slate (magazine)|Slate]], November 7, 2005</ref> However, they can be used by [[spyware]] to track users' browsing activities – a major privacy concern that prompted European and US lawmakers to take action.<ref name=eulaw>{{cite news | url = http://www.bbc.co.uk/news/technology-12668552 | work= BBC | title=New net rules set to make cookies crumble | date=2011-03-08}}</ref> <ref>{{cite web | url = http://adage.com/article/digital/sen-rockefeller-ready-a-real-track-bill/227426/ | work=Adage.com |title=Sen. Rockefeller: Get Ready for a Real Do-Not-Track Bill for Online Advertising | date=2011-05-06}}</ref> Cookies could also be stolen by [[Hacker_(computer_security)|hackers]] to gain access to a victim's web account.<ref>{{cite web|url= http://news.cnet.com/8301-10789_3-9918582-57.html |first=Robert |last=Vamosi | title=Gmail cookie stolen via Google Spreadsheets |date=2008-04-14}}</ref>
== History ==
The HttpOnly attribute tells the browser to use the cookie only for the HTTP protocol. The cookie is not visible to client-side scripts, and therefore cannot be stolen via [[cross-site scripting]] (a pervasive attack technique<ref name=Symantec-2007-2nd-exec>{{cite journal|title=Symantec Internet Security Threat Report: Trends for July–December 2007 (Executive Summary)|publisher=Symantec Corp.|volume=XIII|pages=1–3|month=April | year=2008|url=http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf|format=PDF|accessdate=May 11, 2008}}</ref>). As shown in previous examples, both Facebook and Google use the HttpOnly attribute extensively.
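The following added example (not taken from any site's or browser's own code) parses <code>Set-Cookie</code> header values along the lines of RFC 6265 section 5.2, lists the cookies a client-side script would still be able to read, and flags session-like cookies issued without HttpOnly. The header values and the name pattern used to pick out session-like cookies are constructed assumptions.

```javascript
// Added example: audit Set-Cookie headers for the HttpOnly attribute.
// SAMPLE_HEADERS are constructed for illustration, not captured traffic.
const SAMPLE_HEADERS = [
  "SID=abc123; Path=/; Secure; HttpOnly",
  "lang=en-US; Path=/; Max-Age=31536000",
  "auth_token=deadbeef; Path=/; secure",
  "PREF=x=1:y=2; path=/; httponly",
];

// Assumption: a naming heuristic for cookies that carry session state.
const SENSITIVE_NAME = /sid|sess|auth|token/i;

// Parse one Set-Cookie value: the first ';'-separated part is name=value
// (split at the FIRST '='), the rest are case-insensitive attributes.
// Returns null when there is no '=' or the name is empty, which the
// RFC says a user agent must ignore.
function parseSetCookie(header) {
  const parts = header.split(";");
  const pair = parts.shift();
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq).trim();
  if (!name) return null;
  const attrs = new Map();
  for (const part of parts) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs.set(key, i === -1 ? "" : part.slice(i + 1).trim());
  }
  const value = pair.slice(eq + 1).trim();
  return { name, value, httpOnly: attrs.has("httponly"), attrs };
}

// What a page script would see: HttpOnly cookies are left out.
function scriptVisible(headers) {
  return headers.map(parseSetCookie)
    .filter((c) => c && !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Names of session-like cookies that were set without HttpOnly.
function missingHttpOnly(headers) {
  return headers.map(parseSetCookie)
    .filter((c) => c && SENSITIVE_NAME.test(c.name) && !c.httpOnly)
    .map((c) => c.name);
}

console.log("script-visible:", scriptVisible(SAMPLE_HEADERS));
console.log("missing HttpOnly:", missingHttpOnly(SAMPLE_HEADERS));
```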
== Misconceptions ==
Since their introduction on the Internet, misconceptions about cookies have circulated on the Internet and in the media.<ref>{{cite web|url=http://www.theallineed.com/computers/05072901.htm |title=Contrary to popular belief, cookies are good for you! (on the Internet) |publisher=The All I Need |date= |accessdate=2009-01-04}}</ref><ref>Keith C. Ivey [http://web.archive.org/web/20071211085115/http://www.eeicommunications.com/eye/utw/98feb.html Untangling the Web Cookies: Just a Little Data Snack]. 1998</ref> In 1998, [[Computer Incident Advisory Capability|CIAC]], a computer incident response team of the [[United States Department of Energy]], found the security vulnerability "essentially nonexistent" and explained that "information about where you come from and what web pages you visit already exists in a web server's log files".<ref>{{cite web|title=I-034: Internet Cookies|url=http://www.ciac.org/ciac/bulletins/i-034.shtml|publisher=CIAC, United States Department of Energy (ciac.org)|date=March 12, 1998, revised February 1, 2007|accessdate=2007-11-05}}</ref> In 2005, [[Jupiter Research]] published the results of a survey,<ref>Brian Quinton. [http://searchlineinfo.com/InsightExpress_cookie_study/ Study: Users Don't Understand, Can’t Delete Cookies]. Direct. May 18, 2005</ref> according to which a consistent percentage of respondents believed some of the following '''false''' claims:
* Cookies are like [[Computer virus|viruses]] in that they can infect the user's hard disks
* Cookies generate [[Context menu|pop-ups]]
* Cookies are used for [[spam (electronic)|spamming]]
* Cookies are used only for [[advertising]]
According to the same survey, a large percentage of Internet users do not know how to delete cookies.
Cookies cannot erase or read arbitrary information from the user's computer.<ref>Adam Penenberg. [http://www.slate.com/id/2129656/ Cookie Monsters]. [[Slate (magazine)|Slate]], November 7, 2005</ref> However, cookies allow for detecting the Web pages viewed by a user on a given site or set of sites.
== Browser settings ==