HTTP cookie: Difference between revisions

Third-party cookie: Add Chrome version (from provided supporting source)
m clean up, typo(s) fixed: wide-spread → widespread
Line 17:
 
===Origin of the name===
The term ''cookie'' was coined by web-browser programmer [[Lou Montulli]]. It was derived from the term ''[[magic cookie]]'', which is a packet of data a program receives and sends back unchanged, used by [[Unix]] programmers.<ref name="wdi6I">{{cite web|url=http://dominopower.com/article/where-cookie-comes-from/|title=Where cookie comes from :: DominoPower|website=dominopower.com|access-date=19 October 2017|archive-url=https://web.archive.org/web/20171019174750/http://dominopower.com/article/where-cookie-comes-from/|archive-date=19 October 2017|url-status=live}}</ref><ref name="xVtjM">{{cite web|editor-last1=Raymond|editor-first1=Eric |title=magic cookie|url=http://catb.org/jargon/html/M/magic-cookie.html|website=The Jargon File (version 4.4.7)|access-date=8 September 2017|archive-url=https://web.archive.org/web/20170906230653/http://www.catb.org/jargon/html/M/magic-cookie.html|archive-date=6 September 2017|url-status=live}}</ref>
 
===History===
Line 24:
Together with John Giannandrea, Montulli wrote the initial Netscape cookie specification the same year. Version 0.9beta of [[Netscape Navigator|Mosaic Netscape]], released on October 13, 1994,<ref name="JgNeY">{{cite web |url=http://wp.netscape.com/newsref/pr/newsrelease1.html |title=Press Release: Netscape Communications Offers New Network Navigator Free On The Internet |access-date=2010-05-22 |archive-url = https://web.archive.org/web/20061207145832/http://wp.netscape.com/newsref/pr/newsrelease1.html |archive-date=2006-12-07}}</ref><ref name="8YpTv">{{cite web |url=https://groups.google.com/group/comp.infosystems.www.users/msg/9a210e5f72278328 |title=Usenet Post by Marc Andreessen: Here it is, world! |date=1994-10-13 |access-date=2010-05-22 |archive-url=https://web.archive.org/web/20110427123350/http://groups.google.com/group/comp.infosystems.www.users/msg/9a210e5f72278328 |archive-date=2011-04-27 |url-status=live}}</ref> supported cookies.<ref name="kristol" /> The first use of cookies (out of the labs) was checking whether visitors to the Netscape website had already visited the site. Montulli applied for a patent for the cookie technology in 1995, which was granted in 1998.<ref>{{Cite patent|country=US|number=5774670|pubdate=1998-06-30|title=Persistent client state in a hypertext transfer protocol based client-server system|assign1=[[Netscape Communications Corp.]]|inventor1-last=Montulli|inventor1-first=Lou}}</ref> Support for cookies was integrated with [[Internet Explorer]] in version 2, released in October 1995.<ref name="95BiI">{{cite news |first=Sandi |last=Hardmeier |url=https://www.microsoft.com/windows/IE/community/columns/historyofie.mspx |title=The history of Internet Explorer |publisher=Microsoft |date=2005-08-25 |access-date=2009-01-04 |archive-url=https://web.archive.org/web/20051001113951/http://www.microsoft.com/windows/IE/community/columns/historyofie.mspx |archive-date=2005-10-01 |url-status=live}}</ref>
 
The introduction of cookies was not widely known to the public at the time. In particular, cookies were accepted by default, and users were not notified of their presence.{{cncitation needed|date=October 2022|reason=This is most likely incorrect, as at least Internet Explorer had very prominent cookie warnings and required explicit permission to accept any.}} The public learned about cookies after the ''[[Financial Times]]'' published an article about them on February 12, 1996.<ref name="B3JMd">{{cite news|last=Jackson|first=T|title=This Bug in Your PC is a Smart Cookie|newspaper=Financial Times|date=1996-02-12}}</ref> In the same year, cookies received a lot of media attention, especially because of potential privacy implications. Cookies were discussed in two U.S. [[Federal Trade Commission]] hearings in 1996 and 1997.<ref name="UjTred" />
 
The development of the formal cookie specifications was already ongoing. In particular, the first discussions about a formal specification started in April 1995 on the www-talk [[electronic mailing list|mailing list]]. A special working group within the [[Internet Engineering Task Force]] (IETF) was formed. Two alternative proposals for introducing state in HTTP transactions had been proposed by [[Brian Behlendorf]] and David Kristol respectively. But the group, headed by Kristol himself and Lou Montulli, soon decided to use the Netscape specification as a starting point. In February 1996, the working group identified third-party cookies as a considerable privacy threat. The specification produced by the group was eventually published as RFC 2109 in February 1997. It specifies that third-party cookies were either not allowed at all, or at least not enabled by default.<ref name="RFC2109">{{Cite ietf|rfc=2109 |section=8.3 }}</ref> At this time, advertising companies were already using third-party cookies. The recommendation about third-party cookies of RFC 2109 was not followed by Netscape and Internet Explorer. RFC 2109 was superseded by RFC 2965 in October 2000.
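
Review bot: On the sentence "cookies were accepted by default, and users were not notified of their presence", expanding the cn shortcut to the full citation needed template leaves the tag's reason= text unchanged, and that text says the claim is most likely incorrect because Internet Explorer showed prominent cookie warnings and required explicit permission. A tag that disputes the statement rather than asking for a source should be resolved, not just renamed: cite a source for the default-accept behaviour, or narrow the sentence to the browsers it actually holds for.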
Line 40:
A ''persistent cookie'' expires at a specific date or after a specific length of time. For the persistent cookie's lifespan set by its creator, its information will be transmitted to the server every time the user visits the website that it belongs to, or every time the user views a resource belonging to that website from another website (such as an advertisement).
 
For this reason, persistent cookies are sometimes referred to as ''tracking cookies''{{cncitation needed|date=October 2022}} because they can be used by advertisers to record information about a user's web browsing habits over an extended period of time. Persistent cookies are also used for reasons such as keeping users logged into their accounts on websites, to avoid re-entering login credentials at every visit. {{Crossreference|selfref=no|(See {{section link||Uses}}, below.)}}
 
===Secure cookie===
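
Review bot: The citation needed tag after ''tracking cookies'' sits mid-sentence, ahead of "because they can be used by advertisers", so it is unclear whether the unsourced part is the term itself or the explanation that follows it. Renaming the template does not settle that; move the tag to the end of the clause it questions, or add a source for the term and drop it.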
Line 229:
The industry's response has been largely negative. Robert Bond of the law firm Speechly Bircham describes the effects as "far-reaching and incredibly onerous" for "all UK companies". Simon Davis of [[Privacy International]] argues that proper enforcement would "destroy the entire industry".<ref name="sKaxf">{{cite magazine|title=EU cookie law: stop whining and just get on with it|magazine=Wired UK|url=https://www.wired.co.uk/news/archive/2012-05/24/eu-cookie-law-moaning|access-date=31 October 2012|archive-url=https://web.archive.org/web/20121115110013/http://www.wired.co.uk/news/archive/2012-05/24/eu-cookie-law-moaning|archive-date=15 November 2012|url-status=live|date=2012-05-24}}</ref> However, scholars note that the onerous nature of cookie pop-ups stems from an attempt to continue to operate a business model through convoluted requests that may be incompatible with the GDPR.<ref name="Veale"/>
 
Academic studies and regulators both describe wide-spreadwidespread non-compliance with the law. A study scraping 10,000 UK websites found that only 11.8% of sites adhered to minimal legal requirements, with only 33.4% of websites studied providing a mechanism to reject cookies that was as easy to use as accepting them.<ref name=":0"/> A study of 17,000 websites found that 84% of sites breached this criterion, finding additionally that many laid third party cookies with no notice at all.<ref>{{cite book | last1=Kampanos | first1=Georgios | last2=Shahandashti | first2=Siamak F. | series=IFIP Advances in Information and Communication Technology | volume=625 | title=ICT Systems Security and Privacy Protection | chapter=Accept All: The Landscape of Cookie Banners in Greece and the UK | publisher=Springer International Publishing | publication-place=Cham | year=2021 | isbn=978-3-030-78119-4 | issn=1868-4238 | doi=10.1007/978-3-030-78120-0_14 | pages=213–227|arxiv=2104.05750| s2cid=233219491 }}</ref> The UK regulator, the [[Information Commissioner's Office]], stated in 2019 that the industry's 'Transparency and Consent Framework' from the advertising technology group the [[Interactive Advertising Bureau]] was 'insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent, with attendant implications for PECR [e-Privacy] compliance.'<ref name=":2" /> Many companies that sell compliance solutions (Consent Management Platforms) permit them to be configured in manifestly illegal ways, which scholars have noted creates questions around the appropriate allocation of liability.<ref>{{Citation|last1=Santos|first1=Cristiana|date=2021|url=https://link.springer.com/10.1007/978-3-030-76663-4_3|work=Privacy Technologies and Policy|volume=12703|pages=47–69|editor-last=Gruschka|editor-first=Nils|place=Cham|publisher=Springer International 
Publishing|language=en|doi=10.1007/978-3-030-76663-4_3|isbn=978-3-030-76662-7|access-date=2021-06-06|last2=Nouwens|first2=Midas|last3=Toth|first3=Michael|last4=Bielova|first4=Nataliia|last5=Roca|first5=Vincent|title=Consent Management Platforms Under the GDPR: Processors and/Or Controllers? |series=Lecture Notes in Computer Science |editor2-last=Antunes|editor2-first=Luís Filipe Coelho|editor3-last=Rannenberg|editor3-first=Kai|editor4-last=Drogkaris|editor4-first=Prokopios|arxiv=2104.06861|s2cid=233231428}}</ref>
 
A [[W3C]] specification called [[P3P]] was proposed for servers to communicate their privacy policy to browsers, allowing automatic, user-configurable handling. However, few websites implement the specification, and the W3C has discontinued work on the specification.<ref>{{Cite web|title=P3P: The Platform for Privacy Preferences|url=https://www.w3.org/P3P/Overview.html|access-date=2021-10-15|website=www.w3.org}}</ref>
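
Review bot: The "wide-spread" to "widespread" fix is fine, but the same paragraph still writes "third party cookies" without the hyphen, while the hunk at Line 24 uses "third-party cookies" throughout. The Santos et al. citation in this paragraph also has its publisher value split across a line break after "Springer International". Both belong in the same clean-up pass.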