Cookies
Revealed
[By Abhishek Bhuyan]
What is a “Cookie”?
A “cookie” is a small piece of information sent by a web server to be stored on
a web browser so that it can later be read back from that browser. This becomes
useful for having the browser remember specific information about a visitor to
a particular website. The cookie is a text file that is saved in the browser’s
directory and is stored in RAM while the browser is running. The cookie may
also be stored on the computer’s hard drive once a user logs off from that
website or web server.
Cookies are a very important method for maintaining ‘state’ on the Web. What
does that mean? ‘State’ refers to the application ability to work interactively
with the user. For example, when you book yourself for a train/bus you get a
ticket. On the date of journey, when you show this ticket, you will be allowed
to enter the train/bus else the ticket collector will not know if you are the
right person or a new customer. Here ticket is critical to maintain state
between you and ticket collector.
HTTP is a ‘stateless’ protocol. This means that each visit to a site (or clicks
within a site) is seen by the server as the first visit by the user. That means
the server forgets everything after each request, unless it can somehow mark a
visitor ( i.e ‘Yes he is the
right traveler’) to help it remember.
Cookies do this job.
Cookies can only tell a web server if you have been there before and can pass short bits of information (such as a user number) from the web server back to itself the next time you visit. Most cookies last only until you quit your browser and then are destroyed. A second type of cookie known as a persistent cookie has an expiration date and is stored on your disk until that date. A persistent cookie can be used to track a user's browsing habits by identifying him whenever he returns to a site. Information about where you come from and what web pages you visit already exists in a web server's log files and could also be used to track users browsing habits, cookies just make it easier.
How do I examine Persistent Cookies already
my own System?
Persistent cookies are stored in different places on your system depending on
which web browser and browser version you are using. Netscape stores all its
persistent cookies in a single file named cookies.txt on the PC
. Both files are in the Netscape directory. You can open and edit this
file with a text editor and delete any cookies that you don't want to keep or
delete the file itself to get rid of all of your cookies. Internet Explorer
stores persistent cookies in separate files named with the user's name and the
domain name of the site that sent the cookie. For example: yourname@ciac.txt.
The cookie files are stored in /Windows/cookies or in /Windows/profiles/
WEBTRENDS_ID
61.1.129.58-1041789995.121030
www.bazee.com/
1024
3872737152
30271763
3731731632
29537508
*
This particular cookie file was named abhishek@www.bazee.txt (abhishek is my user name, I logged in). Cookie may contain
different information; it depends on cookie to cookie. Here my IP address is stored(61.1.129.58) .
We will not go into details now.
What Are Cookies Used For?
One use of cookies is for storing passwords and user ID’s for specific
websites. Also, they are used to store preferences of start pages. On sites
with personalized viewing, your web browser will be requested to utilize a
small amount of space on your computer’s hard drive to store these preferences.
That way, each time you log on to that website, your browser will check to see
if you have any pre-defined preferences (a cookie) for that unique server. If
you do, the browser will send the cookie to the server along with your request
for a web page. Microsoft and Netscape use cookies to create personal start
pages on their websites. Common uses for which companies utilize cookies
include: on-line ordering systems, site personalization, and website tracking.
Cookies have some beneficial things. Site personalization is one of the most beneficial uses for cookies. For example, a person comes to the CNN or even Yahoo!(My Yahoo) site, but does not want to see any business news. The site allows the person to select this choice as an option. From then on (or until the cookie expires), the person would not see business news when they access the CNN web pages. You must have also seen in some websites that when you log in (using a User ID & Password), there is an option for ‘remember me when I visit next time’; that’s possible because it stored your password and id on your machine in a cookie.
Some visitors feel it is an invasion of privacy for a website to track their
progress on a site. It helps to get you the information or services you seek as
quickly as possible and allow you to get back to work without delay. Site
navigation statistics are critical to the continuing redesign of the site. Site
administrator might need to know if 100 different people visited his site or if
one person (or robot) continuously hit the reload button 100 times.
Cookies also have some demerits. Let me give you a example(real
life). The DoubleClick
Network is a system created by the DoubleClick
Corporation to create profiles of individuals using the World Wide Web and to
present them with advertising banners customized to their interests. DoubleClick's primary customers are Web sites looking to
advertise their services. Each member of the DoubleClick
Network becomes a host for the advertising of other members of the network.
When a Web site joins DoubleClick it creates
advertisements for its services and submits them to DoubleClick's
server. The Web site then modifies its HTML pages to include an <IMG>
graphic that points to DoubleClick. When a user goes
to view one of these modified HTML pages, her browser makes a call to DoubleClick's server to retrieve the graphic. The server
chooses one of its member's advertisements and returns it to the browser. If
the user reloads the page, a different advertisement appears. If the user
clicks on the graphic, her browser jumps to the advertised site. Currently many
hundreds of sites belong to DoubleClick.
From the user's point of view DoubleClick's graphics
appear no different from any other Web advertisement, and there's no visible
indication of anything special about the graphic. However, there is an
important difference. When a user first connects to the DoubleClick
server to retrieve a graphic, the server assigns the browser a cookie that
contains a unique identification number. From that time forward whenever the
user connects to any Web site that subscribes to the DoubleClick Network, her browser returns the identification
number to DoubleClick's server, allowing the server
to recognize her. Over a period of time DoubleClick
compiles a list of which member sites the user has visited and revisited, using
this information to create a profile of the user's tastes and interests. With
this profile in hand the DoubleClick server can
select advertising that is likely to be of interest to the user. It can also
use this information to compile valuable feedback for its member Web sites,
such as providing them with audience profiles and rating the effectiveness of
the advertisements.
So how do I know that I have been tracked by DoubleClick ? Well to find out whether you have been
tracked by DoubleClick, examine your browser's cookies
file in cookies directory . There will be something like this
ad.doubleclick.net FALSE / FALSE 942195440 IAA d2bbd5
How Do These Cookies Work?
A command line in the HTML code of a document tells the browser to set a cookie
of a certain name or value. The following is a general example of a script used
to set a cookie.
Set-Cookie: name = VALUE;
expires = DATE;
path = PATH;
domain = DOMAIN_NAME; secure
Lets go a bit detail of all these
attributes….
name=VALUE
This string is a sequence of characters
excluding semi-colon, comma and white space. If there is a need to place such
data in the name or value, some encoding method such as URL style %XX encoding
is recommended, though no encoding is defined or required.
This is the only required attribute on the Set-Cookie header.
expires = DATE
The expires attribute specifies
a date string that defines the valid life time of that cookie. Once the
expiration date has been reached, the cookie will no longer be stored or given
out.
The date string is formatted as:
Wdy, DD-Mon-YYYY HH:MM:SS GMT
expires is an optional attribute. If not specified, the cookie
will expire when the user's session ends.
domain = DOMAIN_NAME
When searching the cookie list for valid cookies, a comparison of the domain
attributes of the cookie is made with the Internet domain name of the host from
which the URL will be fetched. If there is a tail match, then the cookie will
go through path matching to see if it should be sent. "Tail
matching" means that domain attribute is matched against the tail
of the fully qualified domain name of the host. A domain attribute of
"internet.com" would match host names "people.internet.com"
as well as "shipping.computer.internet.com".
Only hosts within the specified domain can set a cookie for a domain and
domains must have at least two (2) or three (3) periods in them to prevent
domains of the form: ".com", ".edu",
and "lu.in". Any domain that fails within one of the seven special
top level domains listed below only require two periods. Any other domain
requires at least three. The seven special top level domains are:
"COM", "EDU", "NET", "ORG",
"GOV", "MIL", and "INT".
The default value of domain is the host name of the server which
generated the cookie response.
Path = PATH
The path attribute is used to specify the subset of
URLs in a domain for which the cookie is valid. If a cookie has already passed domain
matching, then the pathname component of the URL is compared with the path
attribute, and if there is a match, the cookie is considered valid and is sent
along with the URL request. The path "/foo" would match "/foobar"
and "/foo/bar.html". The path "/" is the most
general path.
If the path is not specified, it as assumed to be the same path as the
document being described by the header which contains the cookie.
secure
If a cookie is marked secure, it will only be
transmitted if the communications channel with the host is a secure one.
Currently this means that secure cookies will only be sent to HTTPS (HTTP over
SSL) servers.
If secure is not specified, a cookie is considered safe to be sent in
the clear over unsecured channels.
An HTTP Cookie cannot be used to retrieve personal data from your hard drive, install a virus, get your email address, or steal sensitive information about who you are; however, an HTTP Cookie may be used to track where you travel over a particular site. Site tracking cannot easily be done without the use of cookies as you have seen in the above example.
As with everything else about the Internet, you are only as anonymous as you
wish to be. No website knows who you are until you reveal to it who you are. In the meantime, a cookie is simply a means of
tracking site statistics in order to better understand usage patterns and to
improve visitor productivity. A cookie is the way of remembering that
information. If a website designer desires to make web pages become more
interactive with visitors, or if the designer plans on letting visitors
customize the appearance of the site, then they will need cookies. Also, if you
want your site visits to change appearances under certain circumstances,
cookies provide a quick and easy way to let your HTML pages change as required.
The newest servers use cookies to help with database interactivity, which can
improve the overall interactivity of the website.
I hope now you understand the pros and cons of Cookies. This is not over yet.
In my next article I’ll be explaining more details about cookies, how to hack
those, cookie hijacking , using those how to spoof,
& countermeasures.
Abhishek Bhuyan
lucky@lucky-web.net
http://www.lucky-web.net
To receive tutorials on various topics related to
Hacking, Networking, Security..... join mailing list by sending a
blank email to : luckyweb_members-subscribe@yahoogroups.com