Tangled Webs
My Hand in the Cookie Jar
Apr 9, 1997
Issue 2.5

Want a Cookie, Little Girl?

No one really knows why they are called "cookies," let alone "magic cookies," but that's what Netscape called them when they announced them nearly two years ago. The name stuck. A popular explanation is that the name stems from an old Unix program that provided a different "fortune cookie" every time a user logged on, but I prefer Netscape's explanation: "that's just what they're called."

Nomenclature aside, the most confusing thing about magic cookies is exactly what they do. Although they have been around since the Internet's Jurassic period, over the past few months many have seized on them as the latest danger on the Internet.

If reports are to be believed, magic cookies are the worst thing since the Good Times virus. They will invade your privacy, steal your credit card numbers, and provide your most personal information to unscrupulous direct marketers. Let's take a look at how dangerous these cookies really are, and whether or not we should be accepting cookies from strangers.



Cookie Recipes
Cookies were developed because http is stateless. In case you don't speak geek, I'll explain. Hypertext transfer protocol (http) is the language your browser uses to request web pages. Web servers respond by sending the file you requested and then forgetting all about the transaction. Much like the Clinton White House, a web server has no idea who is requesting files, which files they have seen, or why the requests were made.

From the user's point of view, browsing a web site is a continuous stream of events, but from the server's it is dozens, perhaps hundreds, of separate, unrelated document requests. This simple design makes the server very efficient, but presents some problems for those who wish to develop or use sophisticated web sites. In such sites, what the user has seen so far is inevitably important. Cookies are one way -- and by far the easiest way -- of solving this problem of statelessness.

The cookie is actually just some text that the server sends to your browser, and which your browser then stores on your hard drive. By asking for its cookie back, the server can identify the user making the request and customize its output accordingly.

A typical cookie looks something like

	CUSTOMER=6719243

Cookies can provide real benefits for the user. They allow servers to do things like generate a list of pages that have changed since your last visit. They can also be used to store your password and username so you don't have to log into a site every time you visit. Microsoft Network and Infoseek both use cookies to remember user IDs and preferences and then create pages tailored to individual users.

What prevents cookies from becoming an invasion of privacy is that a server can only retrieve cookies that it created. My server has no way of reading a cookie placed on your hard drive by the Microsoft server and vice versa. Nor is there any way a cookie can be used to retrieve your credit card numbers or e-mail address unless you specifically provide the server with that information via a fill-out form.



Tossing Your Cookies
Feeling relieved and secure? Good. So was I when I found out that Internet advertising brokers like DoubleClick had found a way to use cookies to track you from site to site. These companies are responsible for placing many of the advertising banners littering the Web. Since the graphics for these ads are all stored on DoubleClick's server, it can request the DoubleClick cookie from you whenever you browse a site with a DoubleClick banner.

In this way DoubleClick can build a profile of your likes and dislikes based on the sites you have visited, and target you for specific kinds of advertising. Although I find this practice somewhat distasteful, it is important to remember that they still have no idea who you are. They only know you as Customer 6719243. Besides, it is easy to thwart them if you don't like the idea of someone building a profile of you.

Both Internet Explorer and Netscape Navigator can be configured to warn the user before accepting a cookie. Unfortunately, some sites try to shove a lot of cookies down your throat, and clicking through a dozen dialog boxes every time you load a page makes for maddening surfing.

Fortunately, there are numerous shareware and freeware solutions. The simplest just delete all cookies from your hard drive. Some of the more sophisticated refuse all cookies and do not pop open a dialog box, and a new generation of programs can be configured to accept cookies from certain sites and refuse them from others.
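The sketch below is an added example, not code from this column or from any browser or ad broker. It models a cookie jar that hands each host only its own cookie, then shows how a banner host embedded on several sites still sees one ID everywhere, and what a refuse-this-host policy changes. The host names are made up, and it assumes the banner host learns the embedding page from the Referer header.

```javascript
// Added illustration: a toy browser whose cookie jar is scoped per host.
// Host names are constructed; learning the page from Referer is an assumption.
class Browser {
  constructor(acceptFrom = () => true) {
    this.jar = new Map();          // host -> cookie text that host set
    this.acceptFrom = acceptFrom;  // per-host accept/refuse policy
  }
  // One request: return only the cookie this host set earlier, store any new one.
  request(server, path, referer = null) {
    const cookie = this.jar.get(server.host) || null;
    const res = server.handle({ path, cookie, referer });
    if (res.setCookie && this.acceptFrom(server.host)) this.jar.set(server.host, res.setCookie);
    return res;
  }
  // Loading a page also fetches the banner it embeds, from the banner's own host.
  visit(site, adServer) {
    this.request(site, "/");
    this.request(adServer, "/banner.gif", site.host);
  }
}

class Site {
  constructor(host) { this.host = host; this.seen = []; }
  handle(req) { this.seen.push(req.cookie); return { setCookie: `VISITOR=${this.host}` }; }
}

class AdServer {
  constructor(host) { this.host = host; this.nextId = 6719243; this.profiles = new Map(); }
  handle(req) {
    // A returning browser keeps its ID; a request without a cookie gets a fresh one.
    const id = req.cookie || `CUSTOMER=${this.nextId++}`;
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    this.profiles.get(id).push(req.referer);
    return { setCookie: req.cookie ? null : id };
  }
}

function simulate(policy) {
  const ads = new AdServer("ads.example");
  const browser = new Browser(policy);
  const sites = ["news.example", "cars.example"].map((h) => new Site(h));
  for (const site of [...sites, ...sites]) browser.visit(site, ads); // two rounds
  return { profiles: ads.profiles, sites };
}

// Accept everything: one ID with the full browsing trail. Refuse the ad host: four unlinked IDs.
console.log([...simulate(() => true).profiles]);
console.log([...simulate((host) => host !== "ads.example").profiles]);
```

Each site's `seen` list only ever contains its own `VISITOR=` cookie, while the banner host's single profile lists every page that carried its banner.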

There are too many good choices for me to make brief recommendations. You can decide for yourself by going to http://www.shareware.com, selecting the type of computer you own and searching on "cookie."



The Cookie Jar
Where your cookies are hiding depends on which browser and computer you are using. Cookies are just text files, so you can open them with any text editor or word processor.

Netscape Win    C:\Programs\Netscape\Navigator\cookies.txt
Netscape Mac    System Folder:Preferences:Netscape f:MagicCookie
Explorer Win    C:\Windows\Cookies\
Explorer Mac    System Folder:Preferences:Explorer:Explorer Cashe:cookies.txt


© Copyright 1997, Tim Romero, t3@t3y.com
Tangled Webs may be distributed freely provided this copyright notice is included.
The Tangled Webs Archive is located at http://www.dotco.com/t3/tangledwebs/index.shtml