Lecture Notes : Cookies
Slide 1 : 1/16: Cookies
COMP1710 Web Development and Design
Cookies
Slide 2 : ToC : Cookies
Table of Contents (16 slides) for the presentation :
Cookies
Slide 3 : 3/16: Cookies
COMP1710
Web Development and Design
This lecture is mostly based on a lecture on Cookies from puma.wellesley.edu
(see the reference on Slide 6).
Slide 4 : 4/16: State
State
is a system's configuration, attributes, condition, or information content
temporary: it changes with time
volatile: it is lost, or reset to some initial state, when the system is switched off
simple example: a light, which is either on or off
complex example: the electrical activity in a human brain while solving a problem
in computing, states are usually discrete, with instantaneous transitions
HTTP is stateless
Every HTTP request is independent of the requests that preceded it
Each HTTP response depends entirely on the information contained in the corresponding request
Advantage: allows a simple and efficient Web server implementation
Disadvantage: a Web application that must remember anything about a user from one request to the next (a login, a shopping cart) is awkward to build on top of it
Slide 5 : 5/16: State management
State management
Overcomes this limitation of HTTP
Allows Web clients and servers to maintain a relationship across requests
The period during which this relationship holds is called a session
Most Web applications that require you to log in use sessions and state management
E.g. shopping cart applications use state management to hold the list of all items marked for purchase
Cookies are one component of state management.
A cookie is a small piece of text that a server asks the browser to store on the local machine; the browser then sends it back with every later request to that same server (more precisely, with every request whose URL matches the cookie's domain and path, until the cookie expires).
Slide 6 : 6/16: Request-Reply Model
Typical request (from browser to server)
GET /index.html HTTP/1.0
Accept: text/html, image/gif, image/jpeg
Accept-Language: en
Headers carry information about the formats and languages the client accepts, and about the content being sent.
Once the reply has been sent, the HTTP/1.0 connection is closed and the server "forgets" the exchange.
The server might keep a log of the transaction, but the log is not used to recognise the user on the next request.
References for this and subsequent slides: puma.wellesley.edu
Slide 7 : 7/16: Request-Reply Model
Typical reply (from server to browser)
HTTP/1.0 200 OK
Date: Fri, 20 Apr 2005 16:20:00 GMT
Server: Apache/1.3.9 (Linux)
Content-Length: 141
Content-Type: text/html
<html>
<body>
The web page's contents etc.
</body>
</html>
Slide 8 : 8/16: Cookies
Cookies
Along with a reply, server sends some additional information in the header
HTTP/1.0 200 OK
Content-Length: 141
Content-Type: text/html
Set-Cookie: user_id=12345; domain=.wellesley.edu;
expires=Mon, 23-Apr-2005
... content follows
The first name=value pair is the cookie itself: its name (user_id) and its value, which is often an identifier for the user or the session.
The domain attribute determines which hosts the browser will send the cookie to (by default only the host that issued it; a parent domain such as .wellesley.edu covers all of its hosts).
Other attributes determine when the cookie expires (expires, or max-age), which URL paths it is sent with (path), whether it is sent only over HTTPS (Secure) and whether page scripts may read it (HttpOnly).
The value is plain text chosen by the server but stored on, and returned by, the client. The server cannot assume it comes back unmodified unless it is something the client cannot forge, such as a long random session identifier that the server looks up in its own records.
Clients have the option of refusing cookies (meaning that they do not store them, or do not submit them with requests).
A browser rejects a cookie whose domain attribute does not cover the host that issued it: a site cannot set cookies for a third party. Most browsers can also be configured to refuse third-party cookies, i.e. cookies belonging to a domain other than the one shown in the address bar.
Slide 9 : 9/16: Cookies on Client
Cookies live on the client
For every page request (in other words, every time you visit a web page), your browser (the client) compares the page's URL to the cookies in its "cookie jar" and sends all the unexpired cookies whose domain and path match.
GET /index.html HTTP/1.0
Accept: text/html, image/gif, image/jpeg
Accept-Language: en
Cookie: user_id=12345
The total size of a cookie must be less than 4KB. In practice it is usually only a few dozen bytes.
The original cookie specification lets the client hold up to 20 cookies for a given domain, and up to 300 cookies in total (modern browsers allow more).
A request may carry more than one cookie; they travel in a single Cookie header, separated by "; ".
Script running in the page can also add cookies to the cookie jar (through document.cookie); a cookie does not have to come from the server, which is one more reason the server must treat cookie values as untrusted input.
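The following is an added example, not code from the lecture or from the Wellesley notes it is based on: a minimal browser-side cookie jar that parses the Set-Cookie attributes described on Slide 8 and applies the Slide 9 rule (send every unexpired cookie whose domain and path match) when building the Cookie header for a request. Matching follows the RFC 6265 domain-match and path-match rules; the function names, the attacker.example host and the sample Set-Cookie headers are this example's own constructions.

```javascript
// Added example, not part of the lecture: a minimal browser-side cookie jar.
// Function names and the sample cookies below are assumptions of this example.

// RFC 6265 default path: the request path up to, but not including, its last "/".
function defaultPath(requestPath) {
  if (!requestPath.startsWith('/')) return '/';
  const i = requestPath.lastIndexOf('/');
  return i === 0 ? '/' : requestPath.slice(0, i);
}

// Parse one Set-Cookie header received from requestHost for requestPath.
// Returns null when a browser would reject the cookie.
function parseSetCookie(header, requestHost, requestPath, now = Date.now()) {
  const parts = header.split(';').map(s => s.trim());
  const eq = parts[0].indexOf('=');
  if (eq <= 0) return null;
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    domain: requestHost.toLowerCase(),
    hostOnly: true,           // no Domain attribute: only the issuing host gets it back
    path: defaultPath(requestPath),
    expires: null,            // null: session cookie, discarded when the browser closes
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [k, ...rest] = attr.split('=');
    const key = k.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'domain') {
      const d = val.replace(/^\./, '').toLowerCase();
      // A host may scope a cookie to itself or to a parent domain it belongs to,
      // never to an unrelated domain: such a cookie is dropped.
      if (d !== cookie.domain && !cookie.domain.endsWith('.' + d)) return null;
      cookie.domain = d;
      cookie.hostOnly = false;
    } else if (key === 'path' && val.startsWith('/')) {
      cookie.path = val;
    } else if (key === 'expires') {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) cookie.expires = t;
    } else if (key === 'max-age') {
      cookie.expires = now + Number(val) * 1000;   // Max-Age=0 is how a server deletes a cookie
    } else if (key === 'secure') {
      cookie.secure = true;
    } else if (key === 'httponly') {
      cookie.httpOnly = true;
    }
  }
  return cookie;
}

function domainMatches(cookie, host) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// The Cookie header a browser would attach to a request for url at time now
// ('' when nothing in the jar qualifies).
function cookieHeaderFor(jar, url, now = Date.now()) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  return jar
    .filter(c => (c.expires === null || c.expires > now)
      && domainMatches(c, host)
      && pathMatches(c.path, u.pathname)
      && (!c.secure || u.protocol === 'https:'))
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample: Set-Cookie headers a reply for https://www.wellesley.edu/index.html might carry.
const SAMPLE_SET_COOKIES = [
  'user_id=12345; Domain=.wellesley.edu; Expires=Fri, 01 Jan 2100 00:00:00 GMT',
  'session=abc; Path=/; Secure; HttpOnly',   // HTTPS only, invisible to document.cookie
  'prefs=dark; Path=/account',
  'old=1; Max-Age=0',                        // already expired: never sent
  'evil=1; Domain=attacker.example',         // rejected: cannot set a cookie for another site
];
const jar = SAMPLE_SET_COOKIES
  .map(h => parseSetCookie(h, 'www.wellesley.edu', '/index.html'))
  .filter(c => c !== null);
```

With that jar, a request for https://www.wellesley.edu/account/settings carries user_id, session and prefs; a plain-HTTP request to cs.wellesley.edu/index.html carries only the domain-wide user_id (the Secure session cookie stays home, and the host-only and /account cookies do not match); a request to /accounts does not get the /account cookie, because path matching works on whole path segments.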
Slide 10 : 10/16: Cookie interaction
A schematic of cookie interaction
- The browser sends a request to the server. Since the user has never
visited that site before, there are no cookies, so none are sent.
- The server notices that there are no cookies, so it assumes that
this is a new visitor; it generates a new ID for the user and
includes that ID as a cookie in the reply. The reply might even be
tailored for new visitors.
- The browser later (minutes or months later) makes another request
to that site and sends back the cookie it received in step 2.
- The server gets the request with the cookie, recognises a
returning visitor, and can generate a customised reply.
Slide 11 : 11/16: Using Javascript
Using JavaScript to customise the reply
The document returned by the server might contain some JavaScript, and that code can also look at the cookies for the page and customise things.
In this example the server always returns the same page, whether it receives a cookie or not. In general the server might do different things depending on the cookie.
The JavaScript on the page checks the cookies for this document through the property document.cookie, a single string holding every cookie the page is allowed to read.
If there is no user_id cookie, the script generates an ID for the new user and sets a cookie. The ID is based on the timestamp of the visit: unique enough to tell visitors apart, but predictable, not random.
On subsequent visits the user's ID is sent to the server in the cookie, and the server might use it to look up information in a database: previous visits, the pages this user has viewed, any information the user has provided in the past.
Because the client chose this ID, and can set document.cookie to any value it likes, the server must not treat it as proof of identity; an identifier the server relies on must be generated on the server from an unpredictable source and looked up there.
If there is a cookie, the JavaScript generates a special greeting.
Slide 12 : 12/16: Example Javascript
The example using Javascript
var now = new Date();
var timestamp = now.getTime();
var cookie = document.cookie;   // every cookie visible to this page, as "name=value; name2=value2"
// Look for a cookie actually named user_id: a bare indexOf("user_id") would also
// match an unrelated cookie such as "old_user_id".
var userid = null;
var parts = cookie.split("; ");
for (var i = 0; i < parts.length; i++) {
  if (parts[i].indexOf("user_id=") === 0) {
    userid = parts[i].substring("user_id=".length);
  }
}
if (userid === null) {
  document.write("It looks like you have not been here before.<br>");
  // Timestamp-based ID: unique enough for a greeting, but predictable, so it
  // must never be used as an authentication token.
  userid = "user" + timestamp;
  document.write("From now on I will call you " + userid + ".<br>");
  // No expires attribute: a session cookie, discarded when the browser closes.
  document.cookie = "user_id=" + userid;
} else {
  document.write("Hey, I know you!<br>");
  document.write("You sent me a cookie containing:<br>");
  document.write(cookie);
}
Slide 13 : 13/16: Legitimate uses of Cookies
Legitimate uses of Cookies
Provide new user information once, or skip an introduction on
subsequent visits. Here is an example
using music.
Users can avoid typing information every time they revisit. For
example, tvguide.com
A user_id allows the server to accumulate information during a visit;
for example, a shopping cart.
Slide 14 : 14/16: Less Legitimate uses of Cookies
Less Legitimate uses of Cookies
Serious questions about privacy and security
Is the convenience of the WWW worth giving up what you consider to be personal, private or sensitive information?
Violations of privacy: clickstream (possibly with embedded query information), DoubleClick, software configuration (OS and browser), contents of any JavaScript variable.
Sites track users and analyse access patterns (within their own sites).
A site can embed content (an image, script or advertisement) from a third party; the request for that content carries the third party's own cookies, which lets it recognise you across every site that embeds it. Many browsers can be configured to refuse such third-party cookies.
The W3C Security FAQ has more information about cookies and their security risks.
Slide 15 : 15/16: Privacy and Cookies
Privacy and Cookies
Cookies can, and often do, pose a privacy risk because they allow a
variety of web sites and "spyware" programs to build a personal
"profile" of who you are and what you do.
For example, you might allow your favourite weather web site to store
your postcode in a cookie so you can get the local forecast every morning
without retyping your postcode.
This seems fine, since the weather web site doesn't know who you are.
But what you may not realise is that the weather web site may work
with a network of other web sites to compile all your little pieces of
information (like your postcode) into a single, amazingly complete,
demographic profile.
And this isn't just your name and address. It's your opinions
(ever answered an online poll?), your purchases (ever bought anything
online?), and your web usage patterns.
The best way to avoid privacy issues is to
- make sure your computer is free of spyware,
- disable third-party cookies, and
- read the privacy statements of the sites you use.
Reference: www.commercialinstitute.com