An HTTP cookie is a small piece data. This data is sent by a web server when a user loads a page and then sent back unchanged to the server every time the user accesses the server. The purpose of this is to allow the server to identify the individual users requesting web pages from the server.
Cookies were invented to allow web servers to track and maintain information about the contents of users’ electronic shopping carts. Cookies allowed the server to uniquely identify which user was adding or removing items from a shopping cart and thereby to keep track of individual shopping carts. Without cookies, each interaction with the web server had to be treated as a separate event, and there was no obvious or accurate connection to a user’s previous actions.
Today, cookies are also used to keep track of user site preferences and user behavior across multiple websites. The latter is used primarily for advertising and involves tracking the user across multiple websites and thereby targeting ads to the user. Even when a user visits different websites served by different web servers, there may be ads on such websites which are served from one server. This way, the server providing the ads will be able to track the user.
A cookie can contain any (small) amount of data and will most often contain a string randomly generated by the server. There is thus no personal information stored in the cookie itself. The server may however store personal information and user preferences if the user types these in on the website. The cookie then allows the server to associate the information stored in the server with the user, when the user visits the website and the cookie is sent by the browser to the server.
Most browsers allow the user to decide if he or she will accept a cookie from a web server. If the user declines, this disables the functionality on the website utilizing cookies. If a website has implemented an electronic shopping cart using cookies, it will thus not be possible for the user to make a purchase without accepting the cookie.
Cookies may have an expiration date in which case the browser will not send the cookie to the server after expiration. Some cookies are defined as non persistent, in which case they are deleted when the browser is closed. Also, users may manually delete all or selected cookies.
While the data in the cookie itself is not personal and a server can only acquire personal information if the user explicitly discloses it, cookies are seen as a cause for concern over data privacy. The main reason for this is the tracking of user behavior over multiple websites. For this reason, cookies have been subject to legislation in , and other countries.
There are other areas of concern. If multiple users use the same computer, user profile and browser they will appear as one user to the web server. Also, cookies may be stolen, tampered with or an attacker may listen to the connection between a server and user and thereby snoop the cookie.
There are alternatives to using cookies each with their own drawbacks. One alternative involves tracking the user by the IP address from which the server receives the request for a webpage. This is inaccurate as multiple users may share the same IP address or proxy server. Other alternatives include HTTP authentication and embedding of information into URLs.
In this article we described what cookies are and what they may be used for. We have seen why they are a cause for concern over data privacy and we have touched on the subject of alternatives.