Cookie concept

A cookie is a small piece of information sent by a website and stored in the user's browser, so that the website can check the user's previous activity.

Its main functions are:

Take control of users: When a user enters their username and password, a cookie is stored so that they do not have to be entered for each page of the server. However, a cookie does not only identify a person, but a combination of computer-browser-user.
Get information about the user's browsing habits, spyware attempts (spyware), advertising agencies and others. This can cause privacy issues and is one of the reasons why cookies have their detractors.
Cookies can be deleted, accepted or blocked as you wish, for this you should only conveniently configure the web browser.

Purpose

Cookies are usually used by web servers to differentiate users and to act differently depending on them.

A use of cookies is to identify yourself on a website. Users are usually identified by entering their credentials on a validation page; Cookies allow the server to know that the user is already validated, and therefore can be allowed to access services or perform operations that are restricted to unidentified users.

Other websites use cookies to customize their appearance according to the user's preferences. Sites that require identification often offer this feature, although it is also present in others that do not require it. Personalization includes both presentation and functionality.

Cookies are also used to track users along a website. Tracking on a single site is usually done with the intention of maintaining usage statistics, while cross-site tracking typically targets the creation of anonymous user profiles by advertising companies, which will then be used to target campaigns (Decide what type of advertising to use) based on user profiles.

Myths

Since their introduction on the Internet have circulated misconceptions about cookies. In 2005 Jupiter Research published the results of a study, according to which a significant percentage of respondents believed certain of the following statements:

• Cookies are similar to worms and viruses in that they can erase data from users' hard drives.
• Cookies are a type of spyware because they can read personal information stored on users' computers.
• Cookies generate popups.
• Cookies are used to generate spam.
• Cookies are only used for advertising purposes.

In fact, cookies are data only, not code, then can not delete or read information from users' computers. However, cookies allow you to detect pages visited by a user on a particular site or set of sites. This information can be collected in a user profile. These profiles are usually anonymous, ie do not contain personal information of the user (name, address, etc.). In fact, they can not contain it unless the user has communicated it to one of the sites visited. But anonymously, these profiles have been the subject of some privacy concerns. 

According to the same report, a large percentage of Internet users do not know how to delete cookies.

Configuration

Most modern browsers support cookies. However, a user can usually choose whether cookies should be used or not. 


The browser may also include the ability to better specify which cookies have to be accepted and which ones do not. Specifically, the user can normally accept one of the following options: to reject the cookies of certain domains; Refuse cookies from third parties; Accept cookies as non-persistent (removed when browser closes); Allow the server to create cookies for a different domain. In addition, browsers can also allow users to view and delete cookies individually.

Privacy

Cookies have important implications for the privacy and anonymity of web users. Although cookies are only sent to the server that defined them or to another server in the same domain, a web page may contain images and other components stored on servers in other domains. The cookies that are created during requests for these components are called third-party cookies. 

Advertising companies use third-party cookies to track users across multiple sites. In particular, an advertising company can follow a user through all the pages where they have placed advertising images or web bugs. The knowledge of the pages visited by a user allows these companies to direct their advertising according to the supposed preferences of the user. 

The possibility of creating a user profile has been considered as a potential threat to privacy, even when tracking is limited to a single domain, but especially when it is through multiple domains through the use of third party cookies. For this reason, some countries have legislation on cookies. 

The European Union Directive 2002 on Privacy in Telecommunications contains rules on the use of cookies. Specifically, Article 5, paragraph 3 states that the storage of data (such as cookies) on a user's computer can only be done if:

The user receives information on how these data are used;
The user has the possibility to reject this operation.

However, this article also states that storing data that is necessary for technical reasons is allowed as an exception.

Disadvantages

In addition to the privacy concerns already mentioned, there are other reasons why the use of cookies has received some opposition: they do not always correctly identify users, and can be used for security attacks.

Inaccurate identification

If you use more than one browser on a computer, they each have their own cookie storage. Therefore, cookies do not identify a person, but a combination of user account, computer and browser. In this way, anyone who uses multiple accounts, multiple computers, or multiple browsers, also has multiple sets of cookies. 

In the same way, cookies do not differentiate between several people who use the same computer or browser, if they do not use different user accounts.

Cookie Theft

During normal operation, cookies are sent in both directions between the server (or group of servers in the same domain) and the computer of the user who is browsing. Since cookies may contain sensitive information (username, a token used as authentication, etc.), their values ​​should not be accessible from other computers. However, cookies sent over regular HTTP sessions are visible to all users who can listen on the network using a packet sniffer. These cookies should therefore not contain sensitive information. This problem can be solved by using https, which invokes transport layer security to encrypt the connection. 

Cross-site scripting allows the value of cookies to be sent to servers that would not normally receive such information. Modern browsers allow the execution of code segments received from the server. If cookies are accessible during execution, their value may be communicated in some way to servers that should not access them. The process that allows an unauthorized party to receive a cookie is called cookie theft, and encryption does not serve against this type of attack. 

This possibility is usually exploited by site attackers who allow users to send HTML content. By introducing an appropriate code segment into an HTML send, an attacker can receive cookies from other users. The knowledge of these cookies can then be exploited by connecting to the sites where stolen cookies are used, thus being identified as the user to whom the cookies were stolen.

Counterfeit cookies

Although cookies must be stored and sent back to the server without modification, an attacker could modify the value of cookies before returning them. If, for example, a cookie contains the total value of a user's purchase on a website, by changing that value the server could allow the attacker to pay less than he owes for his purchase. The process of changing the value of cookies is called a forgery of cookies and is often done after a theft of cookies to make a persistent attack. 

However, most websites only store in the cookie a session identifier - a unique number used to identify the user's session - and the rest of the information is stored on the server itself. In this case, the problem of the forgery of cookies is practically eliminated.

Cross-site cooking

Each site must have its own cookies, so that a site malo.net has no possibility to modify or define cookies from another site as good.net. Cross-site cooking vulnerabilities in browsers allow malicious sites to break this rule. This is similar to the forgery of cookies, but the attacker takes advantage of non-malicious users with vulnerable browsers, instead of attacking the website directly. The purpose of these attacks may be to perform a session fixation (session theft on a website). 


Data extracted from Wikipedia