There are two common problems with logging into our site that involve cookies. The most common is that you have an older cookie that the site no longer recognizes because of a software upgrade or similar change. How to Remove Cookies shows you the steps for removing cookies.
The other problem is less common: the site may be blocked from giving you a new cookie – your browser may have blocked future cookies when you deleted the older ones. To fix this, see How to Allow Cookies.
Q What are cookies?
A Cookies are small pieces of text (your browser usually stores them as files) which the server gives your browser and which act as “tickets” for whatever you are doing on the website. Often, they provide some sort of identity; Microsoft-based servers often use a 128-bit random number (a GUID) for cookies, while other servers may use any random item that can be your ticket. If you log in to the server, it may save some login information such as your account ID and a random string that identifies your session.
The important thing to know is that your browser will only give a cookie back to the server that issued it. So, if you visit a website that has a shopping cart, you quite possibly have a cookie the server uses to track what you said you wanted to buy. But no other webserver will ever see that cookie.
Q What can a cookie do?
A By themselves, they do nothing. Do not be concerned that a cookie contains a virus or that an evil program of some sort has been placed on your computer. The cookie is a text file. It is not executable and it can't run like a program.
A cookie is used as a “tag” on your computer, the way they “tag” bears on those Saturday morning wildlife shows that play right before the football games. That “tag” holds information that the server wants to be reminded of when you return:
Please remember that the cookie denotes your computer, not you. The server has no idea who you actually are unless you tell them by offering your name or e-mail address.
Q Where does the term “cookie” come from?
A It's an older bit of programmer slang for a piece of data stored to communicate between two processes, typically separated in time, and often as some kind of tag. The fuller form is “magic cookie.” It was used as far back as the late '80s, at least. The term “magic cookie” was probably originally coined in reference to one of those old adventure games (perhaps “Adventure” itself) in which you had to give some character a magic cookie to get something from it (analogous to cookie verification), but that may be a technology myth.
A If you log in to the webserver and check the “Remember me” option, we save a cookie that has your user name, IP and password encrypted into it. If you return to the website with the same browser from the same IP address, the server will automatically log you in.
Q What if I don't allow Cookies? Can I still use the website?
A Generally, yes. Like most websites, we simply use either “Session Variables” or “Session Cookies”, assuming you allow at least session cookies. The value of these two technologies is simple: when you close your browser, all the information is lost, permanently. In most cases, it was never written to the disk at all.
Internet Explorer 7 has an interesting option here (this could be one of the few redeeming things about any IE version): it can force ALL cookies to be session cookies regardless of the webserver's request. This should be transparent to the user and the server; cookies are permitted but are deleted when the browser closes. However, there is currently a bug in the implementation: if you open a second window and close either of the windows, ALL cookies will be deleted and all session information is lost to the remaining window. So the feature as it actually exists is that all cookies are deleted when ANY Internet Explorer window is closed.
Q Are cookies a security concern for me?
A Probably not.
Q Can cookies be used for evil?
A Yes, they can. The most common “bad” cookie is a tracking cookie. They don't know who you are but they do know what you do online. Consider how Amazon is always advertising “People who bought X also bought Y” when they know you have also bought X. Tracking Cookies allow companies to say “People who shop on site X also tend to shop on site Y” which can influence things like where sites choose to advertise, what products they may add to their business, or even when to prevent specific advertisers because they are distracting customers away from your site.
But…!! We also said cookies aren't a security threat, right? Once you see that any request to a webserver can result in a cookie and, on any future request, that cookie can be returned to the server, then you can see the problem of banner ads and “Web Bugs”.
Q Are cookies required for doing evil?
A Not at all. Your IP Address is currently a larger and faster growing concern because, unlike dial-up, broadband connections tend to have fixed IP addresses. This means advertisers need cookies less than before, as your IP address is fixed and pretty much identifies you or your family. In fact, the latest trend in internet marketing is to trade data based on IP Addresses because IP addresses are like street addresses: they have a geographic identity, so the advertising company can say “we have a user in a suburb of [pick a city] who has broadband and visits sites for these products more than once a week.”
They can also sell advertising to vendors based on the fact they know where you live. Have you noticed that you now get ads that say “Wouldn't you like to meet singles in [your city]?” This is IP address geography at work.
Another trend that most people are unaware of is the new ability to combine databases based on IP Addresses. When cookies were used, two companies couldn't say your customer 123456 is my customer xvRgTASmN … let's combine their data and our observations. Now they can say definitively these two homes are the same. In fact, they no longer seem to care if you are on dialup in most cases because your data still fits the statistical analysis for your community.
In general, cookies are anonymous and don't get shared across web servers to protect your privacy. These are good things.
The problem is how some people use graphics to “bug” your browser in the sense of listening for things you'd normally consider private:
Web Bugs are images (GIFs, JPEGs, PNGs, etc.) that companies and organizations put into web pages, e-mails and other HTML-supporting documents to track information about the viewer. These images are sometimes known by other names such as tracking bugs, pixel tags, web beacons or clear GIFs. Whatever the name, their function is largely the same.
Under normal circumstances an organization would just look at their web logs to find the kind of information that a Web Bug might provide them. However, if the content the web bugger wishes to track is not hosted on their site, but is instead hosted on a third party's server, then the web bugger cannot obtain this information since they would not have access to the web server logs. By putting an image from one of their servers into an HTML e-mail or a third party's webpage, the Web Buggers can find the data they want about the content's viewer. Some of the interesting information items that can be obtained about the viewer are:
* IP Address
* Operating System
* Web browser type (IE, Mozilla, Opera, etc.)
* Date the image was viewed
* If cookies are used
* Other sites visited
“Other sites visited” includes site(s) you were looking at before this page, also called the “referrer.”
Note: Because all Microsoft products use Internet Explorer to view HTML, a web bug embedded in anything has access to the cookies in IE! That includes your e-mail in both Outlook and Outlook Express, Word documents, web pages, Windows Explorer, … etc.
A web bug is just as effective as a banner ad at gathering information about you, but it is more subtle because it's not visible. Many people find this secretive approach more offensive than the ever-present ads for pornography sites simply because you don't know when you're being watched.
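As an added illustration (not part of the original FAQ), the Python sketch below scans a page's HTML for images that match the web bug description above: loaded from another host and either 1x1 or hidden. The sample page and all hostnames are constructed placeholders, and visible third-party banners, which receive the same data, are deliberately not flagged.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class WebBugFinder(HTMLParser):
    """Collect <img> tags that are tiny or hidden and come from another host."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        host = (url.hostname or "").lower()
        # Relative URLs and same-host images are first-party: not a web bug.
        if not host or host == self.page_host:
            return
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.findings.append({
                "host": host,
                "reason": "tiny" if tiny else "hidden",
                # Query parameters are where a page can pass along an ID for you.
                "params": sorted(parse_qs(url.query)),
            })

def find_web_bugs(html, page_host):
    finder = WebBugFinder(page_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page; every hostname here is a placeholder.
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.png" width="200" height="60">
<img src="http://shop.example/banner.jpg" width="468" height="60">
<img src="http://tracker.example/clear.gif?cust=123456&amp;page=cart" width="1" height="1">
<img src="http://stats.example/p.png" style="display: none">
<img src="http://ads.example/banner.gif?slot=top" width="468" height="60">
</body></html>
"""

if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML, "shop.example"):
        print(bug)
```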
With Banner ads and Web Bugs, the more sites you visit the more they get to know what you like and the more they show you ads for things you're more likely to be interested in. Even if your identity is just a random number, the server can learn things about you. For example:
The advertising server for www.evil-example.com can now build a database saying user 123456 has visited [at least] two specific webpages and can keep count of how often and track your last visit. This means that, while it doesn't know who YOU are, it does know:
This data is why advertisers want their ads everywhere. Whether users click or not, they get data. So, when they get data 100% of the time, paying per-click is a pretty low rate. This is also a “dirty secret” about the banner advertisers; they really aren't too worried whether or not you click on the ads; the fact your browser asked for it makes them money anyway.
Target marketing is the motive:
Another violation of privacy has been observed: requests for Banner and Web Bugs may include identifying information about you which is then associated to the cookies on your computer. This allows the data about you across all the sites using that tracking GIF to build up quite a profile about where you go on the internet and what pages you see.
So, suppose you visit www.exploitivevendor.com and they send you a page in which they embed a request for the GIF with extra data about who you are (it may simply be a customer number on their site, so still sort of anonymous). The site www.evil_banner_ads.com sends the GIF and adds your identifying info into your cookie or (worse?) into their database. Over time, other vendors add their tidbits of ID to your information the same way.
Remember how cookies were tags for computers and not people? Well, if you access any of the participating vendors from another PC, site www.evil_banner_ads.com can connect the user at your home PC with the user of your handheld or laptop PC, or even with you at your parents' home fixing their PC … none of these users is really anonymous any more. This is where cookies go really bad. And it's not the cookie's fault.
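The linking described above can be seen from the user's side by looking at what the browser sends. This added example (not from the original FAQ) takes a constructed log of browser requests and reports every third-party host that received the same cookie while you were on different sites, along with any customer ID passed in the image URL; the hostnames, cookie names and the `cust` parameter are placeholders.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed browser request log: (page being viewed, URL requested, Cookie sent).
# Hostnames, cookie names and parameter names are placeholders.
REQUESTS = [
    ("http://news.example/story", "http://news.example/style.css", "sess=aa11"),
    ("http://news.example/story", "http://ads.example/banner.gif", "uid=123456"),
    ("http://shop.example/cart", "http://ads.example/clear.gif?cust=C-998", "uid=123456"),
    ("http://shop.example/cart", "http://cdn.example/jquery.js", ""),
    ("http://forum.example/t/42", "http://ads.example/clear.gif", "uid=123456"),
    ("http://forum.example/t/42", "http://stats.example/p.gif", "v=zz9"),
]

def third_party_profiles(requests):
    """Rebuild, per third-party host and cookie, what that host can learn."""
    profiles = defaultdict(lambda: {"sites": set(), "ids": set()})
    for page_url, req_url, cookie in requests:
        page_host = urlsplit(page_url).hostname
        req = urlsplit(req_url)
        # Same-host requests are first-party; no cookie means no stable tag.
        if req.hostname == page_host or not cookie:
            continue
        profile = profiles[(req.hostname, cookie)]
        # The page you were on reaches the third party as the referrer.
        profile["sites"].add(page_host)
        # Extra data the embedding page put into the image URL.
        profile["ids"].update(f"{k}={v}" for k, v in parse_qsl(req.query))
    return profiles

def cross_site_trackers(requests, min_sites=2):
    """Third parties whose single cookie was seen on several different sites."""
    return {
        key: {"sites": sorted(p["sites"]), "ids": sorted(p["ids"])}
        for key, p in third_party_profiles(requests).items()
        if len(p["sites"]) >= min_sites
    }

if __name__ == "__main__":
    for (host, cookie), seen in cross_site_trackers(REQUESTS).items():
        print(host, cookie, seen)
```

Blocking third-party cookies removes the `uid` value from every one of these requests, which is what breaks the link between the three sites.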
Q Is there a way to stop all this advertising stuff from taking advantage of me?
A Yes, there are a number of ways depending on your system: