A cookie is a small piece of data sent by a website and stored in the user's browser, so that the website can later consult the user's previous activity.
Its main functions are:
- Keeping track of users: when a user enters a user name and password, a cookie is stored so that they do not have to re-enter them for every page on the server. However, a cookie does not identify a single person, but a combination of computer, browser and user.
- Gathering information about the user's browsing habits, including spyware-like tracking attempts by advertising agencies and others. This can cause privacy problems and is one of the reasons cookies have their opponents.
Cookies can be deleted, accepted or blocked as desired; to do so, you only need to configure the web browser appropriately.
Cookies are usually used by web servers to tell users apart and to behave differently depending on who the user is.
Cookies are also used to track users across a website. Tracking within a single site is usually done to maintain usage statistics, while cross-site tracking is usually aimed at building anonymous user profiles for advertising companies, which then use those profiles to target advertising campaigns (deciding what type of advertising to show).
Since their introduction on the Internet, misconceptions about cookies have circulated. In 2005 Jupiter Research published the results of a study according to which a significant percentage of respondents believed some of the following statements:
- Cookies are similar to worms and viruses and can erase data from users' hard disks.
- Cookies are a type of spyware because they can read personal information stored on the user's computer.
- Cookies generate popups.
- Cookies are used to generate spam.
- Cookies are only used for advertising purposes.
In reality, cookies are just data, not code, so they cannot delete or read information on the user's computer. However, cookies do allow the pages a user visits on a particular site, or set of sites, to be detected. This information can be collected into a user profile. These profiles are usually anonymous, i.e. they do not contain personal information about the user (name, address, etc.). In fact, they cannot contain it unless the user has communicated it to one of the sites visited. Yet, although anonymous, these profiles have been the subject of privacy concerns.
According to the same report, a large percentage of Internet users do not know how to delete cookies.
Most modern browsers support cookies. However, a user can usually choose whether cookies should be used or not.
The browser may also let the user specify more precisely which cookies are accepted and which are not. In particular, the user can normally choose among the following options:
- reject cookies from certain domains;
- reject third-party cookies;
- accept cookies only as non-persistent (deleted when the browser is closed);
- allow the server to create cookies for a different domain.
In addition, browsers can also let users view and delete cookies individually.
Cookies have important implications for the privacy and anonymity of web users. Although cookies are only sent back to the server that set them, or to another server in the same domain, a web page may contain images and other components stored on servers in other domains. Cookies created during requests for these components are called third-party cookies.
Advertising companies use third-party cookies to track users across multiple sites. In particular, an advertising company can follow a user through all the pages where it has placed advertising images or web bugs. Knowing which pages a user has visited allows these companies to target their advertising according to the user's presumed preferences.
The ability to build a user profile has been considered a potential threat to privacy, even when tracking is limited to a single domain, but especially when it spans multiple domains through the use of third-party cookies. For that reason, some countries have cookie legislation; such legislation generally permits data to be stored on the user's computer only if:
- the user receives information on how that data is used;
- the user has the possibility of rejecting that operation.
However, the same provision also establishes that storing data that is necessary for technical reasons is permitted as an exception.
If more than one browser is used on a computer, each one has its own cookie storage. Cookies therefore do not identify a person, but a combination of user account, computer and browser. Anyone who uses multiple accounts, multiple computers or multiple browsers consequently also has multiple sets of cookies.
Likewise, cookies do not distinguish between several people who use the same computer or browser unless they use different user accounts.
Cross-site scripting allows the value of cookies to be sent to servers that would not normally receive that information. Modern browsers execute code segments received from the server. If cookies are accessible to that code while it runs, their value can be communicated in some way to servers that should not have access to them. The process by which an unauthorized party obtains a cookie is called cookie theft, and encryption does not protect against this type of attack, because the cookie is read inside the browser, before any transport encryption applies.
This possibility is normally exploited by attackers on sites that allow users to submit HTML content. By inserting an appropriate code segment into an HTML submission, an attacker can receive other users' cookies. Knowledge of these cookies can then be exploited by connecting to the sites where the stolen cookies are used and being identified as the user from whom they were stolen.
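Two defender-side controls against the theft described above, as an added example that is not part of the original article: user-submitted content is HTML-escaped before it is rendered, so a submitted code segment is displayed as text rather than executed, and the session cookie is issued with the HttpOnly, Secure and SameSite attributes so that page scripts cannot read it. The helper names and the sample comment are constructed for this example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample of a user submission that contains markup.
SUBMITTED_COMMENT = "Nice post! <script>evil()</script>"


def render_comment(raw: str) -> str:
    """Escape user-submitted content so the browser treats it as text, not code."""
    return "<p>%s</p>" % html.escape(raw, quote=True)


def session_set_cookie(session_id: str) -> str:
    """Build the Set-Cookie value for a session cookie that page scripts cannot read.

    HttpOnly keeps document.cookie from exposing it, Secure restricts it to
    HTTPS, and SameSite=Lax stops most cross-site requests from carrying it.
    """
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    return jar["session"].OutputString()


def audit_set_cookie(header_value: str) -> list:
    """Return the protective attributes missing from a Set-Cookie value.

    Useful for reviewing response headers captured in logs or a proxy.
    """
    attrs = [part.strip().lower() for part in header_value.split(";")[1:]]
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if not any(attr.startswith("samesite=") for attr in attrs):
        missing.append("SameSite")
    if "secure" not in attrs:
        missing.append("Secure")
    return missing


if __name__ == "__main__":
    print(render_comment(SUBMITTED_COMMENT))
    print("Set-Cookie:", session_set_cookie("constructed-session-id"))
    print("weak cookie is missing:", audit_set_cookie("session=abc; Path=/"))
```

HttpOnly only denies script direct access to the cookie value; injected script can still act within the user's session, so escaping the submitted content remains the primary fix.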
Although cookies are supposed to be stored and sent back to the server unchanged, an attacker may modify the value of a cookie before returning it. If, for example, a cookie contains the total value of a user's purchase on a website, changing that value could lead the server to let the attacker pay less than is due for the purchase. The process of modifying a cookie's value is called cookie spoofing and is often carried out after a cookie theft to make the attack persistent.
However, most websites store only a session identifier (a unique number used to identify the user's session) in the cookie and keep the rest of the information on the server itself. In this case, the problem of cookie spoofing is virtually eliminated.
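The vulnerable pattern and the session-identifier pattern side by side, as an added example that is not from the original article: the first function trusts a purchase total carried in the cookie, while the SessionStore keeps the total on the server and accepts only an opaque, randomly generated session id. The class, function and cookie names are constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie


def vulnerable_checkout_total(cookie_header: str):
    """The pattern described above: the purchase total travels in the cookie
    and the server trusts whatever value comes back (a cookie spoofing target)."""
    jar = SimpleCookie(cookie_header)
    if "total" not in jar:
        return None
    return float(jar["total"].value)  # a lowered value is accepted as-is


class SessionStore:
    """Hardened pattern: the cookie carries only an opaque session identifier;
    the purchase total lives in server-side state the client cannot edit."""

    def __init__(self):
        self._sessions = {}  # session id -> per-session data

    def create(self, total: float) -> str:
        # 256 bits of randomness: the id cannot be guessed or forged.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"total": total}
        return session_id

    def checkout_total(self, cookie_header: str):
        """Return the server-side total, or None when the cookie carries no
        known session id (a spoofed or unknown id is simply rejected)."""
        jar = SimpleCookie(cookie_header)
        if "session" not in jar:
            return None
        session = self._sessions.get(jar["session"].value)
        if session is None:
            return None
        return session["total"]


def demo():
    """Run one tampered cookie against both patterns.

    Returns (vulnerable result, hardened result for the forged id,
    hardened result for the genuine id)."""
    store = SessionStore()
    session_id = store.create(100.0)
    # Constructed client tampering: lowers the total and rewrites the session id.
    tampered = "total=1.00; session=forged"
    return (vulnerable_checkout_total(tampered),
            store.checkout_total(tampered),
            store.checkout_total("session=" + session_id))
```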
Cross-site cooking
Each site is supposed to have its own cookies, so that a site such as malo.net cannot modify or set cookies for another site such as Bueno.net. Cross-site cooking vulnerabilities in browsers allow malicious sites to break this rule. This is similar to cookie spoofing, but the attacker takes advantage of non-malicious users with vulnerable browsers rather than attacking the website directly. The goal of these attacks may be session fixation (hijacking a session on a website).
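A minimal cookie jar that applies the per-site rule from this section and the third-party cookie behaviour described earlier, written as an added example rather than code from the article: it discards a Set-Cookie whose Domain attribute names a different site, and when a page embeds a component from another domain it attaches that domain's own cookie to the component request. The CookieJar class, the page_load helper and the URLs are constructed for illustration.

```python
from urllib.parse import urlsplit


def _domain_match(host: str, domain: str) -> bool:
    """True when a cookie scoped to `domain` applies to `host`."""
    return host == domain or host.endswith("." + domain)


class CookieJar:
    """Stores cookies keyed by (domain, name) and enforces the per-site rule:
    a response may only set cookies for its own host or a parent domain of it.
    Real browsers additionally refuse public suffixes such as 'net'."""

    def __init__(self):
        self._cookies = {}

    def store(self, response_host: str, set_cookie: str) -> bool:
        parts = [p.strip() for p in set_cookie.split(";")]
        name, _, value = parts[0].partition("=")
        response_host = response_host.lower()
        domain = response_host
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            if key.strip().lower() == "domain":
                domain = val.strip().lstrip(".").lower()
        # Cross-site cooking defence: malo.net may not set a cookie for bueno.net.
        if not _domain_match(response_host, domain):
            return False
        self._cookies[(domain, name)] = value
        return True

    def cookies_for(self, url: str) -> dict:
        """Cookies the browser would attach to a request for `url`."""
        host = urlsplit(url).hostname.lower()
        return {name: value for (domain, name), value in self._cookies.items()
                if _domain_match(host, domain)}


def page_load(jar: CookieJar, page_url: str, embedded_urls: list) -> dict:
    """Map every request a page load triggers (the page plus its embedded
    components) to the cookies sent with it; those sent to the embedded
    components' domains are the third-party cookies."""
    return {url: jar.cookies_for(url) for url in [page_url] + embedded_urls}
```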
Data extracted from Wikipedia