Baking Biscuits - A Closer Look at Cookies
As well as being delicious biscuits, "Cookies" are an aspect of the
computer world that is known to many people. However, very few people actually
know exactly what the term means and how it functions. This is reason enough for
us to examine this important and interesting topic in more detail and to explain
a technological feature that forms an essential part of the Internet as we know
it today.
A Cookie is a Cookie is a Cookie
Short and sharp: a cookie is a small snippet of information sent from a
web server to a user's browser, which then stores it. On subsequent access to
the same web server this server can then read back this information snippet and
use it to "recognize" the user. Cookies are most often used to allow users on
particular websites (e.g. forums) to remain permanently logged in, thus avoiding
the constant irritating entry of username and password. However, anyone who
purchases a flannel shirt in an online shop should not be surprised when they
see targeted special offers for flannel shirts the next time they visit the
website.
A Day in the Life of a Cookie
From a technical point of view, cookies are an extension of the "Hypertext
Transfer Protocol" (HTTP). This protocol makes surfing possible by allowing the
requested web page to be delivered from the relevant server to your computer and
then displayed in your browser. HTTP is an example of a so-called "stateless"
protocol, meaning that the web server does not "remember" who has requested a
web page because the data link may be closed as soon as the web page has been
delivered. This means that when several pages on a website are clicked one after
the other, the server does not know that the same user sent these requests; it
simply responds to each request in turn.
Cookies are sent in the so-called "HTTP Header" of the data transfer and are
then stored internally in the browser. Cookies consist of a string of
characters, with a maximum size of 4 KB, which cannot contain executable code.
A cookie contains information such as
the requested URL, the expiry date of the cookie and appropriate user-specific
content. Does this sound complicated? - This is less complicated than it sounds
and the user usually has no idea that this is happening. At first glance one
might think that it would be much simpler to allow the visited web pages to just
store information directly on the hard drive of the local computer, but nobody
would voluntarily allow free access to their hard drive to any and all sites in
the Internet. This is a good thing; otherwise we as a Security Software provider
would have even more work to do.
A Closer Look at Cookies
Remaining at a technical level for the moment, a distinction
exists between "persistent" and "session" cookies. While persistent cookies
remain valid for a specific period of time specified by the web server (e.g.
allowing a forum user to remain logged in for up to two weeks after the last
visit), session cookies become invalid as soon as the current session ends,
which usually occurs when the browser is closed. A typical scenario is the
reading and writing of emails using one of the many web mail providers. As long
as requests to the server occur within a particular time interval (e.g. five
minutes), the user remains logged in and can continue to read emails and surf
around the email web pages. This is naturally very useful to you as a user
because if you had to enter your access information after every click the web
mailers would not be as popular as they currently are. Another good example of
the use of session cookies can be found in the area of online banking. Three
transfers and thus entry of your access data three times? - Fortunately this is
not necessary.
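The following is an added example, not part of the original article: it reads cookies as they arrive in the HTTP header and sorts them into "session" and "persistent" by whether an expiry is set. The header lines, cookie names and the fixed clock value `NOW` are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

MAX_COOKIE_BYTES = 4096  # the 4 KB limit mentioned in the article
# Constructed "current time" so the example gives the same result on every run.
NOW = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample response headers (not captured from a real site).
SAMPLE_HEADERS = [
    "Set-Cookie: sid=abc123; Path=/; HttpOnly",
    "Set-Cookie: remember=u42; Expires=Wed, 15 Jan 2025 12:00:00 GMT; Path=/",
    "Set-Cookie: prefs=dark; Max-Age=1209600; Path=/forum",
    "Set-Cookie: old=1; Max-Age=0; Path=/",
]


def classify(header_line, now):
    """Return (name, kind, lifetime_seconds) for one Set-Cookie header line."""
    field, _, value = header_line.partition(":")
    if field.strip().lower() != "set-cookie":
        raise ValueError("not a Set-Cookie header")
    value = value.strip()
    if len(value.encode()) > MAX_COOKIE_BYTES:
        raise ValueError("cookie exceeds 4 KB")
    jar = SimpleCookie()
    jar.load(value)
    if not jar:
        raise ValueError("no cookie found in header")
    name, morsel = next(iter(jar.items()))
    if morsel["max-age"] != "":
        # Max-Age is a lifetime in seconds and takes precedence over Expires.
        lifetime = int(morsel["max-age"])
    elif morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        lifetime = int((expires - now).total_seconds())
    else:
        # No expiry at all: the cookie ends with the browser session.
        return name, "session", None
    return name, ("persistent" if lifetime > 0 else "expired"), lifetime


def classify_all(header_lines, now):
    return [classify(line, now) for line in header_lines]


if __name__ == "__main__":
    for row in classify_all(SAMPLE_HEADERS, NOW):
        print(row)
```

Both persistent cookies in the sample last 1209600 seconds, which is the two-week forum login from the text.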
The Dark Side of Cookies
We would not occupy ourselves with the topic of cookies if there were not a
dark side in contrast to the positive uses. Data security is an important topic
in
the present day. In most countries in the world the right to privacy is embedded
in basic legislation. If you now receive special offers in an online shop for
products that you find interesting (e.g. the flannel shirts mentioned
previously) then this may be convenient for you. However, if you think one step
further, this also means that a user profile about you could be created.
This is naturally not only the case with online shops but theoretically also
with all other websites. Depending on the website, if you provide your proper
name and possibly also your date of birth and address when registering, you
should not be surprised when masses of personalized advertising material
suddenly begin to appear in both your virtual and physical mailboxes. We should
not ignore the fact that serious websites always provide a data privacy
declaration, which guarantees that stored information is not misused or passed
on to any other party. However, black sheep - or in this case "black cookies" -
exist everywhere in real life and thus also in the Internet.
Convenience Versus Risk
First the good news: cookies do not represent a security threat, at least up to
now.
However, you should make a conscious personal decision as to whether you wish to
allow the collection and categorization of your personal data. The data privacy
alarm bells may ring with some people and others may say "who cares".
Even if you take the mentioned risks seriously, this does not mean that
you must configure your browser to completely disable the use of cookies. After
all, cookies offer a very convenient service and without them some web services
would not be possible. As usual, it all boils down to how you use them. From a
configuration point of view, it is a good idea to always manually confirm
cookies before they are allowed to be stored. This causes more browser popup
dialogs but you can usually select the websites for which you wish to allow
cookies - e.g. to remain logged into the "Fans of Flannel Shirts" forum. In any
case, you should always (automatically) refuse "Third Party Cookies", i.e.
cookies from another website requested via an embedded advertising banner,
because these usually have no benefit to you as a user and are only used for
data gathering purposes.
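The policy recommended above (confirm cookies per website, always refuse third-party cookies) can be written down as a short decision routine. This is an added example, not part of the original article; the host names, cookie names and the `site_of` helper are assumptions made for illustration, and real browsers decide what counts as the "same site" with the Public Suffix List rather than the two-label shortcut used here.

```python
from urllib.parse import urlsplit

# Constructed sample: the page the user is visiting and the responses that
# tried to set cookies while it loaded (request URL, Set-Cookie value).
PAGE_URL = "https://forum.flannel-fans.example/thread/1"
RESPONSES = [
    ("https://forum.flannel-fans.example/login", "sid=abc123; Path=/"),
    ("https://static.flannel-fans.example/logo.png", "cdn=1; Path=/"),
    ("https://ads.banner-network.example/banner.gif", "track=xyz; Max-Age=31536000"),
]


def site_of(url):
    """Naive 'site' of a URL: the last two labels of its host name.

    Assumption: good enough for the sample hosts, wrong for suffixes such as
    co.uk, where a Public Suffix List lookup is required.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_third_party(page_url, request_url):
    """A cookie is third-party when it comes from a different site than the page."""
    return site_of(page_url) != site_of(request_url)


def filter_cookies(page_url, responses, confirmed_sites):
    """Apply the policy and return (stored_names, refused) for the responses."""
    stored, refused = [], []
    for request_url, set_cookie in responses:
        name = set_cookie.split("=", 1)[0].strip()
        if is_third_party(page_url, request_url):
            refused.append((name, "third-party"))
        elif site_of(request_url) not in confirmed_sites:
            refused.append((name, "site not confirmed by user"))
        else:
            stored.append(name)
    return stored, refused


if __name__ == "__main__":
    print(filter_cookies(PAGE_URL, RESPONSES, {"flannel-fans.example"}))
```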
Whatever approach you take, regular scans using the a-squared Anti-Malware or
the a-squared Web Malware Scanner are recommended. Both variants can recognize
and remove cookies used for data
gathering purposes. If you have ever wondered about "Tracking Cookies" that show
up in the scan results... Yes, these are cookies from the dark side. ;-)