
The Cookie Concept

CSE 597B Computational Issues in Ecommerce

Sandip Debnath, Dr. C Lee Giles, Dr. David Pennock, Dr. Ingemar Cox, Dr. Hongyuan Zha

The Outline
(The Cookie Concept)

The cookie concept
The dark side
New technology or existing technology under attack
Cookies and Viruses
What went wrong
Discussion

The Cookie Concept



A piece of information generated by the web server and stored on the client side, ready for future access.

A part of my .netscape directory's cookie.txt file

ad1.adcept.net FALSE /cgi-bin FALSE 1311304079 adcept_identifier zznkfGexSbfzhKumxDg959RBM
.netscape.com TRUE / FALSE 1293840000 UIDC 130.203.30.36:0979150309:904770
.yahoo.com TRUE / FALSE 1271361600 B 215d03gt5rqp8&b=2
.passport.com TRUE / FALSE 2145744001 MSPDom 2
.hotmail.msn.com TRUE / FALSE 2145744000 HMP1 1br2.
americanexpress.com FALSE / FALSE 1137000056 SaneID 130.203.30.38--8842383120439
msn.co.uk FALSE / FALSE 1065265217 MC1 V=2&GUID=f6ab57ca5eb8447d982eb3e5b09cfbd5
.msn.com TRUE / FALSE 1065294017 MC1 V=2&GUID=F6AB57CA5EB8447D982EB3E5B09CFBD5
.doubleclick.net TRUE / FALSE 1920499194 id 80000005566efd0
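
Added example (not part of the original slides): a JavaScript parser for entries in this layout that reports each cookie's expiry year and flags long-lived, domain-wide, or non-secure entries. The field meanings follow the Netscape cookie file layout; the function names and the sample lines are constructed for illustration.

```javascript
// Added example. Field order assumed from the Netscape cookie file layout:
// domain, subdomain flag, path, secure flag, expiry (Unix seconds), name, value.
function parseCookieLine(line) {
  const text = line.trim();
  if (text === "" || text.startsWith("#")) return null;
  const f = text.split(/\s+/);
  const expiry = Number(f[4]);
  if (f.length < 7 || !Number.isInteger(expiry)) return null;
  return {
    domain: f[0],
    subdomains: f[1] === "TRUE",
    path: f[2],
    secure: f[3] === "TRUE",
    expires: new Date(expiry * 1000),
    name: f[5],
    value: f.slice(6).join(" "),
  };
}

// Flag cookies that outlive maxDays from `now`, are readable by a whole
// domain, or may be sent over plain HTTP.
function auditCookies(text, now, maxDays) {
  const limit = now.getTime() + maxDays * 86400 * 1000;
  return text.split("\n").map(parseCookieLine).filter(Boolean).map((c) => {
    const flags = [];
    if (c.expires.getTime() > limit) flags.push("long-lived");
    if (c.subdomains) flags.push("domain-wide");
    if (!c.secure) flags.push("sent-over-http");
    return {
      domain: c.domain,
      name: c.name,
      expiresYear: c.expires.getUTCFullYear(),
      flags: flags,
    };
  });
}

// Constructed sample input, not taken from a real browser profile.
const SAMPLE = [
  "# Netscape HTTP Cookie File",
  ".ads.example TRUE / FALSE 2145744000 id 8000abcd",
  "shop.example FALSE /cart TRUE 1000000000 basket 42",
  "broken line",
].join("\n");

const report = auditCookies(SAMPLE, new Date(Date.UTC(2001, 0, 1)), 365);
console.log(report);
```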

The Cookie Concept (contd.)



Cookies are embedded in HTML information flowing back and forth.
Useful for user-side customization of the Web information.
Usually transparent to the user.
Procedure:
Storing the cookie: The Web server creates the cookie and sends it to the client machine. If the client machine is cookie savvy, it saves the cookie in the appropriate file.
Loading the cookie: The previously stored cookie is transferred from the client machine to the server machine.
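
The storing and loading steps above, as an added example that is not part of the original slides: a minimal client-side cookie jar in JavaScript that stores Set-Cookie headers and builds the Cookie header for a later request. The function names, host names and cookie values are assumptions made for illustration.

```javascript
// Added example: store/load round trip with a minimal client-side jar.
// Simplified: no expiry, no replacement of same-name cookies, no public
// suffix check. Host names and cookie values are constructed.
function domainMatches(host, c) {
  if (host === c.domain) return true;
  return !c.hostOnly && host.endsWith("." + c.domain);
}

function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  return reqPath.startsWith(cookiePath) &&
    (cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/");
}

// Storing: parse a Set-Cookie response header received from requestHost.
function storeCookie(jar, requestHost, header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: requestHost, hostOnly: true, path: "/", secure: false };
  for (const a of attrs) {
    const [k, v = ""] = a.split("=");
    const key = k.toLowerCase();
    if (key === "domain") {
      c.domain = v.replace(/^\./, "").toLowerCase();
      c.hostOnly = false;
    } else if (key === "path") c.path = v || "/";
    else if (key === "secure") c.secure = true;
  }
  // Refuse a Domain attribute that does not cover the host that set it.
  if (!domainMatches(requestHost, c)) return false;
  jar.push(c);
  return true;
}

// Loading: build the Cookie request header the client sends for a URL.
function cookieHeaderFor(jar, url) {
  const u = new URL(url);
  return jar
    .filter((c) => domainMatches(u.hostname, c))
    .filter((c) => pathMatches(u.pathname, c.path))
    .filter((c) => !c.secure || u.protocol === "https:")
    .map((c) => c.name + "=" + c.value)
    .join("; ");
}

const jar = [];
storeCookie(jar, "www.shop.example", "ID=123456; Domain=shop.example; Secure");
storeCookie(jar, "www.shop.example", "prefs=large; Path=/account");
console.log(cookieHeaderFor(jar, "https://www.shop.example/account/settings"));
```

The Secure cookie is withheld from plain HTTP requests, the host-only cookie is not sent to sibling hosts, and a Set-Cookie whose Domain does not cover the sending host is refused.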

The Cookie Concept (contd.)



JavaScript:

function setCookie(name, value, expires, path, domain, secure)
function getCookie(name)
function deleteCookie(name, path, domain)

The Cookie Concept (contd.)



JavaScript:

function setCookie(name, value, expires, path, domain, secure) {
  // Only name and value are required; each attribute is appended when given.
  document.cookie = name + "=" + escape(value) +
    ((expires) ? ";expires=" + expires.toGMTString() : "") +
    ((path) ? ";path=" + path : "") +
    ((domain) ? ";domain=" + domain : "") +
    ((secure) ? ";secure" : "");
}

The Cookie Concept (contd.)



JavaScript:

function getCookie(name) {
  // Prefix with "; " so a lookup for "id" cannot match inside "userid=...".
  var all = "; " + document.cookie;
  var start = all.indexOf("; " + name + "=");
  if (start == -1) return null;
  var len = start + name.length + 3; // skip "; ", the name and "="
  var end = all.indexOf(";", len);
  if (end == -1) end = all.length;
  return unescape(all.substring(len, end));
}

The Cookie Concept (contd.)



JavaScript:

function delCookie(name) {
  // An expiry date in the past makes the browser discard the cookie.
  document.cookie = name + "=" + "; expires=Thu, 01-Jan-70 00:00:01 GMT" + "; path=/";
}

The Cookie Concept (contd.)



CGI
use CGI qw/:standard/;   # provides header()
use CGI::Cookie;

# Create new cookies and send them
$cookie1 = new CGI::Cookie(-name=>'ID', -value=>123456);
$cookie2 = new CGI::Cookie(-name=>'preferences',
                           -value=>{ font => 'Helvetica', size => 12 });
print header(-cookie=>[$cookie1, $cookie2]);

# Fetch existing cookies
%cookies = fetch CGI::Cookie;
$id = $cookies{'ID'}->value;

The Cookie Concept (contd.)



Java

Cookie
public Cookie(String name, String value)
Defines a cookie with an initial name/value pair. Names must not contain whitespace, comma, or semicolons and should only contain ASCII alphanumeric characters. Names starting with a "$" character are reserved by RFC 2109.
Parameters:
name - name of the cookie
value - value of the cookie

The Cookie Concept (contd.)



Java

clone(): Returns a copy of this object.
getComment(): Returns the comment describing the purpose of this cookie, or null if no such comment has been defined.
getDomain(): Returns the domain of this cookie.
getMaxAge(): Returns the maximum specified age of the cookie.
getName(): Returns the name of the cookie.
getPath(): Returns the prefix of all URLs for which this cookie is targeted.

The Cookie Concept (contd.)



Java

getSecure(): Returns the value of the 'secure' flag.
getValue(): Returns the value of the cookie.
getVersion(): Returns the version of the cookie.
setComment(String): If a user agent (web browser) presents this cookie to a user, the cookie's purpose will be described using this comment.
setDomain(String): This cookie should be presented only to hosts satisfying this domain name pattern.

The Cookie Concept (contd.)



Java

setMaxAge(int): Sets the maximum age of the cookie.
setPath(String): This cookie should be presented only with requests beginning with this URL.
setSecure(boolean): Indicates to the user agent that the cookie should only be sent using a secure protocol (https).
setValue(String): Sets the value of the cookie.
setVersion(int): Sets the version of the cookie protocol used when this cookie saves itself.

The Dark Side



The entire transaction (storing and loading) is completely transparent to the user.
Invasive to the user's privacy.
Not a very strong mechanism by itself: the way cookies are stored and used can be fooled if you do not want cookies.

New technology or existing technology under attack



A new proposal to IETF, Microsoft, Netscape asked to enforce the limit of persistent cookies, as well as to provide an option for users to select which cookies to accept.
Warning before accepting any cookies.
Doubleclick, Focalink, GlobalTrack, ADSmart will be jeopardized if cookies are stopped.

Cookies and Viruses



A cookie cannot be a danger, as it is stored as a normal text-based file.
Cookie files are only readable and writable, not executable.
Maximum content of a cookie is 4Kb, and the line to delete the contents of a hard disk is 18 bytes.
In Unix the command is: $> /bin/rm -rf /
In DOS/Windows: c:\> rd /S /Q c:\*
So a virus could create a problem (theoretically), but this has not been seen yet.

What went wrong



Introduced for good reason: helping users access their favorite web sites easily from the second time onwards.
Sometimes used by unscrupulous entities for other reasons: some marketing firms tried to use this to access private information for advertising campaigns.

Discussion

???
