
What is cookie, how cookie works?


A cookie is a small piece of text stored on a user's computer by a web browser. A cookie consists of one or more name-value pairs containing bits of information. It is sent as an HTTP header by a web server to a web browser and then sent back unchanged by the browser each time it accesses that server. A cookie can be used for authentication, session tracking, storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing textual data.

Because cookies are plain text and not executable, they do not qualify as spyware or viruses. Anti-spyware products may nevertheless warn users about some cookies, because cookies can be used to track people across sites and so raise privacy concerns. Most browsers let users decide whether to accept cookies and how long to keep them, but rejecting cookies may make some websites unusable.

One of the most common uses for cookies is to track user login state. The mechanism is quite simple: you go to a page and sign in with a username and password. If the information is valid, a cookie that uniquely identifies the user is sent with the next response. Each page in the site checks for that cookie in order to establish that the user is logged in. As long as the cookie remains intact, you are treated as the user who originally logged in. Most sites set these cookies as session cookies, to be deleted when the browser closes, as a security measure to prevent you from remaining logged in unintentionally. Many login forms also offer a "remember me" checkbox to change this to a persistent cookie at the user's request. Even then, most systems limit such cookies to one or two weeks to prevent long-lived login credentials that may put the user at risk.

The problem with this system is that it relies on a single piece of data to identify the user. Further, over an unencrypted HTTP connection cookies are sent in plain text, making them vulnerable to packet sniffing, whereby someone intercepts traffic between a computer and the Internet. Once the value of a user's login cookie is taken, it can be used to reproduce the same session elsewhere by manually setting the cookie. The server can't tell the difference between the cookie it originally set and the duplicate that was stolen through packet sniffing, so it acts as if the user had logged in. This type of attack is called session hijacking. There are a few ways to reduce the risk of session hijacking when using cookies.

The first common technique is to only send cookies over SSL. Since SSL encrypts the request in the browser before it is transmitted across the Internet, packet sniffing alone can't be used to identify the cookie value. Banks and stores use this technique frequently since user sessions are typically short in duration.

Another technique is to generate a session key in some random fashion and/or a way that is based on information about the user such as username, IP address, time of login, etc. This makes it more difficult to reuse a session key.

Yet another technique is to re-validate the user before performing an activity deemed to be of a higher security level, such as transferring money or completing a purchase. For example, many sites require you to log in a second time before changing a password.

A session cookie is the link between the browser and the user's server-side session. Ideally it contains only a random session identifier that is unique, hard to guess, and valid only for a given period of time. Only the server should be able to associate the user's data and preferences with that identifier. Thus, when the session cookie expires, it becomes useless, and it never needs to contain any information relating to the user.

The cookie should never contain direct user information, and its lifespan should be as close as possible to the duration of the user's session.
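As an added illustration of the design the article describes (this is example code, not part of the original page), the following Python sketch issues an opaque random session identifier at login, keeps all user data in a server-side store keyed by that identifier, marks the cookie `Secure` so the browser only returns it over an encrypted connection, and rejects the identifier once its lifetime has passed. The cookie name `sid`, the 15-minute lifetime and the usernames are assumptions chosen for the example.

```python
"""Server-side session handling behind a login cookie (added example).

The browser only ever sees a random identifier; the username and any
preferences live in the server's store, and the entry dies after a
fixed lifetime so a replayed identifier is useless.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_COOKIE = "sid"        # assumed cookie name
SESSION_LIFETIME = 15 * 60    # assumed lifetime in seconds


@dataclass
class Session:
    username: str
    last_seen: float


class SessionStore:
    """In-memory map from opaque session id to server-side session data."""

    def __init__(self, lifetime: int = SESSION_LIFETIME, clock=time.time):
        self.lifetime = lifetime
        self.clock = clock          # injectable so expiry can be tested
        self._sessions: Dict[str, Session] = {}

    def create(self, username: str) -> str:
        # 32 bytes from the OS CSPRNG: unique, infeasible to guess, and
        # carrying no user information (unlike a cookie such as user=alice).
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(username, last_seen=self.clock())
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[str]:
        """Return the username for a known, unexpired id, else None."""
        if not sid or sid not in self._sessions:
            return None
        sess = self._sessions[sid]
        now = self.clock()
        if now - sess.last_seen > self.lifetime:
            # Expired: forget it so a later replay cannot revive the session.
            del self._sessions[sid]
            return None
        sess.last_seen = now
        return sess.username

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str, max_age: int = SESSION_LIFETIME) -> str:
    """Set-Cookie header value sent in the response after a successful login.

    Secure   -> browser returns the cookie only over HTTPS (the SSL-only technique)
    HttpOnly -> page scripts cannot read it
    SameSite -> browser withholds it on cross-site requests
    Max-Age  -> browser discards it when the session lifetime ends
    """
    return (f"{SESSION_COOKIE}={sid}; Max-Age={max_age}; Path=/; "
            f"Secure; HttpOnly; SameSite=Lax")


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a Cookie request header such as 'a=1; b=2' into a dict."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def demo() -> dict:
    """Walk one login: issue the cookie, accept a replay, then let it expire."""
    clock = [1_000_000.0]                     # constructed fake clock
    store = SessionStore(lifetime=60, clock=lambda: clock[0])

    sid = store.create("alice")               # 1. login succeeded
    header = set_cookie_header(sid, max_age=60)

    # 2. Browser sends the cookie back unchanged on the next request.
    cookies = parse_cookie_header(f"theme=dark; {SESSION_COOKIE}={sid}")
    user_now = store.lookup(cookies.get(SESSION_COOKIE))

    user_forged = store.lookup("user=alice")  # 3. unknown id -> no session

    clock[0] += 61                            # 4. lifetime has passed
    user_later = store.lookup(sid)

    return {"header": header, "user_now": user_now, "user_forged": user_forged,
            "user_later": user_later, "cookie_reveals_user": "alice" in sid}


if __name__ == "__main__":
    print(demo())
```

The point of the `demo` walk-through is the contrast the article draws: the identifier alone proves nothing about who the user is, so even a captured value is worthless once the server-side entry expires, and the `Secure` attribute keeps the browser from ever sending it over plain HTTP in the first place.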

©1994 - 2010 Edusoftmax Inc. All rights reserved.