HTTP cookie

An HTTP cookie is a small piece of data stored on the user’s computer by the web browser while browsing a website. Cookies were designed to be a reliable mechanism for websites to remember stateful information or to record the user’s browsing activity. Google Project Zero researcher Jann Horn describes ways cookies can be read by intermediaries, like Wi-Fi hotspot providers.

About HTTP cookie in brief

An HTTP cookie is a small piece of data stored on the user’s computer by the web browser while browsing a website. Cookies were designed to be a reliable mechanism for websites to remember stateful information or to record the user’s browsing activity. They can also be used to remember pieces of information that the user previously entered into form fields, such as names, addresses, passwords, and payment card numbers. Authentication cookies are the most common method used by web servers to know whether the user is logged in or not, and which account they are logged in with. Tracking cookies, and especially third-party tracking cookies, are commonly used as ways to compile long-term records of individuals’ browsing histories. Google Project Zero researcher Jann Horn describes ways cookies can be read by intermediaries, like Wi-Fi hotspot providers. He recommends using the browser in incognito mode in such circumstances. The term ‘cookie’ was coined by web-browser programmer Lou Montulli. It was derived from the term ‘magic cookie’, which is a packet of data a program receives and sends back unchanged, used by Unix programmers. The first use of cookies was checking whether visitors to the Netscape website had already visited the site. Version 0.9beta of Mosaic Netscape, released on October 13, 1994, supported cookies. Support for cookies was integrated in Internet Explorer in version 2, released in October 1995. European law requires that all websites targeting European Union member states gain ‘informed consent’ from users before storing non-essential cookies on their device.

European and U.S. lawmakers took action in 2011 to require websites to obtain user consent before storing cookies on a user’s device. The original RFC 2109 was not followed by Netscape and Internet Explorer and was superseded by RFC 29-Cookie in April 2011. The recommendation about cookies was seldom used, however, and was written as a Set-Nets-style header, which came to be called ‘Cookie-style cookies’ in October 2000. In February 1997, the Internet Engineering Task Force identified third-party cookies as a considerable privacy threat and recommended that they not be allowed at all, or at least not enabled by default. At this time, advertising companies were already using third-party cookies to track users’ browsing habits. The specification produced by the group was eventually published as RFC 2109 in February 1997. It specifies that third-party cookies were either not allowed at all, or at least not enabled by default. In April 2000, RFC 2965 was added to the RFC, which informally came to be known as ‘Set-C Cookie header’. It was written by Brian Behlendorf and David Kristol, as opposed to the original Set-C cookie header, which was called ‘Netscape-style cookies’. The first mention of cookies in the media was in the Financial Times on February 12, 1996. In the same year, cookies received a lot of media attention, especially because of potential privacy implications. The development of the formal cookie specifications was already ongoing.