Cookie

The name of this small file, which a website stores on each visitor's computer to hold data usable on a later visit, comes from the Unix "magic cookie", a packet of data passed between programs.
It may be called a cookie, browser cookie, computer cookie, tracking cookie, Internet cookie, Web cookie, or HTTP cookie.

Its content is a list of name = value pairs. It is not intended to contain code executable on the client side, but it can be used to spy on users and misuse the recorded data, including to learn which web sites they visit.

Cookies date back to 1994 and the Netscape browser (Mosaic Netscape 0.9 of 13 October 1994). A standard specification for HTTP cookies was defined by the IETF in 1997 (see references below).

Anatomy of a cookie

The maximum size of a cookie is 4 kilobytes. The maximum number depends on the browser: 50 per domain for IE and Firefox, and 300 in total on a computer.
Names are case-insensitive.
The lifetime may be limited to the session, set to a number of days, or left unlimited. The browser may be set up to delete cookies at the end of the session, or to block them entirely.
If a date is specified, the cookie is deleted on that date; otherwise it is cleared at the end of the session. The browser may postpone the expiration date at each visit.

They may be stored in several files (IE), a single text file (Firefox), or an encrypted file (Opera, Safari).

Information that is often placed in a cookie:

DART cookies of DoubleClick and AdSense allow advertisers to analyze the use of their advertisements. When you visit a site that displays these advertisements, or one of its affiliated sites, the browser checks whether the cookie exists and creates it if it is not found.

The user has control over cookies

It is possible to configure the browser to prohibit the creation of cookies. But this has drawbacks: most services that require registration need a cookie to pass data between programs. Worse yet, when cookies are disabled, most sites refuse registration without any explanation.

The preferred option is to accept cookies for the session only. You may also prohibit them except for sites on a list you provide. This means creating an exception each time you wish to register on a new site.

Except for older versions, browsers do not by default send cookies to a site other than the one currently visited. You can however set them to accept third-party cookies. This is primarily used by advertising sites.

One of the limitations for the webmaster is that if a user uses several browsers, each with its own cookie store, each browser is seen as a different user.

Regarding DART cookies, given the large number of sites using these adverts, these cookies tend to reappear systematically. DoubleClick offers an opt-out cookie to disable its tracking cookies.

Cookies and security

Even though cookies contain only data, and even if you forbid third-party cookies (which would otherwise let a hostile site retrieve authentication data for other sites), they remain a source of insecurity.

Network hacking

It is possible for attackers to capture cookies as they are transferred over a network such as Wi-Fi. Using the HTTPS protocol can prevent this risk. However, HTTPS must be used when the cookies are created, not just for the other communications!

Malicious code

It is also possible, through code embedded in Web pages, to retrieve cookies belonging to third-party sites even if the browser prohibits that.
Attackers can use JavaScript in a page to retrieve data about the users of the site.

It can be prevented by blocking cross-site scripting, that is, the ability to inject scripts through URLs. To do this we add a check on the parameters the scripts receive. For example:

$r = '/^\w{1,40}$/';   // preg_match requires delimiters around the pattern
if (preg_match($r, $param) !== 1) die("Hacking!");

We check here that the parameter contains only alphanumeric characters (\w also accepts the underscore) and is at most 40 characters long. A post from Microsoft explains in detail how to prevent cross-site scripting and defend your code.

Changing data sent

Using a session identifier in place of data prevents attacks that modify the cookie sent by the server.
The data is stored on the server and associated with a session ID; only that ID is stored on the user's computer.
This measure is suitable for sites fearing data manipulation such as sites that automatically handle orders and amounts to be paid.

Overall, the best protection for the user is using a recent browser. IE 6 in particular must be replaced.

Programming cookies

We create a cookie with an HTTP header. Cookies are created by the browser, by a JavaScript program, or by a script on the server, in PHP or another language.

A cookie is a series of name = value pairs separated by semicolons. For example:

name=cookiename; expires=date; domain=.scriptol.fr; path=/;

path is the path, relative to the site, of the pages for which the cookie is created.
expires is the expiration date, in the format: Monday, DD-MMM-YYYY HH:MM:SS GMT.

Sample date:

Tue, 01-Jan-2009 12:40:10 GMT
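As an added example (not from the original article), a small parser for a cookie definition written in the format above, including the expires date, together with an expiry check. The sample cookie and the function names are constructed here.

```javascript
// Parse "name=value; attr=value; Flag" into name, value and attributes.
// Attribute names are case-insensitive; flags such as Secure carry no value.
function parseSetCookie(text) {
  const [first, ...attrs] = text.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = first ? first.indexOf("=") : -1;
  if (eq < 0) throw new Error("a cookie must start with name=value");
  const cookie = {
    name: first.slice(0, eq).trim(),
    value: first.slice(eq + 1).trim(),
    attributes: Object.create(null),
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

const MONTHS = ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"];

// Convert "Wdy, DD-Mon-YYYY HH:MM:SS GMT" to milliseconds since the epoch;
// returns null when the text does not follow that format.
function parseCookieDate(s) {
  const m = /(\d{2})-([A-Za-z]{3})-(\d{4}) (\d{2}):(\d{2}):(\d{2}) GMT$/.exec(s);
  if (!m) return null;
  const month = MONTHS.indexOf(m[2].toLowerCase());
  if (month < 0) return null;
  return Date.UTC(+m[3], month, +m[1], +m[4], +m[5], +m[6]);
}

// A cookie without expires lasts for the session only. Browsers ignore an
// unparsable expires value, which also turns the cookie into a session cookie.
function isExpired(cookie, nowMs) {
  const exp = cookie.attributes.expires;
  if (exp === undefined || exp === true) return false;
  const t = parseCookieDate(exp);
  return t !== null && t <= nowMs;
}
```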

Creating a cookie in PHP

setcookie("name1", "value1", time() + 1200);

We pass a name, an optional value, an expiration time and other settings (see the PHP manual); each call creates one cookie.
If the value is omitted, the cookie of that name is removed from the user's computer.

Displaying cookies in PHP

To view all the cookies:

print_r($_COOKIE);

To view the contents of the cookie whose name is x:

echo $_COOKIE["x"];

Creating a cookie in JavaScript

document.cookie = "name=" + encodeURIComponent("value"); // encodeURIComponent replaces the deprecated escape()

You can chain further name = value pairs separated by semicolons and assign the entire string.

Showing cookies in JavaScript

document.write(document.cookie);

Demonstration of reading cookies in PHP and JavaScript.

In PHP:

Array ( [_vsid] => 315e0afd-92a5-4c9a-9a6e-a161b2e4965f )

PHP source code:

<p>
<?php print_r($_COOKIE); ?>
</p>

In JavaScript:

JavaScript source code:

<p>
<script type="text/javascript">
// document.cookie is never null: it is an empty string when no cookie is set
if (document.cookie === "")
{
document.write("No cookie<br>");
}
var str = document.cookie;
document.write(str + "<br>");
</script>
</p>