Cookies

1
Cookies

• Prof. Sheizaf Rafaeli
• Electronic commerce

2
C is for Cookie
Now what starts with the letter C? Cookie starts
with C Let's think of other things That starts
with C Oh, who cares about the other things? C
is for cookie, that's good enough for me C is
for cookie, that's good enough for me C is for
cookie, that's good enough for me Oh, cookie,
cookie, cookie starts with C
3
Advantages of maintaining state

• Shopping cart applications
• Customizing and personalizing content
• Tracking navigation patterns
• Creating subscriber status
• Remembering pesky passwords
• Rewarding frequent or return visits
• Changing banners and bookmarks
• Games remembering scores, high scores, skill
  levels

4
Maintaining state

• Stored in cookies
• Encoded in URL links
• Sent in hidden form variables
• Stored in variables in other (hidden) frames
• Stored on the web server (least desirable)

5
Cookies

• Magic cookies Persistent client state HTTP
  cookies
• A cookie is a small amount of information that a
  Web site sends to your browser. When your browser
  receives a cookie, it saves the cookie on your
  hard drive for future use
• When you re-visit a site, your browser checks for
  any pre-defined preferences (cookies) for that
  particular site.

6
Cookies

• Enable storing information on the clients
  browser for later retrieval
• Most powerful technique for maintaining state
  within a web site

7
Web sites use cookies in many different ways.

• Sites can accurately determine how many people
  actually visit the site. It turns out that
  because of proxy servers, caching, concentrators
  and so on, the only way for a site to accurately
  count visitors is to set a cookie with a unique
  ID for each visitor. Using cookies, sites can
  determine
• How many visitors arrive
• How many are new vs. repeat visitors
• How often a visitor has visited
• The first time a visitor arrives, the site
  creates a new ID in the database and sends the ID
  as a cookie. The next time the user comes back,
  the site can increment a counter associated with
  that ID in the database.
• Sites can store user preferences (often referred
  to as customization).
• E-commerce sites can implement things like
  shopping carts and "quick checkout" options. It
  would be impossible to implement a convenient
  shopping mechanism without cookies or something
  like them.

TRY THIS http//computer.howstuffworks.com/histor
y.php
8
(No Transcript)
9
(No Transcript)
10
(No Transcript)
11
(No Transcript)
12
(No Transcript)
13
Are YOU a voyeur?

• Visit
• http//www.metaspy.com (choose red)
• http//voyeur.mckinley.com/cgi-bin/voyeur.cgi
• http//aj.com
• Was it interesting?

14
Problems, Constraints and Disadvantages (real)

• Cookie may not be persistent
• May be deleted by accident or on purpose
• may be disallowed or frozen
• Browser may impose limitations, distorting the
  information
• Unencrypted, may give away secrets
• Made to sound scary (see myths)

15
Where are cookies stored?

• By Netscape, as cookies.txt on Windows machines
  or as MagicCookies (on Macs)
• By Explorer in special directory named
  Windows/Cookies
• By other browsers - wherever they wish

16
Cookie Myths

• The biggest problem seems psychological
• Big brother violating privacy?
• Cookies seldom used for this purpose
• Cookies cannot be used to get data from your hard
  drive, your email address or sensitive
  information about your person
• HOWEVER look at http//www.doubleclick.com
• delivering targeted REAL TIME marketing

17
WebBugs(doubleclicks secret)
A hidden active link ltimg srchttp//bug.com/1pi
x.gif width1height1gt lt/imggt
http//mysite.com
http//yoursite.com
18
Cookie Myths (2)

• Early implementations of Java and JavaScript did
  allow awful things but for the most part these
  security leaks have been plugged.
• Software limits total size of cookie file
• less than 1.2 MB
• no more than 80 KB per each web site
• each site can only access its own

19
Cookie Myths (3)

• A site can only access a cookie that has been set
  from its own domain, It cannot access any other
  cookies from your computer.

20
Morally Permissible CookiesCollection of
Personal Information

• Customer preferences
• Online shopping

Mr. Smith
21
Immoral Uses of CookiesCentralization of
Personal Information
In order to measure our browsing behavior, target
marketers track us over the Internet by adding
cookies to the advertisement banners on so many
Web pages. Is such a use of cookies ethical?
Does it fit within a reasonable expectation of
privacy on the Web?
22
Still How do I stopem? (1)

• Use the anonymizer service, at
• http//www.anonymizer.com/
• Use Cookie Centrals cookie web kit, at
  http//www.cookiecentral.com

23
Still How do I stopem? (2)

• Use Cookie Crusher, at
• http//www.thelimitsoft.com/cookie.html
• Disable cookies.
• On Explorer use View-Internet options-Advanced
• On Netscape Network - Preferences - Protocol
  menu
• delete cookies.txt (or magicCookies on Mac),
  replace with system, hidden, read-only, write
  protected, zero length file
• Use Junkbuster, at http//www.junkbuster.com

24
Netscapes original cookie specs

• Netscape is the inventor of cookies.
• The original specs are available at
• http//www.netscape.com/newsref/std/cookie_spec.ht
  ml

25
Using Cookies

• Cookies are stored in namevalue pairs
• The main functions necessary are
• Getcookie
• SetCookie
• ClearCookie
• Cookies save expire, path, domain and
  secure parameters.

26
See example

• See example in cookie.favorites.html, at
• http//www.umich.edu/cisdept/Grad/CIS742/cookies.
  favorites.html
• This program makes use of three different
  cookies
• ViewAll toggles between different displays
• ShowOptions allow setting the page up and viewing
  in different mode

27
GetCookie function
//------------------------------------------------
--------------- // GetCookie - Returns the value
of the specified cookie or null // if
the cookie doesn't exist //-----------------------
---------------------------------------- function
GetCookie(name) var result null var
myCookie " " document.cookie "" var
searchName " " name "" var
startOfCookie myCookie.indexOf(searchName)
var endOfCookie if (startOfCookie ! -1)
startOfCookie searchName.length // skip past
cookie name endOfCookie myCookie.indexOf(""
, startOfCookie) result unescape(myCookie.s
ubstring(startOfCookie,
endOfCookie))
return result //-------------------------------
--------------------------------
28
Set Cookie function
//------------------------------------------------
--------------- // SetCookie - Adds or replaces a
cookie. Use null for parameters //
that you don't care about //----------------------
----------------------------------------- function
SetCookie(name, value, expires, path, domain,
secure) var expString ((expires null)
? "" (" expires"
expires.toGMTString())) var pathString ((path
null) ? "" (" path" path)) var
domainString ((domain null)
? "" (" domain" domain)) var
secureString ((secure true) ? " secure"
"") document.cookie name ""
escape(value) expString
pathString domainString
secureString
29
Clear Cookie function
//------------------------------------------------
--------------- // ClearCookie - Removes a
cookie by setting an expiration date //
three days in the past //--------------------
------------------------------------------- functi
on ClearCookie(name) var ThreeDays 3 24
60 60 1000 var expDate new Date()
expDate.setTime (expDate.getTime() - ThreeDays)
document.cookie name "ImOutOfHere
expires" expDate.toGMTString(
)
30
Future of cookies

• The Internet Engineering Task Force (IETF)
  committee (HTTP Working Group)
• Trust Mechanisms and Proposed HTTP State
  Management Mechanism.
• http//www.ietf.cnri.reston.va.us/html.charters/ht
  tp-charter.html
• Draft specs resemble Netscapes but more
  conservative

31
The DoubleClick ControversyProfiling
32
DoubleClick

• Personal data sent to DoubleClick servers
  includes
• My Email address
• My full name
• My mailing address (street, city, state, and Zip
  code)
• My phone number
• Transactional data sent to DoubleClick includes
• Names of VHS movies I am interested in buying
• Details of a plane trip
• Search phrases used at search engines
• Health conditions

See Richard Smiths http//users.rcn.com/rms2000/
privacy/
33
Double Click

• AltaVista Yellow Pages -- Complete home address
  (Fixed January 2000)Banner ad URL
  http//live.av.com/scripts/search.dll?ep7gcaadd
  ressorderbydistancesstreet172masonterrscity
  brooklinesstateMAszip02446scountryUSAquery
  sinsaqnamesicckuserid130782922userpw.u
  h130782922,0,ccitybrooklinecstateMAverhb1.2
  .2Referring URL http//ad.doubleclick.net/ad/my.
  av.com/findanythingsz468x60ord8089440000
• RealNetworks -- Registration information (Fixed
  December 1999)Banner ad URL http//ad.doubleclic
  k.net/ad/real.networks/bannersectdownloadsz468
  x60ord4296?Referring URL http//proforma.real.
  com/real/player/player.html?RApromolanguageEngl
  ishs1dc161514src000103realhome2Cnav2C99122
  8choicefirst_nameRichardlast_nameSmithemails
  miths_at_tiac.netcountryUSproductplatformWindow
  s98speedPentiumconnection256kbpsxDSL2FCabl
  eicesYes

34
Double Click

• AltaVista -- Search stringBanner ad URL
  http//ad.doubleclick.net/adi/altavista.digital.co
  m/result_frontkwsportscarscatstextord203730
  346Referring URL http//www.altavista.com/cgi-bi
  n/query?pgqsconhlonqsportscarsklXXstype
  stextsearch.x39search.y11
• Travelocity -- Plane trip informationBanner ad
  URL http//ad.doubleclick.net/ad/travelocity.TRAV
  ELOCITY.com/aircairlineorigBOSdestLASReferrin
  g URL http//dps1.travelocity.com80/lognguest.ct
  l?SEQ950480201958005
• Buy.com -- Movie titleBanner ad URL
  http//ad.doubleclick.net/ad/buy.videos.sm/videos-
  searchkwenemyofthestatecatvideos-searchsz
  120x90title1num123456?Referring URL
  http//www.buy.com/videos/searchresults.asp?search
  type1format1quenemyofthestate
• drkoop.com -- Health condition informationBanner
  ad URL http//ad.doubleclick.net/ad/dr.koop.dart/
  diabetessz120x60ord870204?Referring URL
  http//www.drkoop.com/conditions/diabetes/
• Amazon/Internet Moive Database (IMDb) -- Movie
  SKUBanner ad URL http//ad.doubleclick.net/ad/ww
  w.imdb.com/TitlepTitlesz468x60kw76759gSci
  gActgAdvord145171Referring URL
  http//us.imdb.com/Title?0076759

35
Double Click

• HealthCentral -- Email addressBanner ad URL
  http//ad.doubleclick.net/adi/www.healthcentral.co
  m/newsletters/maincathealthcathealthord13065
  Referring URL http//www.healthcentral.com/newsl
  etters/newsletters.cfm?primaryemailsmiths_at_tiac.ne
  tNewsLetterTypeSpecificSubscriptionDr.DeanDi
  gestx37y12
• Amazon/Internet Moive Database (IMDb) --
  BirthdayBanner ad URL http//ad.doubleclick.net/
  ad/www.imdb.com/OnThisDaypOnThisDaysz468x60or
  d142577Referring URL http//us.imdb.com/OnThisD
  ay?day28monthNovember
• Travelocity -- Email addressBanner ad URL
  http//m.doubleclick.net/viewad/59705-295964option
  s_old.gifReferring URL http//dps1.travelocity.c
  om/promoptout.ctl?emailsmiths_at_TIAC.NET

36
Doubleclick, 24/7, Link Exchange, Engage

• Hundreds of publishers and dozens of networks
• DART-- direct ad serving technology, Closed loop,
  Local, international, boomerang
• can break profiles down into as many as 800
  different interest categories.
• Merging with other databases?
• Stalking suit?

37
More cookie information

• Andys Cookie pages, at
• http//www.illuminatus.com/cookie.fcgi
• Cookie Central
• http//www.cookiecentral.com
• Alternative browsers support for cookies, at
• http//www.research.digital.com/nsl/formtest/stats
  -by-test/NetscapeCookie.html

38
And even more...

• http//www.cnet.com/Content/Voices/Barr/042996/ind
  ex.htmlTheTruth about cookies (from CNet).
• http//www.jasmin.com/cook0696.htmlJasminMaking
  it Personal with Cookies
• http//www.emf.net/mal/cookiesinfo.htmlMalcolm's
  Guide to Persistent Cookies resources
• http//www.cam.org/githerr/privacy.htmPrivacy
  and protection on the Internet
• http//www.anonymizer.com/Anonymous Surfing

39
More resources

• See Junkbustershttp//www.junkbusters.com/ht/en/
  ijbfaq.html
• Privacy Foundationhttp//www.privacyfoundation.or
  g/index.cfm