HTTP cookie -wiki

8 Cookie __ and __ hijacking __ Network __ 8.2 __ false __ : DNS __ poisoning __ Cross-site __ : cookie __ 8.4 __ scripting: __ request __ Cross-site __ forgery __ Drawbacks __ cookies __ Inaccurate __ 9.2 __ state __ client __ server __ Alternatives __ cookies __ JSON __ Tokens __ HTTP __ 10.3 __ address __ URL __ string) __ Hidden __ fields __ "window.name" __ property __ Identifier __ advertisers __ ETag __ Web __ 10.10 __ cache __ Browser __ 11 __ also __ References __ External __

8 Cookie theft and session hijacking 8.1 Network eavesdropping 8.2 Publishing false sub-domain: DNS cache poisoning 8.3 Cross-site scripting: cookie theft 8.4 Cross-site scripting: proxy request 8.5 Cross-site request forgery 9 Drawbacks of cookies 9.1 Inaccurate identification 9.2 Inconsistent state on client and server 10 Alternatives to cookies 10.1 JSON Web Tokens 10.2 HTTP authentication 10.3 IP address 10.4 URL (query string) 10.5 Hidden form fields 10.6 "window.name" DOM property 10.7 Identifier for advertisers 10.8 ETag 10.9 Web storage 10.10 Browser cache 10.11 Browser fingerprint 11 See also 12 References 13 External links

__ HTTP __ (also __ web __ , Internet __ , browser __ , or __ cookie) __ a __ piece __ data __ from __ website __ stored __ the __ computer __ the __ web __ while __ user __ browsing. __ were __ to __ a __ mechanism __ websites __ remember __ information __ as __ added __ the __ cart __ an __ store) __ to __ the __ browsing __ (including __ particular __ , logging __ , or __ which __ were __ in __ past). __ can __ be __ to __ arbitrary __ of __ that __ user __ entered __ form __ such __ names, __ , passwords, __ credit __ numbers.

An HTTP cookie (also called web cookie, Internet cookie, browser cookie, or simply cookie) is a small piece of data sent from a website and stored on the user's computer by the user's web browser while the user is browsing. Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items added in the shopping cart in an online store) or to record the user's browsing activity (including clicking particular buttons, logging in, or recording which pages were visited in the past). They can also be used to remember arbitrary pieces of information that the user previously entered into form fields such as names, addresses, passwords, and credit card numbers.

__ Origin __ the __ The __ "cookie" __ coined __ web __ programmer __ Montulli. __ was __ from __ term __ cookie", __ is __ packet __ data __ program __ and __ back __ , used __ Unix __ ]

Background Origin of the name The term "cookie" was coined by web browser programmer Lou Montulli. It was derived from the term "magic cookie", which is a packet of data a program receives and sends back unchanged, used by Unix programmers.[6][7]

__ 1 __ 1.1 __ of __ name __ History __ Terminology __ Session __ 2.2 __ cookie __ Secure __ 2.4 __ cookie __ Same-site __ 2.6 __ cookie __ Supercookie __ Other __ 2.8 __ cookie __ Structure __ Uses __ Session __ 4.2 __ 4.3 __ 5 __ 5.1 __ a __ 5.2 __ attributes __ Domain __ path __ Expires __ Max-Age __ Secure __ HttpOnly __ Browser __ 7 __ and __ cookies __ EU __ directive

Contents 1 Background 1.1 Origin of the name 1.2 History 2 Terminology 2.1 Session cookie 2.2 Persistent cookie 2.3 Secure cookie 2.4 Http-only cookie 2.5 Same-site cookie 2.6 Third-party cookie 2.7 Supercookie 2.7.1 Other uses 2.8 Zombie cookie 3 Structure 4 Uses 4.1 Session management 4.2 Personalization 4.3 Tracking 5 Implementation 5.1 Setting a cookie 5.2 Cookie attributes 5.2.1 Domain and path 5.2.2 Expires and Max-Age 5.2.3 Secure and HttpOnly 6 Browser settings 7 Privacy and third-party cookies 7.1 EU cookie directive

Google __ Zero __ Jann __ describes __ cookies __ be __ by __ , like __ hotspot __ . He __ to __ the __ in __ mode __ such __ ]

Google Project Zero researcher Jann Horn describes ways cookies can be read by intermediaries, like Wi-Fi hotspot providers. He recommends to use the browser in incognito mode in such circumstances.[5]

__ Magic __ were __ used __ computing __ computer __ Lou __ had __ idea __ using __ in __ communications __ June __ ] At __ time, __ was __ employee __ Netscape __ , which __ developing __ e-commerce __ for __ . Vint __ and __ Klensin __ MCI __ technical __ with __ Communications. __ did __ want __ servers __ have __ retain __ transaction __ , which __ them __ ask __ to __ a __ to __ that __ in __ user's __ instead. __ provided __ solution __ the __ of __ implementing __ virtual __ cart.[9][10]

History Magic cookies were already used in computing when computer programmer Lou Montulli had the idea of using them in web communications in June 1994.[8] At the time, he was an employee of Netscape Communications, which was developing an e-commerce application for MCI. Vint Cerf and John Klensin represented MCI in technical discussions with Netscape Communications. MCI did not want its servers to have to retain partial transaction states, which led them to ask Netscape to find a way to store that state in each user's computer instead. Cookies provided a solution to the problem of reliably implementing a virtual shopping cart.[9][10]

__ kinds __ cookies __ essential __ in __ modern __ . Perhaps __ importantly, __ cookies __ the __ common __ used __ web __ to __ whether __ user __ logged __ or __ , and __ account __ are __ in __ . Without __ a __ , the __ would __ know __ to __ a __ containing __ information, __ require __ user __ authenticate __ by __ in. __ security __ an __ cookie __ depends __ the __ of __ issuing __ and __ user's __ browser, __ on __ the __ data __ encrypted. __ vulnerabilities __ allow __ cookie's __ to __ read __ a __ , used __ gain __ to __ data, __ used __ gain __ (with __ user's __ ) to __ website __ which __ cookie __ (see __ scripting __ cross-site __ forgery __ examples).[1]

Other kinds of cookies perform essential functions in the modern web. Perhaps most importantly, authentication cookies are the most common method used by web servers to know whether the user is logged in or not, and which account they are logged in with. Without such a mechanism, the site would not know whether to send a page containing sensitive information, or require the user to authenticate themselves by logging in. The security of an authentication cookie generally depends on the security of the issuing website and the user's web browser, and on whether the cookie data is encrypted. Security vulnerabilities may allow a cookie's data to be read by a hacker, used to gain access to user data, or used to gain access (with the user's credentials) to the website to which the cookie belongs (see cross-site scripting and cross-site request forgery for examples).[1]

__ tracking __ , and __ third-party __ cookies, __ commonly __ as __ to __ long-term __ of __ ' browsing __ - __ potential __ concern __ prompted __ ] and __ . lawmakers __ take __ in __ ] European __ requires __ all __ targeting __ Union __ states __ "informed __ " from __ before __ non-essential __ on __ device.

The tracking cookies, and especially third-party tracking cookies, are commonly used as ways to compile long-term records of individuals' browsing histories - a potential privacy concern that prompted European[2] and U.S. lawmakers to take action in 2011.[3][4] European law requires that all websites targeting European Union member states gain "informed consent" from users before storing non-essential cookies on their device.