Cookies & Privacy
Google Property Cookies
Doubleclick and Youtube cookies. Doubleclick and YouTube are two companies owned and operated by Google; Doubleclick cookies are referred to as 3rd party because the user never actually visits the Doubleclick site
Overwriting cookies
If a new cookie with the same NAME, domain, and path as an existing cookie is encountered, the old cookie is discarded
Adobe Flash Cookies
also known as locally shared object A bit of text that can be stored on a user's machine. But unlike conventional cookies, Flash cookies can store 100KB of data (much more than 4KB limit), has no expiration date, are not controlled by browser settings but by Adobe Flash Player Settings Manager located on Adobe Macromedia website. They are stored in a .sol file in a special directory. So Adobe Flash cookies are a way for companies to circumvent cookie deletion by the user. BetterPrivacy is a Firefox addon for removing Flash cookies.
Ad network
also known as online advertising network A company that connects advertisers to web sites that want to host advertisements. Key function of an ad network is to place advertisements on the web sites of web publishers who wish to sell advertising space. 4 key players involved in an Ad Network's delivery of ads to users: 1. advertisers that wish to place ads 2. website owners who wish to make money by selling ad space on their websites 3. Ad network that signs up advertisers and places their ads on the web pages of website owners 4. visitors who view web pages that contain ads. When a visitor requests a web page, ad network is notified and it supplies on ad from its inventory to appear on the web page that was requested. Advertiser will pay the ad network for placing its ads and the ad network will return a portion of that fee to the website owner.
Retrieving a cookie in JavaScript
function getCookie(name) { var re = new RegExp(name + "=([^;]+)"); var value = re.exec(document.cookie); return (value != null) ? unescape(value[1]) : null; } <scrpt type="text/javascript"> document.write(getCookie("field1")); </scrpt>
Deleting cookies
There is no specific mechanism for deleting cookies, although a common hack is to overwrite a cookie with a bogus value as outlined above, pus a backdated or short-lived expires=
6 ways to opt out of cookies
1. Select "do not track" in your browser settings (Firefox 9+, Chrome, Safari 5.1+, IE 9/10) 2. Download opt-out cookies: Process usually involves clicking on a button to download the opt-out cookie 3. Use cookie management tools in your web browser (set browser to accept only session cookies or to turn all cookies into session cookies which are usually harmless) 4. View current cookies and delete what you don't need 5. Check your account preferences on registration sites 6. Use browser add-ons
Cookie Processing Algorithm
1. URL is requested (either by entering one into address field or clicking on a link) 2. Browser scans its Cookie database for any cookies whose domain and path matches the requested URL 3. If any are found, all the cookies are sent along with the request as part of the HTTP headers (value of Cookie) Cookie: NID=77=AITJ83oyT_0OAB8c4ogH1JKOxUwf3w9SMg5tcZUjnqq_3mKK1AQTMPPIET1Q2FL1jaKpK-NFJ_v-HT469S0DKl5SYn6Ct_1bGdn0xbbUdLABnqUDneClbdgsG1iFcKqZdfur3w9nN3VyQ 4. Server side programs may/may not make use of any cookies from the client to determine what page to return 5. Server side program may generate 1+ cookies and send them along with the request page; cookies are included in the HTTP headers returned to the browser (value of Set-Cookie) Set-Cookie: NID=77=AITJ83oyT_0OAB8c4ogH1JKOxUwf3w9SMg5tcZUjnqq_3mKK1AQTMPPIET1Q2FL1jaKpK-NFJ_v-HT469S0DKl5SYn6Ct_1bGdn0xbbUdLABnqUDneClbdgsG1iFcKqZdfur3w9nN3VyQ; expires=Tue, 30-Aug-2016 22:02:31 GMT; path=/; domain=.google.com; HttpOnly 6. Browser stores any new cookies into its database; cookies can be accessed on the client using the document.cookie object in Javascript. Each name-value pair represents a single cookie. A single cookie can hold up to 4kb of text, and for each domain name y our browser will normally permit up to 20 cookies.
Cookie-based marketing steps
1. User computer to web server GET User requests a page and sends Cookie based info including its user ad server id and IP address 2. web server to ad server SEND website sends the user ad server id and ip address to the ad server 3. ad server to web server GET ad server returns consumer profile and or targeted banner ad 4. web server to user computer SEND website returns the regular page content including targeted advertising
Loading cookie values into the form
1. display the FORM as before with no values entered 2. use JavaScript to read cookies and insert their values into the FORM <scrpt type="text/javascript"> if (field1 = getCookie("field1")) document.myForm.field1.value = field1; if (field2 = getCookie("field2")) document.myForm.field2.value = field2; if (field3 = getCookie("field3")) document.myForm.field2.value = field3; </scrpt> these lines need to appear in the HTMl only after the form has been displayed otherwise they will be trying to access form fields that don't yet exist.
View Cookie PHP
<?php if(isset($_COOKIE["username2"])) { echo "The new cookie <b>username2</b> contains the value " . $_COOKIE["username2"]; } ?>
Set Cookie PHP
<?php setcookie("username2", "Barney rubble", time() + 3600); ?> <a href="viewcookie.php">Click here to view the cookie</a><br/><br/> Here is the code that produces this page <br> <?php highlight_string('setcookie("username2", "Barney rubble", time() + 3600);'); ?>
setCookie() JavaScript usage
<scrpt type="text/javascript"> function storeValues(form) { setCookie("field1", form.field1.value); setCookie("field2", form.field2.value); setCookie("field3", form.field3.value); return true; } </scrpt> Most browsers have a limit on how many cookies they can store at any one time per domain as well as in total numbers so using too many cookies can lead to a loss of data. A better method would be to store all the values in a single cookie.
setCookie() JavaScript function implementation
<scrpt type="text/javascript"> var today = new Date(); var expiry = new Date(today.getTime() + 30x24x3600x1000); //plus 30 days function setCookie(name, value) { document.cookie=name + "=" + escape(value) + "; path=/ expires=" + expiry.toGMTString(); } </scrpt>
deleteCookie() usage
<scrpt type="text/javascript> function clearCookies() { deleteCookie("field1"); deleteCookie("field2"); deleteCookie("field3"); } </scrpt>
Site Visit Example
A cookie can maintain a count of the number of times a client has visited your site <html><head><scrpt language=javascript src=cookies.js></scrpt></head><body> <scrpt language=javascript> var expire = new Date(21, 12, 31); var numHits = getCookie("hits"); if(numHits) { numHits = parseInt(numHits) + 1; document.write("You have visited this site " + numHits + " times"); } else { numHits = 1; document.write ("Welcome this is your first visit"); } setCookie("hits", numHits, expire); </scrpt></body></html>
Elements of a Cookie
A cookie is associated with a website's domain and includes: name, value, path, and expiration date Ex (from research.google.com) - Name: _utma - Content: 180832036.353394603.1325873813.1325873813.1329750652.2 - Domain: .research.google.com - Path: / - Created: Monday, February 20, 2012 7:12:45 AM - Expired Wednesday, February 19, 2014 7:12:45 AM Such cookies referred to as HTTP cookies because placed there using HTTP protocol as the delivery mechanism
Stale Cookies
A cookie will reside in your browser until (a) it is deleted either by you or by the website that set it, (b) it is 'rolled out' to make way for a newer cookie, (c) or it reaches it's expiry date If the limit of the # of cookies has been reached and a new one is set, the oldest cookie will be expired to make way for the new one (FIFO) Common oversight: setting a cookie with an expiry date (ex. 1 yr) and then never re-setting the cookie. After one year, regardless of other actions, the cookie will expire. If you have a website that relies on cookies to save user preferences or identify repeat customers you should make sure to reset the cookie every time they visit
DoubleClick
Ad network purchased by Google for $3.1B in 2007 When a user invokes web page, a tag on the page signals Doubleclick's server to delete into its inventory of advertisements to find one that matches the marketer's needs with the user's profile. Doubleclick will read multiple criteria including: user location (embedded in a user's Internet address), time of day, cookies previously placed on the user's disk which can further refine the target by telling DoubleClick whether someone is a repeat visitor or has already seen a specific ad
"Protected" cookies
As a security features, some cookies set may be marked with a special secure keyword, which causes them to be sent over HTTPS only
Cookie Types and Taxonomy
By Lifespan: Session Cookies (stored in RAM), Persistent Cookies (stored on disk) By Read-write mechanism: Server-side cookies (included in HTTP Headers), Client-side cookies (manipulated with Javascript) By Structure: Simple cookies, array cookies Session cookies exist only which user is reading and navigating the website; browser normally delete session cookies when the user exits the browser Persistent cookies (tracking cookies) have expiration date Secure cookies have secure attribute enabled and are only used via https (so cookie is always encrypted) 3rd party cookies are not from the "visited" site
Cookie scope
By default, cookie scope is limited to all URLs on the current host name. May be limited with the path= parameter to specify a specific path prefix to which the cookie should be sent, or broadened to a group of DNS names rather than single host only with domain=
Cookie time to live
By default, each cookie has a lifetime limited to the duration of the current browser session. Alternatively, an expires= parameter may be included to specify the date at which the cookie should be dropped.
Finding Cookies in browser
Chrome: customize > Settings > Advanced > Privacy and security > Content settings > Cookies -> see all cookies and site data Firefox: open menu > preferences > privacy & security > browser privacy > cookies and site data > manage data ... Safari: Safari menu > Preferences > Privacy > Manage Website Data...
Supercookie
Cookie with an origin of a top-level domain (TLD). But even .co.uk or .k12.ca.us are considered top level even though they are multiple levels deep. These domains are referred to as public suffixes and are not open for reservation by end-users. Most browsers by default allow 1st party cookies--a cookie with domain to be same or subdomain of the requesting host. For example, a user visiting www.ex.com can have a cookie set with domain www.ex.com or .ex.com. A supercookie is a cookie originating from a Public Suffix or TLS such as .com. It is important that these cookies are blocked by browsers otherwise an attack in control of malicious website with domain .com could get a supercookie and potentially disrupt or impersonate legitimate user requests to ex.com. Because a supercookie can take advantage of the fact that .com can set valid cookies for subdomain ex.com Verizon tracks customer habits on smartphone sand tablets using a supercookie
Third Party cookies
Cookies set with different domain (or subdomain) than the one in the browser's address bar. These cookies may be placed by an advertisement on the page or an image on the page. RFC 6265 allows browsers to implement whatever policy they wish regarding third party cookies. Advertisers use 3rd party cookies to track a user across multiple sites (a user visits www.company1.com which sets a cookie with domain ad.adtracking.com; later same user visits www.company2.com which also sets a cookie with domain ad.adtracking.com. Eventually both cookies will be sent to advertiser who will known the two sites visited
Public suffix list
Cross-vendor initiative to provide an accurate list of domain name suffixes changing. Older version of browsers may not have the most up-to-date list and therefore be vulnerable to supercookies from certain domains
Web Tracking Protection specification
Designed to enable users to opt out of online tracking. Platform has two parts: Filter lists: enforce user privacy preferences by preventing the user agent from making unwanted requests to webservers that track users > Contains parts of 3rd party URIs that a browser may access automatically when referenced within a web page that a user deliberately visits. Rules in filter list may change the way user agent handle 3rd party content. By limiting calls to these websites and blocking resources from other web pages, filter list limits the info other sites can collect about the user User preference: HTTP header and a DOM property to be used by web servers to respect the user's privacy
Opt-out's Do not track
Firefox: Preferences > Privacy & Security > check "use tracking protection in private browsing..." > select "always" in send websites a "do not track" signal Chrome: Preferences > Settings > Advanced > Privacy and security > check "send a 'do not track' request with your browsing traffic" Safari: Preferences > Privacy > check "ask websites not to track me" IE10: Internet options > Advanced > Settings > Security > always send Do Not Track header (not for IE11)
How does Google use cookies for Google Analytics
Google Analytics is Google's free web analytics tool that helps website owners understand how their visitors engage with their website. Google analytics collects info anonymously and reports website trends without identifying individual visitors. Analytics uses its own set of cookies to track visitor interactions. These cookies are used to store info such as time of current visit, previous visits, and referred site. A diff set of cookies is used for each website and visitors are not tracked across sites. Available for IE11, Chrome, Firefox, Safari, and Opera. To disable cookie, you can install Google Analytics Opt-out Add-on in your browser, which prevents Google Analytics from collecting into about your website visits. Used to distinguish unique users and throttle the request rate
How Google uses DoubleClick cookie to serve ads
Google uses DoubleClick cookie to collect info that includes: time: 06/Aug/2011 12:01:32 (reflects time the ad was displayed) ad_placement_id: 105 ad_id: 1003 (identify advertising campaign and specific ad served) userid: 0000000001 (display ad cookie that identifies the browser) client_ip: 123.45.67.89 (reflects user's Internet Protocol IP address) referral_url: "http://youtube.com/categories" (indicates URL of the page where ad was served, logs also record whether user's browser clicks or interacts with an ad) Opting out: anyone who prefers not to see ads with this level of relevance can opt out. This out out will be specific only to the browser that you are using when you click the "Opt out" button
Conversion Tracking Cookie
Google uses cookies to help businesses that buy ads from Google determine how many people who click their ads end up purchasing their products. Conversion tracking cookie is set on your browser only when you click an ad delivered by Google where the advertiser has opted in to conversion tracking. These cookies expire within 30 days and do not contain info that can identify you personally. If this cookie has not yet expired when you visit certain pages of the advertiser's website, Google and the advertiser will be able to tell that you clicked the ad and proceeded to that image. Each advertiser gets a different cookie so no cookie can be tracked across advertiser websites. If you want to disable conversion tracking cookies you can set you browser to block cookies from the googleadservices.com domain
What cookies can't do
Have automatic access to personal info like name, address, email Read/write data to disk Read/write info in cookies placed by other sites Run programs on your computer As as result they cannot carry virus and cannot install malware on host computer
HTMLCanvasElement
Interface provides properties and methods for manipulating the layout and presentation of <canvas> elements. The HTMLCanvasElement interface also inherits the properties and methods of HTMLElement interface. Properties: height, width, mozOpaque (boolean), moz Methods: captureStream(), getContext(), toDataURL(), toBlob(), transferControlToOffscreen(), mozGetAsFile()
Evercookie
Javascript API that produces extremely persistent cookies in a browser. When creating a new cookie, it uses the following storage mechanisms when available: Standard HTTP Cookies, Local shared objects (Flash Cookies), Silverlight Isolated Storage, Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out, storing cookies in web history, storing cookies in HTTP ETags, storing cookies in web cache, window.name caching, IE userData storage, HTML5 Session storage, HTML5 Local storage, HTML5 Global Storage, HTML5 Database Storage via SQLite By Samy Kamkar
Client-Side Cookies
Javascript has a property of the document named cookie: document.cookie This is a string variable that can be read and written using the JavaScript string functions Cookies can be removed from the cookie database either because it expires or because the cookie file gets too large (browsers need not store more than 300 cookies nor more than 20 cookies per web server nor more than 4K per cookie). Setting document.cookie creates a new cookie for the web page Reading document.cookie retrieves all defined cookies
Authentication cookies
Most common method used by web servers to known whether the user is logged in or not and which account they are logged in with
Global Object
Object that always exists in the global scope. In JavaScript, there is always a global object defined. In a web browser, when scripts create global variables, they're created as members of the global object (except w/ Node.js). The global object's interface depends on the execution context in which the script is running: > In a web browser, any code which the script doesn't specifically start up as a background task has a Window as its global object var foo = "foobar"; foo === window.foo; //true stored like: foo: "foobar" function greeting( ) { console.log("Hi!"); } window.greeting(); greeting: function greeting( ) { console.log("Hi!"); } > Code running in a Worker has a WorkerGlobalScope object as its global object Scripts running under Node.js have an objected called global as their global object.
Canvas fingerprinting
One of a number of browser fingerprinting techniques for tracking online users that allows websites to uniquely identify and track visitors without the user of browser cookies. Primarily it makes use of the Canvas API of HTML5, relies on the fact that the drawing of the text will contain subtle differences that arise from font rasterization, anti-aliasing, pixel smoothing, related to the browser, etc. 4 step process followed: 1. user visits a page 2. fingerprinting script draws text with specific font and size and adds background colors 3. script calls Canvas API's ToDataURL method to get the canvas pixel dataURL formal (base64 encoded representation of binary pixel data) 4. script takes the hash of the text-encoded pixel data and uses that as the fingerprint. While not sufficient to uniquely identify users by itself, this fingerprint is usually combined with other sources of the information (browser plugins) to provide a unique identifier.
deleteCookie() function implementation
Set a new cookie with an expiry date in the past. This overwrites the previous cookies and the new one instantly expires <scrpt type="text/javascript"> var expired = new Date(today.getTime() - 24*3600*1000); //less 24 hours function deleteCookie(name) { document.cookie = name+"=null; path=/; expires=" + expired.toGMTString(); } </scrpt>
Cookie
Short pieces of text generated during web activity and stored in the user's machine by the user's web browser for future reference. Created by website authors who write software for reading and writing cookies. Initially used so websites would remember that a used had visited before, allowing customization of cites without need for repeating preferences.
What cookies can do
Store and manipulate any info you explicitly provide to a site Track your interaction with the site such as pages visited, time of visits, number of visits Use any information available to the web server including: your IP address, Operating System, Browser Type
_utma cookie
Used to determine the unique visitor, visit count, and recency [domain identifier (hash key)].[unique visitor id].[timestamp of first visit].[timestamp of previous visit].[timestamp of current visit].[total visits]
Cookie based marketing
User customized online advertising and marketing system that uses cookies and databases to create, maintain, and utilize consumer profiles and monitor their activity. Ad serving companies make agreements with website owners. Website owners agree to send cookies from ad serving companies to their clients. When a user visits another such site, it sends data placed in your cookies to the ad serving company which retrieves marketing info about you from their database enabling them to customize the resulting ad Result: one person may see ads for sporting goods and another for baby clothes
Javascript cookie library
We have defined three JavaScript functions for handling cookies - setCookie( name, value, expiry ) - getCookie( name ) - removeCookie( name ) • Instead of including them in every html page that manipulates cookies, one can save them in a file, e.g. cookies.js and include the line < SCRPT language=JavaScript src=cookies.js> . . . </SCRPT>
escape() and unescape()
functions that are properties of the "global object" escape(s) returns a new version of string s that is encoded (all spaces, punctuation, accented characters, and other non-ASCII letters or numbers are converted to %xx format ISO-8859-1) Special characters are encoded with an exception of: @ asterisk _ + - . / unescape(s) returns a new version of string s that is decoded (all %xx are replaced by their character equivalent) Usually decodeURI or decodeURIComponent are preferred over unescape
DoubleClick Ad Tag
http://ad.doubleclick.net/ADJ/publisher/zone;topic=abc;sbtpc=def;cat=ghi;kw=x yz;tile=1;slot=728x90.1;sz=728x90;ord=7268140825331981? http://ad.doubleclick.net/ - host address for ad server ADJ/ - defines ad type which can be {images, XML, scripts} publisher/ - identifies website publisher (e.g. www.nytimes.com zone; - identifies landing page at the publisher's site topic=abc; - identifies whatever topic is being talked about sbtpc=def; - subtopic level kw=xyz; - keyword level tile=1; there may be multiple ads on the same page, each has a tile number slot=728x90.1; - defines size of ad (728x90) for tile 1 ord==7268140825331981? - random number that prevents page from being cached
Removing a cookie in JavaScript
var expired = new Date(today.getTime() - 24*3600*1000); // less 24 hours function removeCookie(name) { document.cookie=name + "=null; path=/; expires=" + expired.toGMTString(); } creates an early date (24 hour early) and attaches it to the expires directive and assigns the name to the null string
Creating a cookie in JavaScript
var today = new Date(); var expiry = new Date(today.getTime() + 30*24*3600*1000); //plus 30 days function setCookie(name, value, expiry) { document.cookie = name + "=" + escape(value) + "; path=/; expires=" + expiry.toGMTString(); } produces a cookie that looks like: name= value; path=/; expires= date;
Values cookies cannot contains
white space, brackets, parentheses, equals signs, commas, double quotes, slashes, question marks, at signs, colons, and semicolons (values encoded into their hex equivalents)