Well Friend the main purpose of cookies is to identify users and possibly prepare customized Web pages for them. When you enter a Web site using cookies, you may be asked to fill out a form providing such information as your name and interests. This information is packaged into a cookie and sent to your Web browser which stores it for later use. The next time you go to the same Web site, your browser will send the cookie to the Web server. The server can use this information to present you with custom Web pages. So, for example, instead of seeing just a generic welcome page you might see a welcome page with your name on it.

The name cookie derives from UNIX objects called magic cookies. These are tokens that are attached to a user or program and change depending on the areas entered by the user or program.



THANK YOU

Cookies are small files sent (or not) to your computer by website needing some informations, mostly user data.



Any information can be sent in a cookie, user session, shopping kart content, but also you ip address...



In fact cookies are a storage facility for internet scripts such as PHP when they require persistent informations. During the sripting, the develloper can decide of the validity period of a cookie so the information can be stored longer. Usually they are stored in a specific folder on your computer, for IE the folder is in /document and settings/[user] ,and for Firefox, they are stored in "application data/firefox/[your profile]".



You can decide in the configuration of your browser not to accept cookies, or to delete them when you close it.



Now an exemple :



I have a site that diffuse news, and hae a special part reserved to members.



So after your first login, everytime you read a news, i update a cookie on your computer with the consitent data, so later when you log in again, the site reads the cookie and can hilight the unread news, or count the number of news you haven't read yet, or tell you if there is some new news.



For instance, Yahoo! uses cookies, so you can for example loh in automatically for two weeks.



Voila !

so u can eat them when your hungry and can't be stuffed to move...





lol







hey pcpy person or what ever your name is....





i don't think you might manage to get down to my answer (coz yours is too long)!!!



anyways thats a great long answer!!!!!!

When ever you visit any website on the Internet then the server on the site sends you the "cookie" which actually contains the information about your session on that website.

Also it can contain other information like your user-id, password if you have checked the "remember my password" tab. You can delete the cookies as they mostly expire after some time.

well, cookies are generally used to save information about user. they are stored in files on our computer harddisk which are used by the browser we are using. generally it is not harmful but smart people can use this information for their benefit too.

for more go to source.,don't need to write that too long.

Cookies without having to read a story:

Website cookies are just text files (like a file you saved in notepad) that has a small bit of information, Yahoo for example will check your cookies for Yahoo logins, if it finds one for today it will know you're the right person and whether your'e logged in or not.

LOL, he wrote a biography of the internet cookie LOL

Holy crap that was a long answer.

Purpose

Cookies are used by Web servers to differentiate users and to operate in a way that depends on the user. Cookies were invented for realizing a virtual shopping basket: this is a virtual device in which the user can "place" items to purchase, so that users can navigate a site where items are shown, adding or removing items from the shopping basket at any time. Cookies allow for the content of the shopping cart to depend on the user's actions.



Allowing users to log in to a website is another use of cookies. Users typically log in by inserting their credentials into a login page; cookies allow the server to know that the user is already authenticated, and therefore is allowed to access services or perform operations that are restricted to logged-in users.



Several websites also use cookies for personalization based on users' preferences. Sites that require authentication often use this feature, although it is also present on sites not requiring authentication. Personalization includes presentation and functionality. For example, the Wikipedia Web site allows authenticated users to choose the webpage skin they like best; the Google search engine allows users (even non-registered ones) to decide how many search results per page they want to see.



Cookies are also used to track users across a website. Third-party cookies and Web bugs, explained below, also allow for tracking across multiple sites. Tracking within a site is typically done with the aim of producing usage statistics, while tracking across sites is typically used by advertising companies to produce anonymous user profiles, which are then used to target advertising (deciding which advertising image to show) based on the user profile.





[edit] Realisation



A possible interaction between a Web browser and a server holding a Web page, in which the server sends a cookie to the browser and the browser sends it back when requesting another page.Technically, cookies are arbitrary pieces of data chosen by the Web server and sent to the browser. The browser returns them unchanged to the server, introducing a state (memory of previous events) into otherwise stateless HTTP transactions. Without cookies, each retrieval of a Web page or component of a Web page is an isolated event, mostly unrelated to all other views of the pages of the same site. By returning a cookie to a web server, the browser provides the server a means of connecting the current page view with prior page views. Other than being set by a web server, cookies can also be set by a script in a language such as JavaScript, if supported and enabled by the Web browser.



Cookie specifications[1][2] suggest that browsers should support a minimal number of cookies or amount of memory for storing them. In particular, an internet browser is expected to be able to store at least 300 cookies of 4 kilobytes each, and at least 20 cookies per server or domain.



Cookies names are case insensitive according to section 3.1 of RFC 2965



The cookie setter can specify a deletion date, in which case the cookie will be removed on that date. If the cookie setter does not specify a date, the cookie is removed once the user quits his or her browser. As a result, specifying a date is a way for making a cookie survive across sessions. For this reason, cookies with an expiration date are called persistent. As an example application, a shopping site can use persistent cookies to store the items users have placed in their basket. This way, if users quit their browser without making a purchase and return later, they still find the same items in the basket so they do not have to look for these items again. If these cookies were not given an expiration date, they would expire when the browser is closed, and the information about the basket content would be lost.





[edit] Misconceptions

Since their introduction on the Internet, misconceptions about cookies have circulated on the Internet and in the media.[3][4] In 2005, Jupiter Research published the results of a survey,[5] according to which a consistent percentage of respondents believed some of the following claims:



Myth: Cookies are like worms and viruses in that they can erase data from the user's hard disks;

Myth: Cookies are a form of spyware in that they can read personal information stored on the user's computer;

Myth: Cookies generate popups;

Myth: Cookies are used for spamming;

Myth: Cookies are only used for advertising.

Cookies are in fact only data, not program code: they cannot erase or read information from the user's computer.[6] However, cookies allow for detecting the Web pages viewed by a user on a given site or set of sites. This information can be collected in a profile of the user. Such profiles are often anonymous, that is, they do not contain personal information of the user (name, address, etc.) More precisely, they cannot contain personal information unless the user has made it available to some sites. Even if anonymous, these profiles have been the subject of some privacy concerns.



According to the same survey, a large percentage of Internet users do not know how to delete cookies.





[edit] Browser settings

Most modern browsers support cookies. However, a user can usually also choose whether cookies should be used or not. The following are common options:[7]



cookies are never accepted,

the browser asks the user whether to accept every individual cookie or allows them to generate a white list of acceptable sites, or

cookies are always accepted, or

cookies are accepted, except from sites specified by the user, generating a black list for cookies.



The Firefox Cookie Manager, showing the details of various cookies by domainThe browser may also include the possibility of better specifying which cookies have to be accepted or not. In particular, the user can typically choose one or more of the following options: reject cookies from specific domains; disallow third-party cookies (see below); accept cookies as non-persistent (expiring when the browser is closed); and allow a server to set cookies for a different domain. Additionally, browsers may also allow users to view and delete individual cookies.



Most browsers supporting JavaScript allow the user to see the cookies that are active with respect to a given page by typing javascript:alert("Cookies: "+document.cookie) in the browser URL field. Some browsers incorporate a cookie manager for the user to see and selectively delete the cookies currently stored in the browser.



The P3P specification includes the possibility for a server to state a privacy policy, which specifies which kind of information it collects and for which purpose. These policies include (but are not limited to) the use of information gathered using cookies. According to the P3P specification, a browser can accept or reject cookies by comparing the privacy policy with the stored user preferences or ask the user, presenting them the privacy policy as declared by the server.





[edit] Privacy and third-party cookies

Cookies have some important implications on the privacy and anonymity of Web users. While cookies are only sent to the server setting them or one in the same Internet domain, a Web page may contain images or other components stored on servers in other domains. Cookies that are set during retrieval of these components are called third-party cookies.





In this fictional example, an advertising company has placed banners in two Web sites (which do not show any banner in reality). Hosting the banner images on its servers and using third-party cookies, the advertising company is able to track the browsing of users across these two sites.Advertising companies use third-party cookies to track a user across multiple sites. In particular, an advertising company can track a user across all pages where it has placed advertising images or web bugs. Knowledge of the pages visited by a user allows the advertisement company to target advertisement to the user's presumed preferences.



The possibility of building a profile of users has been considered by some a potential privacy threat, even when the tracking is done on a single domain but especially when tracking is done across multiple domains using third-party cookies. For this reason, some countries have legislation about cookies.



The United States government has set strict rules on setting cookies in 2000 after it was disclosed that the White House drug policy office used cookies to track computer users viewing its online anti-drug advertising to see if they then visited sites about drug making and drug use. In 2002, privacy activist Daniel Brandt found that the CIA had been leaving persistent cookies on computers for ten years. When notified it was violating policy, CIA stated that these cookies were not intentionally set and stopped setting them.[8] On December 25, 2005, Brandt discovered that the National Security Agency had been leaving two persistent cookies on visitors' computers due to a software upgrade. After being informed, the National Security Agency immediately disabled the cookies.[9]



The 2002 European Union telecommunication privacy Directive contains rules about the use of cookies. In particular, Article 5, Paragraph 3 of this directive mandates that storing data (like cookies) in a user's computer can only be done if: 1) the user is provided information about how this data is used; and 2) the user is given the possibility of denying this storing operation. However, this article also states that storing data that is necessary for technical reasons is exempted from this rule. This directive was expected to have been applied since October 2003, but a December 2004 report says (page 38) that this provision was not applied in practice, and that some member countries (Slovakia, Latvia, Greece, Belgium, and Luxembourg) did not even implement the provision in national law. The same report suggests a thorough analysis of the situation in the Member States.





[edit] Drawbacks of cookies

Besides privacy concerns, cookies also have some technical drawbacks. In particular, they do not always accurately identify users, they can be used for security attacks, and they are at odds with the Representational State Transfer (REST) software architectural style.





[edit] Inaccurate identification

If more than one browser is used on a computer, each has a separate storage area for cookies. Hence cookies do not identify a person, but a combination of a user account, a computer, and a Web browser. Thus, anyone who uses multiple accounts, computers, or browsers has multiple sets of cookies.



Likewise, cookies do not differentiate between multiple users who share a computer and browser, if they do not use different user accounts.





[edit] Cookie theft



A cookie can be stolen by another computer that is allowed reading from the networkDuring normal operation, cookies are sent back and forth between a server (or a group of servers in the same domain) and the computer of the browsing user. Since cookies may contain sensitive information (user name, a token used for authentication, etc.), their values should not be accessible to other computers. Cookies theft is any process allowing an unauthorised party to receive a cookie.



A first way cookies can be stolen is via packet sniffing. Traffic on a network can be read by computers on the network other than its sender and its receiver. This traffic includes cookies sent on ordinary HTTP sessions. Users on these computers can read the traffic on the network, including the cookies, using programs called packet sniffers. This problem can be overcome by using the https URI scheme, which invokes Transport Layer Security to encrypt the connection. A server can specify the secure flag while setting a cookie; the browser will then send it only over a secure channel, such as an SSL connection.





Cross-site scripting: a cookie that should be only exchanged between a server and a client is sent to another party.A different way to steal cookies is cross-site scripting, which makes the browser itself send cookies to servers that should not receive them. Modern browsers allow execution of pieces of code retrieved from the server. If cookies are accessible during execution, their value may be communicated in some form to servers that should not access them. Encrypting cookies before sending them on the network does not help against this attack.[10]



This possibility is typically exploited by attackers on sites that allow users to post HTML content. By embedding a suitable piece of code in an HTML post, an attacker may receive cookies of other users. Knowledge of these cookies can then be exploited by connecting to the same site using the stolen cookies, thus being recognised as the user whose cookies have been stolen. A way for preventing such attacks is by the HttpOnly flag;[11] this is a Microsoft option that makes a cookie inaccessible to client side script.





Cookie poisoning: an attacker sends a server an invalid cookie, possibly modifying a valid cookie it previously received from the server.

[edit] Cookie poisoning

While cookies are supposed to be stored and sent back to the server unchanged, an attacker may modify the value of cookies before sending them back to the server. If, for example, a cookie contains the total value a user has to pay for the items in their shopping basket, changing this value exposes the server to the risk of making the attacker pay less than the supposed price. The process of tampering with the value of cookies is called cookie poisoning, and is sometimes used after cookie theft to make an attack persistent.





In cross-site cooking, the attacker exploits a browser bug to send an invalid cookie to a server.Most websites, however, only store a session identifier — a randomly generated unique number used to identify the user's session — in the cookie itself, while all the other information is stored on the server. In this case, the problem of cookie poisoning is largely eliminated.





[edit] Cross-site cooking

Each site is supposed to have its own cookies, so a site like evil.net should not be able to alter or set cookies for another site, like good.net. Cross-site cooking vulnerabilities in web browsers allow malicious sites to break this rule. This is similar to cookie poisoning, but the attacker exploits non-malicious users with vulnerable browsers, instead of attacking the actual site directly. The goal of such attacks may be to perform session fixation.





[edit] Inconsistent state on client and server

The use of cookies may generate an inconsistency between the state of the client and the state as stored in the cookie. If the user acquires a cookie and then clicks the "Back" button of the browser, the state on the browser is generally not the same as before that acquisition. As an example, if the shopping cart of an online shop is realized using cookies, the content of the cart may not change when the user goes back in the browser's history: if the user presses a button to add an item in the shopping cart and then clicks on the "Back" button, the item remains in the shopping cart. This might not be the intention of the user, who possibly wanted to undo the addition of the item. This inconsistency contradicts the principles of Representational State Transfer (REST), and can lead to unreliability, confusion and bugs.





[edit] Alternatives to cookies

Some of the operations that can be realised using cookies can also be realised using other mechanisms. However, these alternatives to cookies have their own drawbacks, which make cookies usually preferred to them in practice. Most of the following alternatives allow for user tracking, even if not as reliably as cookies. As a result, privacy is an issue even if cookies are rejected by the browser or not set by the server.





[edit] IP address

An unreliable technique for tracking users is based on storing the IP addresses of the computers requesting the pages. This technique has been available since the introduction of the World Wide Web, as downloading pages requires the server holding them to know the IP address of the computer running the browser or the proxy, if any is used. This information is available for the server to be stored regardless of whether cookies are used or not.



However, these addresses are typically less reliable in identifying a user than cookies because computers and proxies may be shared by several users, and the same computer may be assigned different Internet addresses in different work sessions (this is often the case for dial-up connections). The reliability of this technique can be improved by using another feature of the HTTP protocol: when a browser requests a page because the user has followed a link, the request that is sent to the server contains the URL of the page where the link is located. If the server stores these URLs, the path of page viewed by the user can be tracked more precisely. However, these traces are less reliable than the ones provided by cookies, as several users may access the same page from the same computer, NAT router, or proxy and then follow two different links. Moreover, this technique only allows tracking and cannot replace cookies in their other uses.



Tracking by IP address can be impossible with some systems that are used to retain Internet anonymity, such as Tor. With such systems, not only could one browser carry multiple addresses throughout a session, but multiple users could appear to be coming from the same IP address, thus making IP address use for tracking wholly unreliable.



Some major ISPs, including AOL, route all web traffic through a small number of proxies which makes this scheme particularly unworkable.





[edit] URL (query string)

A more precise technique is based on embedding information into URLs. The query string part of the URL is the one that is typically used for this purpose, but other parts can be used as well. The PHP session mechanism uses this method if cookies are not enabled.



This method consists of the Web server appending query strings to the links of a Web page it holds when sending it to a browser. When the user follows a link, the browser returns the attached query string to the server.



Query strings used in this way and cookies are very similar, both being arbitrary pieces of information chosen by the server and sent back by the browser. However, there are some differences: since a query string is part of a URL, if that URL is later reused, the same attached piece of information is sent to the server. For example, if the preferences of a user are encoded in the query string of a URL and the user sends this URL to another user by e-mail, those preferences will be used for that other user as well.



Moreover, even if the same user accesses the same page two times, there is no guarantee that the same query string is used in both views. For example, if the same user arrives to the same page but coming from a page internal to the site the first time and from an external search engine the second time, the relative query strings are typically different while the cookies would be the same. For more details, see query string.



Other drawbacks of query strings are related to security: storing data that identifies a session in a query string enables or simplifies session fixation attacks, referer logging attacks and other security exploits. Transferring session identifiers as HTTP cookies is more secure.





[edit] Hidden form fields

A form of session tracking, used by ASP.NET, is to use web forms with hidden fields. This technique is very similar to using URL query strings to hold the information and has many of the same advantages and drawbacks. However, it presents two advantages from the point of view of the tracker: first, having the tracking information placed in the HTML source rather than the URL means that it is not noticed by the average user; second, the session information is not copied when the user copies the URL (to save the page on disk or send it via email, for example). A drawback of this technique is that session information is in the HTML code; therefore, each web page must be generated dynamically each time someone requests it, placing an additional workload on the web server.





[edit] HTTP authentication

As for authentication, the HTTP protocol includes mechanisms, such as the digest access authentication, that allow access to a Web page only when the user has provided the correct username and password. Once these credentials are given, the browser stores and uses them also for accessing subsequent pages, without requiring the user to provide them again. From the point of view of the user, the effect is the same as if cookies were used: username and password are only requested once, and from that point on the user is given access to the site. In the background, the username and password combination is sent to the server in every browser request. This means that someone listening in on this traffic, can simply read this information and store for later use. Session tokens on the other hand, usually expire after not having been used for a while, and thus effectively become useless (i.e. they cannot be used to retrieve the session in which the user was logged-in).





[edit] Macromedia Flash Local Stored Objects

If a browser includes the Macromedia Flash Player plugin, its Local Shared Objects function can be used in a way very similar to cookies. Local Stored Objects may be an attractive choice to web developers because a majority of Windows users have Flash Player installed, the default size limit is 100 kb, and the security controls are distinct from the user controls for cookies, so Local Shared Objects may be enabled when cookies are not.





[edit] Client-Side Persistence

Some web browsers support a script-based persistence mechanism that allows the page to store information locally for later retrieval. Internet Explorer, for example, supports persisting information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.[12]



If JavaScript is enabled, the window.name property of the object window can be used to persistently store data. This property remains unaltered across the loading and unloading of other web pages. This hack is little known, and has therefore not been considered a security risk. Additionally, window.name introduces browser compatibility issues, as Mozilla-based browsers such as Mozilla Firefox do not support JavaScript persistence using window.name.[13]



A different mechanism relies on browsers normally caching (holding in memory instead of reloading) JavaScript programs used in web pages. As an example, a page may contain a link such as