A cookie It is a small piece of information sent by a web site and stored in the user's browser, so that the website can consult the previous user activity.
Its main functions are:
- Keep track of users: when a user enters their username and password, a cookie is stored so you do not have to be introducing them to each page server. But nevertheless, a cookie does not identify only one person, but a combination of computer-browser-user.
- Getting information about the user's browsing habits, and spyware attempts (spyware), by advertising agencies and other. This can cause privacy problems and is one of the reasons why the cookies have their detractors.
Cookies can be deleted, accepted or blocked as desired, for this should only be conveniently set up the web browser.
Cookies are commonly used by web servers to differentiate users and to act differently depending on these.
Cookies are also used to track users across a website. Tracking in one place usually done with the intention to maintain usage statistics, while tracking across sites usually it aimed at creating anonymous user profiles by advertising companies, then they are used to target advertising campaigns (decide what kind of advertising use) based on user profiles.
Since its introduction in Internet have circulated misconceptions about cookies. In 2005 Jupiter Research published the results of a study, whereby a significant percentage of respondents believed some one of the following statements:
- Cookies are similar to worms and viruses that can erase data from the hard drives of users.
- Cookies are a type of spyware that can read personal information stored on computer users.
- Cookies generate popups.
- Cookies are used to generate spam.
- Cookies are only used for advertising purposes.
Actually, Cookies are data only, no code, then they can not erase or read information from computer users. But nevertheless, Cookies can detect the pages visited by a user at a given site or set of sites. This information can be collected in a user profile. These profiles are usually anonymous, that is to say, do not contain personal user information (first name, address, etc). In fact, They can not contain it unless the user has forwarded to any of the sites visited. But although anonymous, These profiles have been some concerns about privacy.
According to the same report, a large percentage of Internet users do not know how to delete cookies.
Most modern browsers support cookies. But nevertheless, a user can usually choose whether cookies should be used or not.
The browser can also include the ability to better specify what cookies should be accepted and which not. Specific, the user can normally accept any of the following options: reject cookies from certain domains; reject third party cookies; accept cookies as non-persistent (They are deleted when the browser is closed); allow the server to create cookies for a different domain. further, browsers can also allow users to view and delete cookies individually.
Cookies have important implications for privacy and anonymity of Web users. Although cookies only to the server that defined or another ship in the same domain, a web page may contain images and other components stored on servers in other domains. The cookies that are created during the requests of these components are called third-party cookies.
Advertising companies use third-party cookies to track users across multiple sites. Specific, an advertising company can track a user across all pages where it has placed advertising images or web bugs. Knowledge of the pages visited by a user allows these companies to target advertising according user preferences alleged.
The possibility of creating a user profile has been viewed as a potential threat to privacy, even when tracking is limited to a single domain, but especially when across multiple domains using third-party cookies. For that reason, some countries have legislation about cookies.
- the user receives information on how the data are used;
- the user has the possibility to reject this operation.
But nevertheless, This article also states that storing data that is necessary for technical reasons is permitted as an exception.
If more than one browser is used on a computer, each has its own storage of cookies. Thus, Cookies do not identify a person, but a combination of user account, computer and browser. In this way, anyone who uses multiple accounts, several computers, or multiple browsers, also it has multiple sets of cookies.
In the same way, cookies do not differentiate between several people using the same computer or browser, if they do not use different user accounts.
Robo de cookies
Cross-site scripting allows the value of the cookies sent to servers that normally would not receive such information. Modern browsers allow execution of code segments received from the server. If cookies are accessible during execution, its value can be communicated in any way to servers that should not access them. The process that allows an unauthorized party receiving a cookie is called stealing cookies, and encryption does not work against this type of attack.
This possibility is typically exploited by attackers of sites that allow users to send HTML content. Introducing a segment appropriate HTML code in a shipment, an attacker may receive cookies from other users. Knowledge of these cookies can then be exploited by connecting to the places where the stolen cookies are used, It is thus identified as the user who stole the cookies.
Falsification of cookies
Although cookies must be stored and sent back to the server without changing, an attacker could modify the value of cookies before returning. And, for example, a cookie contains the total value of the purchase of a user on a website, changing that value the server could allow an attacker pay less than they should for their purchase. The process of modifying the value of the cookies called cookies counterfeit and often performed after stealing cookies to persistent attack.
But nevertheless, most websites only stored in the cookie a session identifier-a unique number used to identify the session of the user- and other information is stored on the server itself. In this case, the problem of counterfeiting of cookies is virtually eliminated.
Cross-site cooking (cross-site cooking)
Each site must have their own cookies, malo.net so that a site does not have to modify or set cookies from another site as bueno.net. Vulnerabilities of cross-site cooking (cross-site cooking) browsers allow malicious sites to break this rule. This is similar to the falsification of cookies, but the attacker exploits non-malicious users with vulnerable browsers, instead of attacking the website directly. The aim of these attacks may perform a session fixation (session hijacking on a website).