
Why are cookies needed?

The point is that HTTP is, so to speak, a one-time (stateless) protocol: each time a page is requested, the user starts from scratch, no matter what he entered or changed before. A cookie creates the illusion that the site remembers the user. The user does not have to enter the same information hundreds of times, page after page and even session after session, because it is stored on his disk. It is also convenient that the user can change this stored information on his disk on the fly. Cookies can hold other miscellaneous data as well, for example the number of visits to a page or the time of the visits. With cookies it is not difficult to build a small organizer or a shopping cart for an online store.

Many people dislike cookies because of their insecurity. Many analysts say this is not a problem and that nothing bad can be done with this technology. I deeply disagree: if someone can read the information in the cookie file(s), then it is already unsafe. Below are purely theoretical examples which, if desired, are not difficult to carry out in practice.
1. Suppose a user has logged on to a mail site and filled in a form with a login and password, which were then written into a cookie, even if this happened over SSL (Secure Sockets Layer). The hacker sends the user a letter in HTML format containing code that reads the cookies with the passwords. After reading the cookie, the HTML file either sends the information to the hacker directly or asks the user for permission to send it, where the user can be fooled by a false message such as "Error in JavaScript script!". Even a fairly experienced user will click OK without thinking, after which the login and password are sent to the hacker. Alternatively, the hacker can add a hidden (zero-size) frame that temporarily holds the information from the cookie, which is then inserted at the end of the letter when the user replies. All this is easy to do with FORM and JavaScript.
2. An example with an online store. Suppose we have a hypothetical shop. While making purchases in this store, the user's data is stored in a cookie. Before or in parallel with visiting the store, the user went to a hypothetical hacker's page, where the store's cookie values were changed. The hacker can change the number of purchases, the name, the address and everything else stored in this cookie. I think you would not like it if a couple of monitors were added to your purchases, or if your purchases were delivered to the wrong user. This is quite simple to do if you have a page in the store's second- or third-level domain.

So, for the user, cookie technology amounts to several files in the %WINDOWS%\Cookies folder (by default in Internet Explorer) or a single cookie.txt file (in Netscape Navigator and other browsers). Sites periodically add information to the cookies and read it back. Naturally, the cookie specification provides some security measures.

- There can be no more than 300 cookies in total.
- A single cookie cannot be larger than 4 KB.
- No more than 20 cookies can be accepted from one second-level domain (including its subdomains).
- Cookie information of one second-level domain (including its subdomains) cannot be read by other domains.
- If a document is cached, its cookie information is not cached.
- Information to and from cookies can be transmitted over SSL.
- When the limit is exhausted, the earliest entries are deleted. If a cookie grows beyond 4 KB, the first bytes are cut off.
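To make the rules above concrete, here is an added example (not code from the original article or from any browser) of a small cookie jar that enforces the 300-cookie, 20-per-domain and 4 KB limits, the domain-scoping rule and the SSL-only flag, and also shows why example 2 above works: any host under the store's domain can overwrite a cookie scoped to the store, so a server must never trust cookie contents. Hostnames such as shop.example are constructed; the jar rejects oversized cookies instead of truncating them, and treats the last two labels of a host as its second-level domain, both of which are simplifying assumptions.

```python
from dataclasses import dataclass

MAX_COOKIES = 300        # total cookies a browser keeps (limit stated on this page)
MAX_PER_DOMAIN = 20      # cookies per second-level domain plus its subdomains
MAX_COOKIE_BYTES = 4096  # "name=value" of one cookie must fit in 4 KB

def registrable_domain(host):
    """'www.shop.example' -> 'shop.example' (assumption: one-label public suffix)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def domain_matches(cookie_domain, host):
    """A cookie for 'shop.example' is visible to shop.example and *.shop.example, not to evil.example."""
    cd, h = cookie_domain.lower().lstrip("."), host.lower()
    return h == cd or h.endswith("." + cd)

@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool = False  # send only over SSL

class CookieJar:
    def __init__(self):
        self.cookies = []  # oldest first, so eviction drops the front

    def set(self, setter_host, name, value, domain=None, secure=False):
        """Store a cookie sent by setter_host; returns False if the browser would refuse it."""
        domain = (domain or setter_host).lower().lstrip(".")
        # The setting host must lie inside the cookie's domain, and the domain must not be a bare TLD.
        if not domain_matches(domain, setter_host) or "." not in domain:
            return False
        if len(f"{name}={value}".encode()) > MAX_COOKIE_BYTES:
            return False  # assumption: reject oversized cookies instead of truncating them
        # Same name in the same domain replaces the old cookie (this is how a subdomain page overwrites it).
        self.cookies = [c for c in self.cookies if (c.name, c.domain) != (name, domain)]
        same_site = [c for c in self.cookies if registrable_domain(c.domain) == registrable_domain(domain)]
        if len(same_site) >= MAX_PER_DOMAIN:
            self.cookies.remove(same_site[0])  # earliest cookie of this site goes first
        if len(self.cookies) >= MAX_COOKIES:
            self.cookies.pop(0)  # earliest cookie overall goes first
        self.cookies.append(Cookie(name, value, domain, secure))
        return True

    def get(self, host, secure_channel):
        """Cookies a page on host would receive; Secure cookies travel only over SSL."""
        return {c.name: c.value for c in self.cookies
                if domain_matches(c.domain, host) and (secure_channel or not c.secure)}
```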

To control the writing and reading of cookies you can use special utilities, but this function is built into almost all firewalls, such as Agnitum Outpost; in A4Proxy you can disable all cookies with two mouse clicks.