
Why do I need a cookie?

The point is that the HTTP protocol is stateless (one-time, so to speak): every time the user requests a page he starts from scratch, no matter what he entered or what changes he made before. Cookies help create the illusion that the site remembers the user. The user does not have to enter the same information a hundred times from page to page, or even from session to session, because it is stored on his disk. It is also convenient that the user can always change this information on his disk "on the fly". Cookies can store other kinds of data as well, for example the number of visits to a page or the time of the visits. With cookies it is not hard to build a small organizer or a shopping basket in a virtual store.

Many people dislike cookies because of their insecurity. Many analysts say this is not a problem and that nothing bad can be done with this technology. I deeply disagree: if someone can read information from the cookie file(s), it is already unsafe. I will give purely theoretical examples which, if desired, would not be hard to turn into reality.
1. Suppose a user went to a mail site and filled in a form with a login and password, which are written to the cookie, even if this happened over SSL (Secure Sockets Layer). The cracker writes the user a letter in HTML format containing code that reads the cookie with the password. After reading the cookie, the HTML file either sends the information to the attacker or asks the user for permission to do so, where the user can be fooled by a false message such as "Errors in Javascript scripts!". Even a fairly experienced user will click OK without hesitation, after which the login and password are sent to the attacker. Alternatively, the attacker can add a hidden (zero-size) frame where the information from the cookie is stored temporarily and, when the user replies to the message, is inserted at the end of the letter. All of this is easy to do with FORM and Javascript.
2. An example with a virtual store. Suppose we have a hypothetical shop at shop.provider.com. While making purchases in this store, the user stores information in the cookie. In parallel with, or before entering, the store, the user visited the hypothetical cracker page hacker.provider.com, where the virtual shop's cookie values were changed. The cracker can change the number of purchases, the name, the address, and everything else stored in this cookie. I think you would not like it if a couple of monitors were added to your purchases, or if your purchases were delivered to the wrong user. Doing this is quite simple if you have a page in the store's second-level or third-level domain.

So, for the user, cookie technology is a few files in the %WINDOWS%\Cookies folder (by default in Internet Explorer), or a single cookie.txt file (in Netscape Navigator and other browsers). Sites periodically add information to the cookie and also take it back out. Naturally, the cookie specification provides some security features.

- There can be no more than 300 cookies in total.
- Each cookie cannot be larger than 4 KB.
- No more than 20 cookies can be received from one second-level domain (including its sub-levels).
- Information from the cookies of one second-level domain (including its sub-levels) cannot be read by other domains.
- If the document is cached, the cookie information is not cached.
- Information going into and out of the cookie can be transferred using SSL.
- If the limit is exhausted, the first (oldest) entries are deleted. If a cookie grows beyond 4 KB, the first bytes are cut off.
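The scoping and limit rules above, together with the store scenario in example 2, as an added example (not from the original article): a small Python model of a cookie jar that applies the domain-match, per-domain and total limits, plus the server-side check a shop should apply so that a cart cookie set from a sibling sub-level like hacker.provider.com is rejected. The function names, the HMAC-based cart signature and the "last two labels" approximation of a second-level domain are my assumptions.

```python
import hmac, hashlib, json

MAX_TOTAL, MAX_PER_DOMAIN, MAX_BYTES = 300, 20, 4096  # limits from the article

def domain_matches(host, cookie_domain):
    """Host-only cookie matches its host exactly; Domain=provider.com also
    matches every sub-level such as shop.provider.com (the article's rule)."""
    d = cookie_domain.lower().lstrip(".")
    return host.lower() == d or host.lower().endswith("." + d)

def registrable_domain(domain):
    """Second-level domain the per-domain limit counts against (assumption:
    the last two labels are enough for this model)."""
    return ".".join(domain.lower().lstrip(".").split(".")[-2:])

class CookieJar:
    def __init__(self):
        self.cookies = []  # oldest first, so eviction drops the front

    def set_cookie(self, setter_host, name, value, domain=None):
        domain = domain or setter_host          # host-only cookie by default
        if not domain_matches(setter_host, domain) or len(value) > MAX_BYTES:
            return False                        # unrelated domain or oversize
        self.cookies = [c for c in self.cookies
                        if (c["name"], c["domain"]) != (name, domain)]
        self.cookies.append({"name": name, "value": value, "domain": domain})
        same = [c for c in self.cookies
                if registrable_domain(c["domain"]) == registrable_domain(domain)]
        for old in same[:-MAX_PER_DOMAIN]:      # oldest entries are deleted
            self.cookies.remove(old)
        del self.cookies[:-MAX_TOTAL]           # same for the global limit
        return True

    def cookies_for(self, host):
        """Every cookie the browser would send to this host, including ones a
        sibling sub-level planted with Domain= the shared parent domain."""
        return [c for c in self.cookies if domain_matches(host, c["domain"])]

def sign_cart(items, key):
    """Server side: bind the cart contents to a MAC under the shop's secret so
    a cookie written by another sub-level cannot pass as the shop's own."""
    body = json.dumps(items, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + tag

def verify_cart(value, key):
    """Return the cart items, or None if the cookie was forged or altered."""
    body, _, tag = value.rpartition("|")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(tag, expected) else None
```

Run with a shop cookie set from shop.provider.com and a forged "cart" set from hacker.provider.com with Domain=provider.com: both reach the shop, and only the signed one verifies.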

To control the writing and reading of cookies you can use special utilities, but this function is also available in almost all firewalls, such as Agnitum Outpost, and in the A4Proxy program, where you can ban all cookies with two mouse clicks.