Why do we need cookies?

The fact is that HTTP is a stateless protocol, so to speak: every time the user opens a page he starts from scratch, whatever he entered and whatever changes he made before. Cookies create the illusion that the site remembers the user. The user does not need to enter the same information a hundred times from page to page, or even from session to session, because it is stored on his disk. Another convenience is that the user can always change this information on his disk "on the fly". Cookies can also store other kinds of data, for example the number of visits to a page or the time of those visits. With cookies it is easy to build a small organizer or a shopping basket in a virtual store.

Many people dislike cookies because of their insecurity. Many analysts say that this is not a problem and that nothing bad can be done with this technology. I deeply disagree: if someone can read information from the cookie file(s), then it is already unsafe. I will give purely theoretical examples which, if desired, would not be hard to turn into reality.
1. Suppose a user went to a mail site and filled out a form with a login and password, which were recorded in a cookie, even over Secure Sockets Layer (SSL). A cracker wrote the user a letter in HTML format with parameters for reading the cookies with the passwords. After reading the cookie, the HTML file either sends the information to the attacker or asks the user for permission to send it, where the user can be deceived by a false message such as "Errors in Javascript scripts!". Even a fairly experienced user will click OK without hesitation, after which the login and password are sent to the attacker. Alternatively, the attacker can add a zero-size frame where the information from the cookie is temporarily stored and which, when the user replies to the message, is inserted at the end of the letter. All of this is easy to do with FORM and Javascript.
2. An example with a virtual store. Suppose we have a hypothetical shop, shop.provider.com. While the user makes purchases in this store, the information is stored in a cookie. In parallel, or before entering the store, the user visited the hypothetical cracker page hacker.provider.com, where the virtual shop's cookie settings were changed. The cracker can change the number of purchases, the name, the address, and everything else stored in this cookie. I think you would not like it if a couple of monitors were added to your purchases, or if your purchases were delivered to the wrong user. This is quite simple to do if you have a page in the store's second-level or third-level domain.

So, for the user, cookie technology is a few files in the %WINDOWS%\Cookies folder (by default in Internet Explorer), or just one cookie.txt (in Netscape Navigator and other browsers). Sites periodically add information to the cookies and also take it back. Naturally, the cookie specifications provide some security features.

- There can be no more than 300 cookies in total.
- Each cookie cannot be larger than 4 KB.
- No more than 20 cookies can be received from one second-level domain (including its sub-levels).
- Information from the cookies of one second-level domain (including its sub-levels) cannot be read by other domains.
- If a document is cached, its cookie information is not cached.
- Information to and from cookies can be transferred over SSL.
- If a limit is exhausted, the earliest entries are deleted. If a cookie grows beyond 4 KB, the first bytes are cut off.
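The scoping and size rules in this list, and the shared-domain situation in the second example above, can be checked mechanically. The following JavaScript (Node.js) is an added example, not code from the original article: it parses Set-Cookie header values, applies a simplified form of the domain-matching rule from RFC 6265, enforces the 4 KB and 20-per-domain limits given in the list, and shows that a cookie set with Domain=.provider.com is attached to requests for every host under provider.com (shop.provider.com and hacker.provider.com alike), while a host-only cookie stays with the host that set it. The hostnames, header values and the `demo` function are constructed for illustration.

```javascript
// Added example, not from the original article. Hostnames, header values
// and the demo scenario are constructed; limits are the ones the list gives.
const MAX_COOKIE_BYTES = 4096; // each cookie: no more than 4 KB
const MAX_PER_DOMAIN = 20;     // no more than 20 cookies per domain

// Parse one Set-Cookie header value. Without a Domain attribute the
// cookie is scoped to the host that set it (host-only).
function parseSetCookie(header, requestHost) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    domain: requestHost.toLowerCase(),
    hostOnly: true,
    secure: false,
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'domain' && val) {
      cookie.domain = val.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    } else if (key === 'secure') {
      cookie.secure = true;
    }
  }
  return cookie;
}

// Simplified RFC 6265 domain-matching: a cookie for provider.com applies
// to provider.com and to every host below it, never to other.com.
function domainMatches(hostname, cookieDomain) {
  const h = hostname.toLowerCase();
  return h === cookieDomain || h.endsWith('.' + cookieDomain);
}

// Would the browser attach this cookie to a request for `url`?
function cookieApplies(cookie, url) {
  const u = new URL(url);
  if (cookie.hostOnly) {
    if (u.hostname.toLowerCase() !== cookie.domain) return false;
  } else if (!domainMatches(u.hostname, cookie.domain)) {
    return false;
  }
  // A Secure cookie travels only over SSL/TLS.
  if (cookie.secure && u.protocol !== 'https:') return false;
  return true;
}

// Size limit: name=value must fit in 4 KB, otherwise the browser truncates.
function fitsSizeLimit(cookie) {
  const bytes = new TextEncoder().encode(`${cookie.name}=${cookie.value}`).length;
  return bytes <= MAX_COOKIE_BYTES;
}

// Per-domain jar: when the 20-cookie limit is exceeded the earliest
// entries are dropped first. Returns the number of cookies kept.
function addToJar(jar, cookie) {
  const list = jar.get(cookie.domain) ?? [];
  list.push(cookie);
  while (list.length > MAX_PER_DOMAIN) list.shift();
  jar.set(cookie.domain, list);
  return list.length;
}

// Constructed scenario: the hypothetical shop sets one cookie shared across
// all of provider.com and one host-only cookie.
const SAMPLE_HEADERS = [
  'session=abc123; Domain=.provider.com; Secure',
  'cart=2; Path=/',
];

function demo() {
  const [shared, hostOnly] = SAMPLE_HEADERS.map((h) => parseSetCookie(h, 'shop.provider.com'));
  return {
    sharedOverHttps: cookieApplies(shared, 'https://shop.provider.com/checkout'),
    sharedOverHttp: cookieApplies(shared, 'http://shop.provider.com/checkout'),
    sharedToSibling: cookieApplies(shared, 'https://hacker.provider.com/'),
    sharedToOtherDomain: cookieApplies(shared, 'https://other.com/'),
    hostOnlyToSibling: cookieApplies(hostOnly, 'https://hacker.provider.com/'),
  };
}

console.log(demo());
```

The practical lesson for a site operator is the `hostOnlyToSibling` result: a cookie without a Domain attribute is not shared with other hosts under the same second-level domain, so a store that keeps its cookies host-only does not expose them to a neighbouring page on the provider's domain; the Secure flag likewise keeps the cookie off plain HTTP connections.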

To control the writing and reading of cookies you can use special utilities, but this function is also available in almost all firewalls, such as Agnitum Outpost, and in the A4Proxy program you can block all cookies with two mouse clicks.