The TCP/IP Guide - HTTP State Management Using "Cookies"

Please Whitelist This Site?

I know everyone hates ads. But please understand that I am providing premium content for free that takes hundreds of hours of time to research and write. I don't want to go to a pay-only model like some sites, but when more and more people block ads, I end up working for free. And I have a family to support, just like you. :)
If you like The TCP/IP Guide, please consider the download version. It's priced very economically and you can read all of it in a convenient format without ads.

If you want to use this site for free, I'd be grateful if you could add the site to the whitelist for Adblock. To do so, just open the Adblock menu and select "Disable on tcpipguide.com". Or go to the Tools menu and select "Adblock Plus Preferences...". Then click "Add Filter..." at the bottom, and add this string: "@@||tcpipguide.com^$document". Then just click OK.

Thanks for your understanding!

Sincerely, Charles Kozierok
Author and Publisher, The TCP/IP Guide

NOTE: Using software to mass-download the site degrades the server and is prohibited.
If you want to read The TCP/IP Guide offline, please consider licensing it. Thank you.

The Book is Here... and Now On Sale!

Read offline with no ads or diagram watermarks!

The TCP/IP Guide

Custom Search

The TCP/IP Guide
9 TCP/IP Application Layer Protocols, Services and Applications (OSI Layers 5, 6 and 7)
      9 TCP/IP Key Applications and Application Protocols
           9 TCP/IP File and Message Transfer Applications and Protocols (FTP, TFTP, Electronic Mail, USENET, HTTP/WWW, Gopher)
                9 TCP/IP World Wide Web (WWW, "The Web") and the Hypertext Transfer Protocol (HTTP)
                     9 TCP/IP Hypertext Transfer Protocol (HTTP)
                          9 HTTP Features, Capabilities and Issues

HTTP Security and Privacy

Gopher Protocol (Gopher)

HTTP State Management Using "Cookies"
(Page 3 of 3)

Managing Cookie Use

The RFCs describing the cookie state management technique deal extensively with these and other issues, but there is no clear-cut resolution to these concerns. Like most security and privacy matters, the most important determinant of how significant potential cookie abuse may be is your own personal comfort level. Millions of people browse the Web every day letting any and all sites set whatever cookies they want, and never have a problem. Others consider cookies an offensive idea and disable all cookies, which eliminates the privacy concerns but can cause problems with useful applications like interactive Web sites. As usual, the best approach is usually something in the middle, where you choose when and how you will allow cookies to be set.

The degree to which “cookie control” is possible depends greatly on the quality and feature-set of your Web client software. Many browsers do not provide a great deal of control in how and when cookies are set, where others are much better in this regard. Some allow cookies to be disabled, but come with them turned on by default, and since many people are not even aware of the issues I have mentioned above, they will not even realize when cookies are being sent. Most notable in this regard is the most popular browser in the world, Microsoft’s Internet Explorer, which normally comes set by default to accept all cookies without complaint or even comment.

Internet Explorer does allow you to disable cookies, but you have to do it yourself. It also allows you to differentiate between first-party and third-party cookies, but again, you must turn this on. Other browsers have more sophisticated settings, which will let you dictate conditions under which cookies may be set and others when they may not. Some will even let you allow certain sites to send cookies while prohibiting them from others. Better ones will also you to visually inspect cookies, and selectively clear the ones you do not want on your machine.

Third-party cookies can be used by online advertising companies and others to track the sites that a Web user visits. For this reason, they are considered by many people to fall into the general category of undesirable software called spyware. There are numerous tools that will allow you to identify and remove tracking cookies from your computer; many are available free on the Web.

Key Concept: HTTP is an inherently stateless protocol, because a server treats each request from a client independently, forgetting about all prior requests. This characteristic of HTTP is not an issue for most routine uses of the World Wide Web, but is a problem for interactive applications such as online shopping where the server needs to keep track of a user’s information over time. To support these applications, most HTTP implementations include an optional feature called state management. When enabled, a server sends to a client a small amount of information called a cookie, which is stored on the client machine. The data in the cookie is returned to the server with each subsequent request, allowing the server to update it and send it back to the client again. Cookies thus enable a servers to remember user data between requests. However, they are controversial, because of certain potential privacy and security concerns related to their use.

HTTP Security and Privacy

Gopher Protocol (Gopher)

If you find The TCP/IP Guide useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider purchasing a download license of The TCP/IP Guide. Thanks for your support!

Home - Table Of Contents - Contact Us

The TCP/IP Guide (http://www.TCPIPGuide.com)
Version 3.0 - Version Date: September 20, 2005

© Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.