
Web Cookies and Security

Security Infrastructure Project, 14 June 2002

Issue: Campus Web Sites Using Persistent Cookies

Campus web sites are beginning to use persistent cookies for important services.  The usual purpose is to preserve "login" session state.  This is unnecessary and dangerous.  Non-persistent cookies can be used anywhere persistent cookies can be used.

Recommendation:
Use and accept only non-persistent cookies for login session management.  Servers that need to remember user preferences can do so as part of their stored login information, not in cookies.

Overview

A web server can store data on your computer and retrieve it later using a token called a "cookie".  This feature is controversial: it can provide convenient features while web browsing, but it can also be used to invade your privacy and even compromise your computer.

Cookies are often used to capture data about your online behavior, and only sometimes for personalizing a site according to your preferences.  Cookies can also be placed by and later used by installer programs, viruses and Trojans.

Persistent and Non-Persistent Cookies   

Persistent cookies are stored on your computer hard disk.  They stay on your hard disk and can be accessed by web servers until they are deleted or have expired.  Persistent cookies are not affected by your browser setting that deletes temporary files when you close your browser.

Non-persistent cookies are saved only while your web browser is running.  They can be used by a web server only until you close your browser.  They are not saved on your disk.  Microsoft Internet Explorer and other browsers can be configured to accept non-persistent cookies but reject persistent cookies. Non-persistent cookies are also called session cookies.
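The distinction above, and the recommendation to keep login state out of persistent cookies, comes down to one thing a server controls: whether a Set-Cookie header carries an Expires or Max-Age attribute.  The following is an added example, not code from the original page, showing a small audit that classifies Set-Cookie headers as persistent or session cookies and flags login-state cookies that a server has made persistent.  The header lines, the cookie names treated as "login-state" names, and the fixed reference time are all constructed for the example.

```python
"""Classify Set-Cookie headers as persistent or session (non-persistent).

Added example, not part of the original page.  A cookie is persistent when
the server gives it an Expires or Max-Age attribute that lies in the future;
otherwise the browser keeps it only until it is closed.  Max-Age takes
precedence over Expires (RFC 6265, section 4.1.2.2).
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers, as a campus login server might send them.
SAMPLE_HEADERS = [
    "TestCookie1=abc; Path=/",
    "TestCookie2=def; Expires=Thu, 01 Jan 2030 00:00:00 GMT; Path=/",
    "sessionid=xyz; Max-Age=2592000; Secure; HttpOnly",
    "login=old; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
]

# Fixed "now" so the classification is reproducible (assumption for the example).
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Substrings that mark a cookie as carrying login state (assumed names).
LOGIN_NAMES = ("sessionid", "login", "auth", "token")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_persistent(attrs, now=None):
    """Return True if the cookie would outlive the browser session.

    An expiry in the past deletes the cookie; that is reported as not
    persistent.  A malformed Max-Age is ignored, as browsers do, so the
    decision then falls back to Expires.
    """
    now = now or datetime.now(timezone.utc)
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            pass  # unparseable Max-Age is ignored; check Expires next
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            return False  # unparseable Expires is ignored: session cookie
    return False


def audit(headers, now=None):
    """Return a list of (name, kind, warning) for each Set-Cookie header.

    kind is "persistent" or "session"; warning is set when a login-state
    cookie has been made persistent, which the recommendation above forbids.
    """
    results = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        kind = "persistent" if is_persistent(attrs, now) else "session"
        warning = None
        if kind == "persistent" and any(w in name.lower() for w in LOGIN_NAMES):
            warning = "login-state cookie is persistent; use a session cookie instead"
        results.append((name, kind, warning))
    return results


if __name__ == "__main__":
    for name, kind, warning in audit(SAMPLE_HEADERS, now=FIXED_NOW):
        print(f"{name:12s} {kind:10s} {warning or ''}")
```

Run against the constructed headers, TestCookie1 and the already-expired "login" cookie come out as session cookies, TestCookie2 and "sessionid" as persistent, and only "sessionid" draws the warning.  Feeding the script the real Set-Cookie lines from a site's login response is a quick way to check whether it follows the recommendation, since, as noted further down, browser cookie controls do not show whether a cookie is persistent.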

Cookie Demonstration and Test

The following is a simple test of cookies.  It sets a series of cookie values named "TestCookie*" and lets you check their values.

Cookie Demonstration and Test  

Browser Setup Notes and Tricks

Each browser, and each version of a browser, has different configuration options and behaviors relating to cookies and security.

A trend in browsers (and in personal security software) is to selectively allow or block cookies on a case-by-case or a per-server basis.  This is a useful feature, but it is hard for a non-expert user to know for sure when to allow cookies.  These features currently do not indicate whether a cookie is persistent or non-persistent.  Site administrators could make use of this feature to allow certain campus sites and block others, but this would only work if the browser settings are locked down so that the end user cannot change them.

Notes

  • A cookie can be set on your computer by an image file in a web-enabled email program, then read later by other web sites.  This can be used to track your browsing and for other nefarious purposes.
  • A cookie can be stored on your computer by any executing program, such as an installer, virus, or Trojan.  Such a program can access anything on your computer and deliver it later to a web site you visit (for example, when you open a help page or an on-line registration form).

Page modified: 06 Nov 2011 14:36:28 -0800
