Breastfeeding Basics: HTTP Cookies

HTTP Cookies, a culinary diversion

I won't get too technical here. There's plenty of technical information about cookies on the web already. The bottom line is that advertisers want to know a lot about you. They are hungry for knowledge about what you buy and thirsty for information about what you like and what you don't. Why they don't just go get a pizza and beer is beyond me.

HTTP cookies look like the outback steakhouse to these folks, because if they can cunningly get you to identify yourself electronically every time that you see one of their little web adverts, or every time you buy one of their products, or even whenever you visit any old web page that they may have gotten their greed..., uhm palms on, then they can gather a lot of data about you. To what use ``they'' might put all this data is unclear, but some skeptics and cynics out there have suggested some scary ideas.

So, how does it work?

Actually the first question is why is it necessary? Can't they just track you without these cookies? The answer to that is a qualified ``no''. To put it simply, each time you access an item from a web site (a page of HTML, an image, a java program, etc.) you make a separate ``internet phone call'' to get that item. A fancy page might cause your browser to make dozens of these phone calls (technically: TCP connections) to possibly several different web servers operated by different organizations. These TCP connections don't provide much information to the web server - basically just an internet address (ie: your internet phone number). But your internet address might really be one that is on ``temporary loan'' from your ISP (dynamically assigned), or it might be the address of a machine at your ISP that is acting as a proxy for your request, or the address of your organization's firewall server, or even the address of a server in your organization that many different people use to get through to the net, and I haven't even mentioned NAT...

Then when you go to lunch and relinquish your borrowed IP address someone else may get that address a few minutes later. When you come back from lunch and eagerly log back on, you will probably get a different IP address from the one you had before lunch. So, the poor web server can't make much headway by tracking hits from a particular IP address.

Thus, we come to cookies. These are little snippets of data that consist of a name (eg: ``webvert_id''), some data (eg: ``EOBJGTO4868U32HJDE'') and an expiration date (eg: January 31, 2050). When one of these is sent to your browser by www.webvert.com (no offense meant to the owner of that name, if anyone owns it) your browser squirrels it away in memory and in a file (possibly without you even knowing it) where it might live until Jan 31, 2050. (Sure, probably not, but perhaps until you replace your browser or your operating system or your computer).

Now, every time you ask www.webvert.com for another piece of info, (usually indirectly through some web page that uses Webvert, Inc. as their advertising broker) your browser dutifully sends back this cookie. This identifies you.

Ok, so far all they can do is keep track of where user number EOBJGTO4868U32HJDE likes to browse. But they may be able to build up quite a lot of info. on your interests, hobbies, purchasing habits, perversions, subversive activities, etc.

Big deal right?

Well, yeah, no problemo... until they somehow manage to connect your name, e-mail address, phone number, fax number, street address, etc. with EOBJGTO4868U32HJDE. And yes, you can bet they are counting on you slipping up and giving them this info. It might happen when you order a product over the internet and give the merchant some or all of this info, and the merchant hands it off to Webvert, Inc. as a condition of their business arrangement.

Now that profile that they have of you can be connected to who you are and it becomes valuable. Here comes more junk mail, more junk phone calls, more junk faxes, or maybe a call from your ex-spouse's lawyer wondering where you got the money for that new diamond tiara when you can't seem to pay your alimony. You get the picture.

Onward

That's what a lot of the fuss is about. The problem is that these cookies can be really useful. They could even potentially reduce the junk solicitations that you get, and cause you to get accurately targeted stuff that you might really be interested in (I doubt it, but ...).

More to the point, they can be used to allow a web server to remember stuff for you. That's what we are doing here - remembering the last ten pages that you visited so you can jump right back where you were, or more easily backtrack to that stuff you read a few pages back. Remembering literature references for you so that you can go look them up later (some of the medical literature that we cite here is still not on the web).

Other applications abound. A couple of the more obvious and useful is to save you from having to remember and enter a password every time you visit a site that you are a ``member'' of, and to implement the ``shopping cart'' metaphor that online stores use.

So, I have to recommend that you get a recent browser that gives you a lot of control over which cookies you actually will accept, and that you always enable an alert when a server tries to set a cookie. The result will sometimes be a whole bunch of cookie alerts. Just don't patronize sites that pepper you with cookies that you don't want. You should also learn where your browser stores cookies so that you can delete those that you really don't want.

Ok, where can you go for more information?

Here are a few places on the web to get more information on cookies. There are probably a lot of others, but this should get you started.

Cookie Central

Everything you ever wanted to know about cookies (not too technical).

Wikipedia article

Wikipedia on the HTTP state mechanism.

Persistent Client State - HTTP Cookies

The original preliminary Persistent Client State specification.