Cookies & Privacy
Copyright 2012-2021 Ellis Horowitz
Overview
• What is a Cookie? Basic Facts
• Working with Cookies: Code & Demo
• Cookie based Marketing
• Cookies, Privacy & Legislation
• Conclusion
“Google has been bypassing the privacy settings of millions of people using Apple’s
Safari web browser on their iPhones and computers – Tracking the web-browsing habits of
people who intended for that kind of monitoring to be blocked.” Wall Street Journal,
Feb. 17, 2012
“Google to pay $22.5 million fine for Safari privacy evasion”, CNN Money, July 11, 2012
[largest penalty ever levied on a single company by the FTC]
What is a Cookie?
• Short pieces of text generated during web activity
and stored in the user’s machine by the user’s web
browser for future reference
• Cookies are created by website authors who write
software for reading and writing cookies
• Cookies were initially used so websites would
remember that a user had visited before, allowing
customization of sites without need for repeating
preferences
• The official 1997 specification for cookies, from
Bell Labs, Lucent & Netscape, can be found at:
https://tools.ietf.org/html/rfc2109
Elements of a Cookie
• A cookie is associated with a website’s domain
and contains name, value, path, and expiration
date
• For example, here is one that was placed on my
machine from research.google.com
– Name: _utma
– Content: 180832036.353394603.1325873813.1325873813.1329750652.2
– Domain: .research.google.com
– Path: /
– Created: Monday, February 20, 2012 7:12:45 AM
– Expires: Wednesday, February 19, 2014 7:12:45 AM
• Such cookies are sometimes referred to as HTTP
cookies because they are placed there using the HTTP
protocol as the delivery mechanism
Cookie Scope: What They Can Do
• Store and manipulate any information you
explicitly provide to a site
• Track your interaction with the site such as
pages visited, time of visits, number of visits
• Use any information available to the web server
including: your IP address, Operating System,
Browser Type
Cookie Scope: What They Cannot Do
• Have automatic access to Personal Identifiable
Information (PII) like name, address, email
• Read or write data to disk
• Read or write information in cookies placed by
other sites
• Run programs on your computer
• As a result, they
– Cannot carry viruses
– Cannot install malware on the host computer
Finding Cookies in Your Chrome Browser
Browsers store their cookies in their own format and files.
In Chrome
Customize > Settings > Privacy and security > Cookies and
other site data > See all cookies and site data > Search
cookies
Finding Cookies in Your Firefox Browser
In Firefox
Open Application Menu > Settings > Privacy & Security >
Browser Privacy > Cookies and Site Data > Manage Data… >
Search websites
Here are the Firefox settings for handling cookies
Finding Cookies in Your Safari Browser
In Safari
Safari menu > Preferences… > Privacy > Manage Website
Data… > Search
Other Google Property Cookies
[Screenshots: Doubleclick cookies; YouTube cookies]
Doubleclick and YouTube are two companies owned and operated by
Google; Doubleclick cookies are referred to as 3rd party cookies
because the user never actually visits the Doubleclick site
Sample Chrome Cookie Storage
For example, google.com has
stored many cookies on this
browser:
plus.google.com
plusone.google.com
productforums.google.com
research.google.com
support.google.com
talkgadget.google.com
wallet.google.com
www.google.com
and many others
Sample Firefox Cookie Storage
For example, google.com has
stored many cookies on this
browser:
accounts.google.com
google.com
mail.google.com
plus.google.com
plusone.google.com
etc.
Cookie Types and Taxonomy
• By Lifespan
– Session Cookies (stored in RAM)
– Persistent Cookies (stored on disk)
• By Read-Write Mechanism
– Server-Side Cookies (included in HTTP Headers)
– Client-Side Cookies (manipulated with JavaScript)
• By Structure
– Simple Cookies
– Array Cookies
• Session cookies exist only while the user is reading and
navigating the website; browsers normally delete session
cookies when the user exits the browser
• Persistent cookies, also known as tracking cookies, have an
expiration date
• Secure cookies have the secure attribute enabled and are
only sent over HTTPS, so the cookie is always encrypted in transit
• Third-party cookies are not from the “visited” site
Third Party Cookies
• Third party cookies are cookies set with a different domain than
the one in the browser’s address bar
– These cookies may be placed by an advertisement on the page or
an image on the page
– RFC 6265 allows browsers to implement whatever policy they
wish regarding third party cookies
• https://tools.ietf.org/html/rfc6265
– Advertisers use third party cookies to track a user across
multiple sites
• A user visits www.site1.com, which sets a cookie with
domain ad.adtracking.com; later the same user visits
www.site2.com, which also sets a cookie with domain
ad.adtracking.com. Eventually both cookies will be sent to
the advertiser, which will match them
• Wikipedia has a nice description of cookies, see
http://en.wikipedia.org/wiki/HTTP_cookie
• Google Chrome will kill support for 3rd party cookies in 2023, see
https://www.cnbc.com/2020/01/14/google-chrome-to-end-support-for-third-party-cookies-within-two-years.html
Cookie Processing Algorithm
1. A URL is requested (either by entering one into the
address field or by clicking on a link)
2. The browser scans its cookie database for any cookies
whose domain and path match the requested URL
3. If any are found, all the cookies are sent along with
the request as part of the HTTP headers (value of
Cookie)
4. The server-side programs may or may not make use of any
cookies from the client to determine what page to return
5. The server-side program may generate one (or more)
cookies and send them along with the requested page;
cookies are included in the HTTP headers returned to the
browser (value of Set-Cookie)
6. The browser stores any new cookies into its database;
cookies can be accessed on the client using the
document.cookie object in JavaScript
Cookie Processing Example
https://www.google.com/?gws_rd=ssl
GET /?gws_rd=ssl HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: keep-alive
Cache-Control: max-age=0
HTTP/2.0 200 OK
Date: Mon, 29 Feb 2016 22:02:31 GMT
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Server: gws
Set-Cookie: NID=77=AITJ83oyT_0OAB8c4ogH1JKOxUwf3w9SMg5tcZUjnqq_3mKK1AQTMPPIET1Q2FL1jaKpK-NFJ_v-HT469S0DKl5SYn6Ct_1bGdn0xbbU-dLABnqUDneClbdgsG1iFcKqZdfur3w9nN3VyQ; expires=Tue, 30-Aug-2016 22:02:31 GMT; path=/; domain=.google.com; HttpOnly
———————————————————-
https://www.google.com/images/hpp/ic_wahlberg_product_core_48.png8.png
GET /images/hpp/ic_wahlberg_product_core_48.png8.png HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Encoding: gzip, deflate
Cookie: NID=77=AITJ83oyT_0OAB8c4ogH1JKOxUwf3w9SMg5tcZUjnqq_3mKK1AQTMPPIET1Q2FL1jaKpK-NFJ_v-HT469S0DKl5SYn6Ct_1bGdn0xbbU-dLABnqUDneClbdgsG1iFcKqZdfur3w9nN3VyQ
Connection: keep-alive
If-Modified-Since: Wed, 09 Sep 2015 23:04:49 GMT
HTTP/2.0 304 Not Modified
Date: Mon, 29 Feb 2016 22:02:32 GMT
Expires: Mon, 29 Feb 2016 22:02:32 GMT
Last-Modified: Wed, 09 Sep 2015 23:04:49 GMT
Server: sffe
Additional Facts About Cookies
• Scope: by default, cookie scope is limited to all URLs
on the current host name. Scope may be limited with the
path= parameter to specify a specific path prefix to
which the cookie should be sent, or broadened to a group
of DNS names, rather than single host only, with
domain=.
• Time to live: by default, each cookie has a lifetime
limited to the duration of the current browser session.
Alternatively, an expires= parameter may be included to
specify the date at which the cookie should be dropped
• Overwriting cookies: if a new cookie with the same NAME,
domain, and path as an existing cookie is encountered,
the old cookie is discarded
• Deleting cookies: There is no specific mechanism for
deleting cookies, although a common hack is to overwrite
a cookie with a bogus value as outlined above, plus a
backdated or short-lived expires=
• “Protected” cookies: as a security feature, some cookies
set may be marked with a special secure keyword, which
causes them to be sent over HTTPS only
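The matching and storage rules from the Cookie Processing Algorithm (steps 2, 3, 5 and 6) together with the scope, overwrite, delete and secure rules listed above, as an added JavaScript example that is not part of the original slides. The class and function names are assumptions, and the jar is simplified: the default path is always /, and there is no public-suffix check.

```javascript
// Added example: a simplified cookie jar (no public-suffix list, default path "/").
const domainMatch = (host, d) => host === d || host.endsWith('.' + d);
const pathMatch = (req, p) =>
  req === p || (req.startsWith(p) && (p.endsWith('/') || req[p.length] === '/'));

class CookieJar {
  constructor() { this.store = new Map(); }    // key: name|domain|path

  // Steps 5-6: store a cookie from a Set-Cookie header received for requestUrl.
  setCookie(header, requestUrl, now = Date.now()) {
    const host = new URL(requestUrl).hostname;
    const [pair, ...attrs] = header.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');              // first '=' only: values may contain '='
    if (eq < 1) return false;
    const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: host,
                hostOnly: true, path: '/', expires: Infinity, secure: false };
    for (const a of attrs) {
      const i = a.indexOf('=');
      const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
      const val = i < 0 ? '' : a.slice(i + 1);
      if (key === 'domain' && val) {           // domain= broadens scope to subdomains
        c.domain = val.replace(/^\./, '').toLowerCase();
        c.hostOnly = false;
      } else if (key === 'path' && val.startsWith('/')) c.path = val;
      else if (key === 'secure') c.secure = true;
      else if (key === 'expires' && !Number.isNaN(Date.parse(val))) c.expires = Date.parse(val);
    }
    if (!domainMatch(host, c.domain)) return false;   // a site cannot set cookies for another site
    const id = `${c.name}|${c.domain}|${c.path}`;
    this.store.delete(id);                     // same name, domain and path: old cookie discarded
    if (c.expires > now) this.store.set(id, c); // a backdated expires= therefore deletes
    return true;
  }

  // Steps 2-3: build the Cookie request header value for a URL.
  cookieHeader(requestUrl, now = Date.now()) {
    const url = new URL(requestUrl);
    return [...this.store.values()]
      .filter(c => c.expires > now
        && (c.hostOnly ? url.hostname === c.domain : domainMatch(url.hostname, c.domain))
        && pathMatch(url.pathname, c.path)
        && (!c.secure || url.protocol === 'https:'))
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}
```

A cookie set without domain= is returned only to the exact host that set it, while domain=.google.com makes it visible to every subdomain, which is why the NID cookie in the trace above is sent to any *.google.com host.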
Client-Side Cookies
• JavaScript has a property of the document
object named cookie:
document.cookie
• This is a string variable that can be read and
written using the JavaScript string functions
• A cookie can be removed from the cookie
database either because it expires or because
the cookie file gets too large
– browsers need not store more than 300
cookies, nor more than 20 cookies per web
server, nor more than 4K per cookie
• Setting document.cookie creates a new cookie
for the web page
• Reading document.cookie retrieves all defined
cookies (array)
escape(s) and unescape(s)
• Cookie ‘values’ should not contain white space, brackets,
parentheses, equals signs, commas, double quotes, slashes,
question marks, at signs, colons, and semicolons
– Cookie values are encoded into their hex equivalents
• escape() and unescape() functions are properties of the
“global object”
– https://developer.mozilla.org/en-US/docs/Glossary/Global_object
• escape(s) returns a new version of string ‘s’ that is
encoded
– all spaces, punctuation, accented characters, and other non-ASCII
letters or numbers are converted to %xx format (ISO-8859-1)
– https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/escape
• unescape(s) returns a new version of string ‘s’ that is
decoded
– all %xx are replaced by their character equivalent
– https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/unescape
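Why cookie values need encoding, shown as an added example that is not part of the original slides: an unencoded value containing ; or = is split into extra cookies when the string is parsed, while an encoded one survives intact. The function names and the sample input are assumptions, and the code uses encodeURIComponent()/decodeURIComponent(), which MDN recommends over the deprecated escape()/unescape().

```javascript
// Added example: encoding helpers for values written to document.cookie.
function encodeCookie(name, value) {
  return `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
}

// Parse a "name=value; name2=value2" string (the shape document.cookie returns).
function parseCookieString(str) {
  const out = Object.create(null);            // no prototype keys to collide with
  for (const part of str.split(';')) {
    const eq = part.indexOf('=');             // first '=' only: values may contain '='
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    try {
      out[decodeURIComponent(name)] = decodeURIComponent(raw);
    } catch (e) {
      out[name] = raw;                        // malformed %xx (e.g. escape()'s %uXXXX): keep raw
    }
  }
  return out;
}

// Constructed sample: a user-supplied preference containing separator characters.
const userInput = 'dark; lang=fr';
const unsafe = parseCookieString('theme=' + userInput);            // splits into two cookies
const safe = parseCookieString(encodeCookie('theme', userInput));  // stays one cookie
```

escape() encodes characters above U+00FF as %uXXXX, which decodeURIComponent() rejects, so values written with the legacy function fall into the catch branch and are returned undecoded.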
Test of escape( ), unescape( )
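function printout(x) {
  // Print the input, then its escape()d and unescape()d forms, one per line.
  // The HTML tags inside the strings were lost in extraction; <br> is assumed.
  document.write("<br>");
  document.write("Original input = " + x + "<br>");
  document.write("escape() of input = " + escape(x) + "<br>");
  document.write("unescape() of input = " + unescape(x) + "<br>");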
")document.write("