I Want a Cookie

Old MVS mainframes were often plagued by a curious program which seemed to creep up out of nowhere. No matter where you were - ISPF, an ordinary command line, all of a sudden, out of the blue, you'd see the following line on your screen:

I want a cookie

Then, several minutes later, your 3270 would go down.

This went on and on until someone finally discovered all you had to do was reply:

Cookie

And the cookie monster went away.

That was a comparatively innocuous cookie.

Cookies were also found in classic UNIX, in /usr/games/fortune:

If everything's coming your way, you're in the wrong lane.

Stuff like that. Witty one-liners.

Today, cookie has a bad ring about it. Almost everyone has heard of them, but what are they exactly?

Cookies are small identifiers used by your web client and a remote server. When dealing with webmail accounts, they become essential. For almost all other activities, however, they become insidious.

Here is a typical cookie:

slashdot.org FALSE / FALSE 7704976778 user %4737%4730%4733%4736%4737

How the cookie works is server-dependent to an extent. Cookies might be specific only to the domain your web client is currently connected to or they might not. The easiest way to see what is going on is to set Netscape to warn you of all cookies before interacting with them. Netscape will tell you exactly where the cookies are coming from and where they are going. It's really amazing you ever get to download any HTML at all with all this activity going on.

The above Slash Dot cookie is used to identify a registered user. It correlates user identification with preference settings so that each time you visit the Slash Dot site you get your page layout the way you want it. As such, the Slash Dot cookie is a 'good' cookie.

But it could be used incorrectly as well. Most of the 'nasty' cookies are sent by banner advertisers. When your web client tries to display the image for the ad banner at the top of a web page, it is sent to a new URL for this image. The code logic at this new URL then places a cookie on your machine. Starting now you can be 'tracked'.

Not all cookies are hidden behind ad banners, however. Recently it was discovered that websites hide their tracking logic in the small 1x1 pixel 'spacer GIFs' used to align columns in HTML tables - what the media quickly dubbed 'web bugs' - and even more recently radsoft.net uncovered tracking logic in unused background images - 'web scuds'.

There are two possible attitudes to exercise when it comes to cookies in the short run: either ignore them and clean your cookie cache after each session, or make sure they're turned off and your web client will refuse to deal in them.

Cleaning a cookie cache with Netscape is easier than one might imagine: All you have to do is make your cookies.txt read-only. If ever you happen upon a 'benign' site with a cookie you really want in your cache, exit Netscape, take the read-only attribute off your cookie cache, fire up Netscape again, visit the same site (and that site only), get the cookie, exit Netscape, and mark your cookie cache once again read-only. It's a lot easier than it sounds.

Keeping a cookie cache clean with Internet Explorer is more difficult, because Microsoft doesn't want you to really understand what is going on or be able to take full control of it. The great advantage with Netscape is that your cookie cache is a plain text file which you can read at any time; the great disadvantage with Internet Explorer is that Microsoft has again obfuscated the most straightforward data for no reason at all, unless that reason be to keep you out of the know. A radical approach would otherwise be to completely obliterate your Cookies sub-directory after every session. There are ISV programs out there that claim they can clean this cookie cache and even read it for you, but this series won't go into any product reviews.

Suffice it to say that cookies can identify you. Once a remote server has placed a cookie on your machine, it - or anyone in contact with it - can identify you. They might not yet know who you are, but they know it's the same person. That's uncomfortable enough - but when they can actually get at your personal private identity - your name, social security number, etc. and correlate all this information to you - that's when it becomes really scary.

Next: GUIDs