The Cookie Concept: CSE 597B, Computational Issues in Ecommerce. Sandip Debnath, Dr. C. Lee Giles, Dr. David Pennock, Dr. Ingemar Cox, Dr. Hongyuan Zha
The Outline (The Cookie Concept) • The cookie concept • The dark side • New technology or existing technology under attack • Cookies and Viruses • What went wrong • Discussion
The Cookie Concept • A piece of information generated by the web server and stored on the client side, ready to be sent back on future requests. Part of my Netscape directory's cookies.txt file (one cookie per line; the columns are: domain, whether all hosts in that domain may read the cookie, path, secure-only flag, expiry as a Unix timestamp, name, value):
    ad1.adcept.net           FALSE  /cgi-bin  FALSE  1311304079  adcept_identifier  zznkf.Gex.Sbfzh.Kumx.Dg959RBM
    .netscape.com            TRUE   /         FALSE  1293840000  UIDC               130.203.30.36:0979150309:904770
    .yahoo.com               TRUE   /         FALSE  1271361600  B                  215d03gt5rqp8&b=2
    .passport.com            TRUE   /         FALSE  2145744001  MSPDom             2
    .hotmail.msn.com         TRUE   /         FALSE  2145744000  HMP1               1
    br2.americanexpress.com  FALSE  /         FALSE  1137000056  SaneID             130.203.30.38--8842383120439
    msn.co.uk                FALSE  /         FALSE  1065265217  MC1                V=2&GUID=f6ab57ca5eb8447d982eb3e5b09cfbd5
    .msn.com                 TRUE   /         FALSE  1065294017  MC1                V=2&GUID=F6AB57CA5EB8447D982EB3E5B09CFBD5
    .doubleclick.net         TRUE   /         FALSE  1920499194  id                 80000005566efd0
The Cookie Concept (contd.) • Cookies are carried in HTTP headers, not in the HTML itself: the server sends a Set-Cookie header in its response and the browser returns a Cookie header on later requests • Useful for user-side customization of the Web information • Usually transparent to the user • Procedure: • Storing the cookie: the web server creates the cookie and sends it to the client machine. If the client machine is cookie-aware, it saves the cookie in the appropriate file • Loading the cookie: on a later request, the previously stored cookie is transferred from the client machine back to the server machine, provided the request's host, path and protocol match the cookie's domain, path and secure attributes
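The store/load procedure above, written out as an added example in Node.js (this is not code from the slides): a minimal cookie jar that parses Set-Cookie headers and builds the Cookie header for a later request, applying the domain, path, Secure and expiry rules a browser applies before sending a cookie back. It omits public-suffix checks (e.g. refusing Domain=.com); all host names, cookie names and values are constructed for illustration.

```javascript
// Added example (not from the slides): a minimal cookie jar that carries out
// the store/load procedure with HTTP headers. Public-suffix checks are omitted.
// All host names and cookie values below are constructed for illustration.

function domainMatches(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Parse one Set-Cookie header received from requestHost. Returns null when
// the cookie must be rejected (no name, or a Domain the server may not set).
function parseSetCookie(header, requestHost, now) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  if (eq <= 0) return null;
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    domain: requestHost.toLowerCase(),
    hostOnly: true,          // no Domain attribute: only the exact host gets it
    path: "/",
    secure: false,
    expires: null,           // null: session cookie
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "domain") {
      const d = val.replace(/^\./, "").toLowerCase();
      // A server may set cookies only for its own host or a parent domain of it
      if (d === "" || !domainMatches(requestHost, d)) return null;
      cookie.domain = d;
      cookie.hostOnly = false;
    } else if (key === "path" && val.startsWith("/")) {
      cookie.path = val;
    } else if (key === "secure") {
      cookie.secure = true;
    } else if (key === "expires") {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) cookie.expires = t;
    } else if (key === "max-age") {
      const n = parseInt(val, 10);
      if (!Number.isNaN(n)) cookie.expires = now + n * 1000;
    }
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = []; }

  // "Storing the cookie": called with each Set-Cookie header in a response.
  store(setCookieHeader, requestHost, now) {
    const c = parseSetCookie(setCookieHeader, requestHost, now);
    if (c === null) return false;
    // A cookie with the same name, domain and path replaces the old one
    this.cookies = this.cookies.filter(
      (o) => !(o.name === c.name && o.domain === c.domain && o.path === c.path));
    this.cookies.push(c);
    return true;
  }

  // "Loading the cookie": build the Cookie header for a request, or null.
  cookieHeader(url, now) {
    const u = new URL(url);
    const pairs = this.cookies
      .filter((c) => c.expires === null || c.expires > now)
      .filter((c) => (c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain)))
      .filter((c) => pathMatches(u.pathname, c.path))
      .filter((c) => !c.secure || u.protocol === "https:")
      .map((c) => c.name + "=" + c.value);
    return pairs.length > 0 ? pairs.join("; ") : null;
  }
}

// Stand-alone demonstration with constructed headers
const demoJar = new CookieJar();
const demoNow = Date.UTC(2024, 0, 1);
demoJar.store("sid=abc123; Domain=.example.com; Path=/", "www.example.com", demoNow);
demoJar.store("tok=s3cr3t; Path=/account; Secure", "www.example.com", demoNow);
console.log(demoJar.cookieHeader("https://www.example.com/account/settings", demoNow));
console.log(demoJar.cookieHeader("http://shop.example.com/cart", demoNow));
```

The Secure cookie is sent only over https and the host-only cookies never reach shop.example.com; a Domain attribute that does not cover the setting host is rejected outright, which is the check that stops one site from planting cookies for another.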
The Cookie Concept (contd.) • JavaScript: • function setCookie(name, value, expires, path, domain, secure) • function getCookie(name) • function deleteCookie(name, path, domain)
The Cookie Concept (contd.) • JavaScript:
    // expires is a Date; path, domain and secure are optional attributes
    function setCookie(name, value, expires, path, domain, secure) {
      document.cookie = name + "=" + encodeURIComponent(value)   // replaces the deprecated escape()
        + (expires ? "; expires=" + expires.toUTCString() : "")
        + (path ? "; path=" + path : "")
        + (domain ? "; domain=" + domain : "")
        + (secure ? "; secure" : "");
    }
The Cookie Concept (contd.) • JavaScript:
    function getCookie(name) {
      // Prefix "; " so that "name=" is only found at a cookie boundary
      // (a bare indexOf(name + "=") would also match e.g. "myname=")
      var haystack = "; " + document.cookie;
      var start = haystack.indexOf("; " + name + "=");
      if (start === -1) return null;
      start += name.length + 3;                 // skip "; name="
      var end = haystack.indexOf(";", start);
      if (end === -1) end = haystack.length;
      return decodeURIComponent(haystack.substring(start, end));
    }
The Cookie Concept (contd.) • JavaScript:
    // Overwrite with an empty value and an expiry in the past; path and
    // domain must match the original cookie or the browser keeps it
    function deleteCookie(name, path, domain) {
      document.cookie = name + "="
        + "; expires=Thu, 01 Jan 1970 00:00:01 GMT"
        + (path ? "; path=" + path : "")
        + (domain ? "; domain=" + domain : "");
    }
The Cookie Concept (contd.) • CGI (Perl):
    use CGI qw(:standard);
    use CGI::Cookie;

    # Create new cookies and send them in the response header
    my $cookie1 = CGI::Cookie->new(-name => 'ID', -value => 123456);
    my $cookie2 = CGI::Cookie->new(-name  => 'preferences',
                                   -value => { font => 'Helvetica', size => 12 });
    print header(-cookie => [$cookie1, $cookie2]);

    # Fetch the cookies the browser sent with this request;
    # check for presence, since a missing cookie yields undef
    my %cookies = CGI::Cookie->fetch;
    my $id = $cookies{'ID'} ? $cookies{'ID'}->value : undef;
The Cookie Concept (contd.) • Java (the Servlet API class javax.servlet.http.Cookie): public Cookie(String name, String value) defines a cookie with an initial name/value pair. Names must not contain whitespace, commas or semicolons and should contain only ASCII alphanumeric characters. Names starting with a "$" character are reserved by RFC 2109. Parameters: name, the name of the cookie; value, the value of the cookie
The Cookie Concept (contd.) • Java: • clone(): returns a copy of this object • getComment(): returns the comment describing the purpose of this cookie, or null if no such comment has been defined • getDomain(): returns the domain of this cookie • getMaxAge(): returns the maximum specified age of the cookie, in seconds • getName(): returns the name of the cookie • getPath(): returns the prefix of all URLs for which this cookie is targeted
The Cookie Concept (contd.) • Java: • getSecure(): returns the value of the 'secure' flag • getValue(): returns the value of the cookie • getVersion(): returns the version of the cookie protocol • setComment(String): if a user agent (web browser) presents this cookie to a user, the cookie's purpose will be described using this comment • setDomain(String): this cookie should be presented only to hosts satisfying this domain name pattern
The Cookie Concept (contd.) • Java: • setMaxAge(int): sets the maximum age of the cookie in seconds; 0 tells the browser to delete it, and a negative value (the default) makes it a session cookie that is discarded when the browser exits • setPath(String): this cookie should be presented only with requests beginning with this URL • setSecure(boolean): indicates to the user agent that the cookie should only be sent using a secure protocol (https) • setValue(String): sets the value of the cookie • setVersion(int): sets the version of the cookie protocol used when this cookie saves itself (0 for the original Netscape format, 1 for RFC 2109)
The Dark Side • The entire transaction (storing and loading) is completely transparent to the user: nothing tells the user that a cookie was set or sent • Invasive to the user's privacy: a cookie lets a site recognise the same browser on every visit, and an advertising network embedded on many sites can recognise it across all of them • Not a strong mechanism by itself: the cookie file is under the user's control, so cookies can be deleted, edited or refused by anyone who does not want them, and a server cannot rely on a cookie being present or unmodified
New technology or existing technology under attack • A new proposal to the IETF; Microsoft and Netscape were asked to enforce a limit on persistent cookies and to give users an option to select which cookies to accept • Warn before accepting any cookie • DoubleClick, Focalink, GlobalTrack and ADSmart, whose advertising businesses depend on cookies, would be jeopardized if cookies were stopped
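The privacy problem of the previous slide and the "let the user choose which cookies to accept" option on this one, as an added example in Node.js (not code from the slides): a simulated ad network sets a third-party "id" cookie when a page on one site embeds its ad, and the same cookie comes back from every other site that embeds the same network, so the network can build a per-browser profile of pages visited. Flipping the browser's policy to refuse cookies from any host other than the page being visited breaks the linkage. The hosts (ads.tracker.example, news.example, etc.), pages and cookie name are all constructed; the third-party test is a plain host comparison, which is a simplification.

```javascript
// Added example (not from the slides): how a third-party cookie set by an
// advertising network links visits to unrelated sites, and what changes when
// the browser refuses cookies from any host other than the page being
// visited. The hosts, pages and the "id" cookie are all constructed.

// The ad network's server: hands out an id on first contact, then records
// which page (Referer) each id turned up on.
class AdServer {
  constructor() { this.nextId = 1; this.profiles = new Map(); }

  serve(cookieHeader, referer) {
    const m = cookieHeader ? /(?:^|; )id=([^;]+)/.exec(cookieHeader) : null;
    let id = m ? m[1] : null;
    let setCookie = null;
    if (id === null) {                     // never seen: issue a new id
      id = "u" + this.nextId++;
      setCookie = "id=" + id + "; Path=/";
    }
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    this.profiles.get(id).push(referer);
    return { id, setCookie };
  }
}

// A deliberately small browser model: host-only cookies, no path/expiry
// handling, plus one policy switch for third-party cookies.
class Browser {
  constructor(acceptThirdParty) {
    this.acceptThirdParty = acceptThirdParty;
    this.jar = new Map();                  // host -> { name: value }
  }

  cookieHeaderFor(host) {
    const c = this.jar.get(host);
    if (!c) return null;
    return Object.entries(c).map(([k, v]) => k + "=" + v).join("; ");
  }

  // Load a publisher page that embeds an ad fetched from adHost.
  visit(pageHost, pagePath, adHost, adServer) {
    const referer = "http://" + pageHost + pagePath;
    const res = adServer.serve(this.cookieHeaderFor(adHost), referer);
    if (res.setCookie !== null) {
      // Simplified third-party test: the ad host differs from the page host
      const thirdParty = adHost !== pageHost;
      if (thirdParty && !this.acceptThirdParty) return res.id;   // refused
      const [name, value] = res.setCookie.split(";")[0].split("=");
      if (!this.jar.has(adHost)) this.jar.set(adHost, {});
      this.jar.get(adHost)[name] = value;
    }
    return res.id;
  }
}

// Three visits to different publishers, all carrying the same ad network.
// Returns the profiles the ad server ends up with: { id: [referer, ...] }.
function runScenario(acceptThirdParty) {
  const ads = new AdServer();
  const browser = new Browser(acceptThirdParty);
  const AD_HOST = "ads.tracker.example";   // hypothetical ad network host
  browser.visit("news.example", "/politics", AD_HOST, ads);
  browser.visit("shop.example", "/shoes", AD_HOST, ads);
  browser.visit("health.example", "/symptoms", AD_HOST, ads);
  return Object.fromEntries(ads.profiles);
}

console.log("third-party cookies accepted:", runScenario(true));
console.log("third-party cookies refused: ", runScenario(false));
```

With third-party cookies accepted, one id (u1) accumulates all three pages; with them refused, the ad server still sees three requests but each gets a fresh id with a single page attached, so nothing links them.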
Cookies and Viruses • A cookie cannot carry a virus on its own: it is stored as plain text in a normal file • Cookie files are only readable and writable, not executable, and the browser never runs their contents • A cookie holds at most 4 KB, while the command that wipes a hard disk fits in well under 20 bytes: • in Unix: $ /bin/rm -rf / • in DOS/Windows: C:\> rd /S /Q C:\* • So a cookie could in theory hold a harmful command, but nothing on the client executes it; the only way such a value becomes dangerous is if a server-side script passes it unchecked to a shell or interpreter. No such attack has been seen yet
What went wrong • Introduced for a good reason: helping users get back to their favourite web sites easily from the second visit onwards • Sometimes used by unscrupulous entities for other reasons: some marketing firms used cookies to collect private information about users for advertising campaigns
Discussion • ???