Cookie Hysteria

Cookie Hysteria is the irrational and erroneous belief that HTTP cookies on the World Wide Web are dangerous.

This is wrong for the following reasons:

  • It is very important to remember that a server can only read cookies that it, itself, has set. A cookie set by vistua.com cannot be read by google.com, for instance. This is because cookies are sent by the browser, not retrieved by the server.
  • Cookies are not computer programs or viruses of any kind. They do not contain executable code and are isolated on the host system. Cookies do not alter the behavior of the browser, only of the server. Cookies are information and therefore non-actors.
  • Cookies are limited in size. Firefox and other major browsers do not allow more than 50 cookies per server to be set and, in practical terms, individual cookies cannot exceed 4 kilobytes. Due to technical limitations of cookies, if a site used 4 kilobyte cookies it would become so sluggish as to be unusable.

Cross Site Tracking

Proviso: It is possible for a site to cause a cookie to be set outside of its own domain by including an image from another domain. In this scenario, called "third party cookies", the server sending the image from the other domain sets and reads its own cookies. The server that sends the page that includes the image cannot actually read the third party cookie, or vice versa.
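The scoping rule from the first bullet and the third party case above can be checked with Python's standard http.cookiejar module acting as the browser's cookie store. This is an added example, not part of the original page; tracker.example, shop.example and the cookie values are constructed, and no network traffic is generated.

```python
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy
from urllib.parse import urlparse
from urllib.request import Request


class FakeResponse:
    """Constructed stand-in for a server response carrying one Set-Cookie header."""
    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def browse(jar, url, page_host, set_cookie=None):
    """Fetch url while rendering a page on page_host; return the Cookie header sent."""
    # A request to a host other than the page's own (an embedded image) is third party.
    embedded = urlparse(url).hostname != page_host
    req = Request(url, origin_req_host=page_host, unverifiable=embedded)
    jar.add_cookie_header(req)          # the browser decides what to send
    sent = req.get_header("Cookie")     # this header is all the server ever sees
    if set_cookie:
        jar.extract_cookies(FakeResponse(set_cookie), req)
    return sent


def scenario(block_third_party=False):
    """Two sites embed the same tracker image; report what each server receives."""
    jar = CookieJar(DefaultCookiePolicy(strict_ns_unverifiable=block_third_party))
    # Constructed traffic: vistua.com sets a cookie and embeds tracker.example's image.
    browse(jar, "https://vistua.com/", "vistua.com", "session=abc123; Path=/")
    browse(jar, "https://tracker.example/pixel.gif", "vistua.com", "uid=42; Path=/")
    return {
        "google.com": browse(jar, "https://google.com/", "google.com"),
        "vistua.com": browse(jar, "https://vistua.com/", "vistua.com"),
        "shop.example": browse(jar, "https://shop.example/", "shop.example"),
        "tracker.example (image on shop.example)":
            browse(jar, "https://tracker.example/pixel.gif", "shop.example"),
    }


if __name__ == "__main__":
    for label, blocked in (("default policy", False), ("third-party blocked", True)):
        print(label)
        for server, cookie in scenario(blocked).items():
            print(f"  {server}: Cookie = {cookie!r}")
```

Under the default policy only tracker.example receives `uid=42`, on both embedding sites; with `strict_ns_unverifiable=True` the third party cookie is never stored, which corresponds to the browser setting for blocking third party cookies.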

However, if these sites are operating in close cooperation, they could share data with each other by another mechanism. In this case, this is little different than if the site had set its own cookie. Typical uses for this are outsourcing arrangements (such as when a site uses a third party service for traffic analytics) and cross-domain authentication networks such as passport.net.

If, however, the network of sites participating is very large, the operator of that network, such as the real-world networks of Google Analytics or Overture, could have statistical information about a large number of websites. This may or may not be a good thing.

In principle, such a network could build up a profile of information about the user based on which sites he or she visits. This, again, may or may not be a good thing. The main purpose for doing this is to serve targeted advertisements. The main threat from this is if the analytics network has a security breach.

It isn't possible to identify the specific user except in the case of actual malfeasance (i.e. you would have to tell a site in the network who you were, and the site would have to tell the network, neither of which actually happens). The analytics network only recognizes you as a number.

Notwithstanding, if you absolutely do not want to allow a tracking service to know that you have visited a website, you may wish to use your browser's privacy mode (known as "Incognito" mode in Chrome and "InPrivate" on MS Internet Explorer) on that site. Your browser's settings allow you to block absolutely all 3rd party cookies, but we recommend that you not enable this because it causes problems with logging into some popular sites.

Are Cookies Ever a Security Threat?

Yes. If your laptop is stolen, your cookies will reveal what sites you use. This may include information such as which bank you use. But then again... so does your browser history, and you don't worry about that, do you?


Text last modified on February 03, 2011, at 04:47 AM
Vistua Hub version 4.1 © MMVI-MMIX Vistua.com. All Rights Reserved. All times UTC. Silk icon-set by Fam Fam Fam

.

About / Contact / Terms / XHTML / CSSSwitch to mobile or touch verion