Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items added to the shopping cart in an online store) or to record the user's browsing activity (including clicking particular buttons, logging in, or which pages were visited in the past). They can also be used to remember arbitrary pieces of information that the user previously entered into form fields, such as names, addresses, passwords, and credit card numbers.
Other kinds of cookies perform essential functions in the modern web. Perhaps most importantly, Authentication cookies are the most common method used by web servers to know whether the user is logged in or not, and which account they are logged in with.
Without such an authentication method, the site would not know whether to send a page containing sensitive information or to require the user to authenticate by logging in.
The security of an Authentication cookie generally depends on the security of the issuing website and of the user's web browser, and on whether the cookie data is encrypted. Security vulnerabilities may allow a cookie's data to be read by an attacker, used to gain access to user data, or used to gain access (with the user's credentials) to the website to which the cookie belongs (see cross-site scripting and cross-site request forgery for examples).
Tracking Cookies, and especially third-party tracking cookies, are commonly used as ways to compile long-term records of individuals' browsing histories, a potential privacy concern that prompted European and U.S. lawmakers to take action in 2011. European law requires that all websites targeting European Union member states gain "Informed Consent" from users before storing non-essential cookies on their devices.
Besides privacy concerns, cookies also have some technical drawbacks. In particular:
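As an added example (not code from the original page), the following shows one way a server can issue an Authentication cookie whose value is integrity-protected with an HMAC signature (rather than encrypted), together with the Set-Cookie attributes that limit what the cross-site scripting and cross-site request forgery cases above can do with it. The cookie name, lifetime, key and function names are assumptions.

```python
# Added example (not the page's own code): an authentication cookie whose value
# is HMAC-protected, plus Set-Cookie attributes that limit XSS and CSRF abuse.
# `now` is the current Unix time, e.g. int(time.time()); passed in for testing.
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

COOKIE_NAME = "session"   # assumed cookie name
TTL_SECONDS = 3600        # assumed lifetime of a login, in seconds

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload: bytes, key: bytes) -> str:
    return _b64(hmac.new(key, payload, hashlib.sha256).digest())

def make_cookie_value(user: str, key: bytes, now: int) -> str:
    """Encode {user, exp} and append an HMAC so the client cannot alter it."""
    payload = json.dumps({"user": user, "exp": now + TTL_SECONDS},
                         separators=(",", ":")).encode()
    return f"{_b64(payload)}.{_sign(payload, key)}"

def set_cookie_header(user: str, key: bytes, now: int) -> str:
    """HttpOnly keeps page scripts (XSS) from reading the cookie, Secure keeps
    it off plaintext HTTP, SameSite=Lax stops most cross-site (CSRF) requests."""
    value = make_cookie_value(user, key, now)
    return (f"Set-Cookie: {COOKIE_NAME}={value}; Path=/; "
            f"Max-Age={TTL_SECONDS}; Secure; HttpOnly; SameSite=Lax")

def verify_cookie_value(value: str, key: bytes, now: int) -> Optional[str]:
    """Return the logged-in user, or None if the cookie is forged, altered or
    expired. The signature comparison is constant-time."""
    try:
        body, sig = value.split(".", 1)
        payload = _unb64(body)
        ok = hmac.compare_digest(_sign(payload, key), sig)
    except (ValueError, TypeError, binascii.Error):
        return None
    if not ok:
        return None
    data = json.loads(payload)
    if data.get("exp", 0) <= now:
        return None
    return data.get("user")
```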
- Cookies do not always accurately identify users
- Cookies can be abused in security attacks
- Cookies are often at odds with the Representational State Transfer (REST) software architectural style.
Inaccurate Identification
If more than one browser is used on a computer, each usually has a separate storage area for cookies. Hence a cookie does not identify a person, but a combination of a user account, a computer, and a web browser. Thus, anyone who uses multiple accounts, computers, or browsers has multiple sets of cookies.
Likewise, cookies do not differentiate between multiple users who share the same user account, computer, and browser.
If the user acquires a cookie and then clicks the "Back" button of the browser, the state of the browser is generally not the same as before that acquisition.
As an example, if the shopping cart of an online shop is built using cookies, the content of the cart may not change when the user goes back in the browser's history: if the user presses a button to add an item in the shopping cart and then clicks on the "Back" button, the item remains in the shopping cart. This might not be the intention of the user, who possibly wanted to undo the addition of the item. This can lead to unreliability, confusion, and bugs. Web developers should therefore be aware of this issue and implement measures to handle such situations.
More Information
There might be more information for this subject on one of the following:
- Access Proxy
- Anonymous Identity
- Authentication cookie
- Authorization Header
- Chrome Custom Tabs
- Cross-site request forgery
- Delegation vs Impersonation
- Identity Correlation
- JWT Authentication
- OAuth 2.0 Bearer Token Usage
- OAuth state parameter
- OpenID Connect Back-Channel Logout
- OpenID Connect Front-Channel Logout
- Password Anti-Pattern
- Remember Me
- SAML V2.0
- Same Origin Policy
- Same-site Cookies
- Security Token
- Shared Secret
- Token Binding Protocol
- Token Binding over HTTP
- Tracking Cookie
- Web Blog_blogentry_180317_1