How does a cookie violate privacy?

Brian O'Byrne

To understand the problem, you have to understand where cookies are stored, and for how long.

Cookies come in two basic flavors, short-lived session cookies and long-lived stored cookies. Session cookies are cookies which are marked to be deleted as soon as the current browser session ends. These should never be written to disk, and are suitable for storing information about a current session on a particular website, including the user's identity and their access rights on the site. They should never be seen by any other process on the user's machine, or by any other website.
Unfortunately, browser implementations being what they are, session cookies can be written to the disk, and are sometimes sent to servers which should not see them. This means that other people can get access to a valid session cookie and impersonate you on that site. On jGuru, that would mean they would be able to change your bio, news postings, etc. On other sites they might be able to see your bank balance, read your email, ... you get the idea.

For stored cookies, the problem is that anyone could read the cookies files off your disk and know what sites you visited and when, and possibly what you did there.

This doesn't mean "Don't use cookies". Just be aware of the potential problems, and don't use cookies for anything that might make your readers mad if holes were exploited.
0 Comments  (click to add your comment)
Comment and Contribute






(Maximum characters: 1200). You have 1200 characters left.



About | Sitemap | Contact