Tracking cookie is a piece of data that stores information on User's
PC by their browser. A cookie can be used for authentication, storing site preferences, shopping cart contents, the identifier for a server-based session, or anything else that can be accomplished through storing text data. A cookie consists of containing bits of information, which may be encrypted for information privacy and data security purposes. The cookie is sent as an HTTP header by a web server to a web browser and then sent back unchanged by the
browser each time it accesses that server. They are nor Viruses but they can be used as
Spyware to steal information. They are stored in \Documents and Settings\[User name]\Cookies folder.
Use of cookies :
- Cookies may be used to remember the information about the user who has visited a website in order to show relevant content in the future. For example username gets auto filled in future.
- We can personalize a web page by stating the preferences in a webpage which are reframed as cookies, with same preferred encrypted data, by the server and are sent back to us.
- They are used for session management like they may be used to maintain data related to the user during navigation, possibly across multiple visits.
- They are helpful in filling a shopping cart
- They are used for tracking sites to know user's interests.
Risk with Cookies:
Tracking cookies can be used to track sites to know their habits, interests. Tracking within a site is typically used to produce usage statistics, while tracking across sites is typically used by advertising companies to produce anonymous user profiles which are then used to determine what advertisements should be shown to the user. It results in
Adware,
Fake Spyware, Crimeware etc.
Types of Cookies:
Session Cookie:
A session cookie only lasts for the duration of users using the website. A session cookie will expire if a user closes his/her browser, or if a user hasn't visited the server for certain period of time (called session idle timeout), and the server would expire/invalidate the user session..
Persistent Cookie
A persistent cookie will outlast sessions. If a persistent cookie has time set to 1 year, then, within the year, the initial value set in that cookie would be sent back to server every time the user is visiting the server. This could be used to record a vital piece of information on how the user initially came to this website. For this reason, persistent cookie is also called tracking cookie.
Secure Cookie:
A secure cookie is only used when a browser is visiting a server via HTTPS, that will make sure that cookie is always encrypted when transmitting from client to server, and therefore less likely to be exposed to Man-in-the-middle attack.
HttpOnly Cookie:
On a supported browser, a HttpOnly cookie will only be used when transmitting HTTP (or HTTPS) requests, but the cookie value is unavailable to JavaScript. This will effectively thwart Cross-site scripting if the cookies required to perform critical actions are all HttpOnly.