In data-protection discussions, the term cookie is also used loosely for data collection, storage, use, transfer and misuse in general, regardless of whether an HTTP cookie or some other technique is actually used for the purpose.
- A cookie should be able to contain at least 4096 bytes.
- It should be possible to store at least 50 cookies per domain.
- A total of at least 3000 cookies should be able to be stored.
Conforming browsers are expected to provide at least these minimums (RFC 6265, section 6.1); the specification does not forbid larger cookies or a larger number of cookies, and a server cannot rely on anything beyond the minimums being stored.
How it Works
There are two ways in which a website can set, transmit and read cookies:
- Transmission in HTTP request and response headers. A cookie is created in the client when the server's response to a request carries a Set-Cookie header in addition to the other HTTP headers.
- Creation and reading by client-side script, i.e. JavaScript running in the page via the document.cookie property (unless the cookie was marked HttpOnly).
Cookie information is stored locally by the browser, usually in a cookie database. On each subsequent request to the web server, the browser selects all stored cookies whose domain and path match the host and directory path of the requested URL and sends them in the Cookie request header. A cookie is therefore only ever returned to the server, or the domain, that originally set it.
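To make the matching rule concrete, here is an added example (not code from the original page) of a minimal cookie jar that parses Set-Cookie headers and builds the Cookie request header using the domain-match and path-match rules of RFC 6265. The host names, cookie names and Set-Cookie lines are constructed for the demonstration; Expires, HttpOnly and SameSite are accepted but not evaluated, and IP-address hosts are not treated specially.

```python
"""Minimal RFC 6265-style cookie jar.  Hypothetical example code, not from the
page or any browser; the Set-Cookie headers in demo() are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str              # lower-cased host or Domain attribute without leading dot
    host_only: bool          # True when the server sent no Domain attribute
    path: str
    expires: Optional[float]  # absolute time; None means a session cookie
    secure: bool


def default_path(request_path: str) -> str:
    """RFC 6265 section 5.1.4: the request path up to, not including, the last '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 (IP-address hosts are not special-cased here)."""
    return host == domain or host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def parse_set_cookie(header: str, request_url: str, now: float) -> Optional[StoredCookie]:
    """Turn one Set-Cookie header into a StoredCookie, or None if it must be rejected."""
    parts = [p.strip() for p in header.split(";")]
    if "=" not in parts[0]:
        return None
    name, value = parts[0].split("=", 1)
    url = urlsplit(request_url)
    host = (url.hostname or "").lower()
    cookie = StoredCookie(name.strip(), value.strip(), host, True,
                          default_path(url.path), None, False)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            dom = val.lstrip(".").lower()
            if not domain_matches(host, dom):
                return None          # a server may not set cookies for a foreign domain
            cookie.domain, cookie.host_only = dom, False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "max-age" and val.lstrip("-").isdigit():
            cookie.expires = now + int(val)   # Max-Age <= 0 expires the cookie at once
        elif key == "secure":
            cookie.secure = True
    return cookie


class CookieJar:
    def __init__(self) -> None:
        self.cookies: list[StoredCookie] = []

    def store(self, request_url: str, set_cookie_headers: list[str], now: float) -> None:
        for header in set_cookie_headers:
            c = parse_set_cookie(header, request_url, now)
            if c is None:
                continue
            # A cookie with the same name, domain and path replaces the old one.
            self.cookies = [o for o in self.cookies
                            if (o.name, o.domain, o.path) != (c.name, c.domain, c.path)]
            if c.expires is None or c.expires > now:
                self.cookies.append(c)

    def cookie_header(self, request_url: str, now: float) -> str:
        """Build the Cookie request header for request_url (RFC 6265 section 5.4)."""
        url = urlsplit(request_url)
        host, path = (url.hostname or "").lower(), url.path or "/"
        self.cookies = [c for c in self.cookies if c.expires is None or c.expires > now]
        matching = [c for c in self.cookies
                    if (host == c.domain if c.host_only else domain_matches(host, c.domain))
                    and path_matches(path, c.path)
                    and (not c.secure or url.scheme == "https")]
        matching.sort(key=lambda c: -len(c.path))   # longer paths first, otherwise creation order
        return "; ".join(f"{c.name}={c.value}" for c in matching)


def demo() -> dict:
    """Constructed scenario: one response sets four cookies, later requests get a subset."""
    jar, t = CookieJar(), 1_000_000.0
    jar.store("https://shop.example.com/account/login", [
        "sid=abc123; Path=/; Secure; HttpOnly",
        "pref=dark; Domain=example.com; Path=/; Max-Age=3600",
        "evil=1; Domain=attacker.net",      # rejected: not the responding domain
        "cart=x; Path=/account",
    ], t)
    return {
        "same_host": jar.cookie_header("https://shop.example.com/account/orders", t),
        "other_path": jar.cookie_header("https://shop.example.com/", t),
        "subdomain": jar.cookie_header("https://www.example.com/", t),
        "plain_http": jar.cookie_header("http://shop.example.com/account/", t),
        "expired": jar.cookie_header("https://shop.example.com/", t + 7200),
    }


if __name__ == "__main__":
    for case, header in demo().items():
        print(f"{case:>11}: Cookie: {header}")
```

The `sid` cookie is host-only because the server sent no Domain attribute, so `www.example.com` never receives it; the `pref` cookie with `Domain=example.com` is shared across subdomains; the Secure flag keeps `sid` off the plain-HTTP request; and the attacker.net cookie is discarded because the responding host does not domain-match it.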
A cookie can contain arbitrary text (within the character restrictions on cookie values), so it can store settings locally in addition to a pure identifier, but its length should not exceed 4 kilobytes to remain compatible with all browsers. Cookies are sent with every matching request, not only for HTML pages but also for images and any other embedded resource; this applies in particular to elements such as advertising banners served by a different server than the one that delivered the HTML page. A single web page can therefore cause several cookies from different servers to be set, each of which is returned only to the server that set it.
Cookies are managed exclusively by the client. The client alone decides whether a cookie is stored at all and whether it honors the lifetime the server requested, for example by deleting the cookie earlier. The server can of course also record corresponding information on its side, for example to compile statistics on visits to its pages.
HTTP is a stateless protocol, so from the web server's point of view each page view is independent of the others. A web application whose interaction with the user spans several page views needs a mechanism to recognize the same participant across requests. For this purpose the server can store a unique session identifier in a cookie and use it to recognize exactly this client on subsequent requests. For security reasons, electronic banking tends to use a one-time token per page view.
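The following added example (not code from the original page) shows the server side of this: a session table keyed by an unguessable identifier that is handed out in a Set-Cookie header with HttpOnly, Secure and SameSite set, and the per-request one-time token the text mentions, which is rotated on every successful request so that a replayed token is rejected. The handler, the cookie name `sid`, the timeout and the user name are assumptions made for the demonstration.

```python
"""Cookie-based session identification with a per-request one-time token.
Hypothetical example code; SessionStore and handle_request are not from the
page or any framework, and the requests in demo() are constructed."""
import hmac
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"          # assumed cookie name


class SessionStore:
    """Server-side table: the cookie carries only an opaque identifier."""

    def __init__(self, ttl: float = 900) -> None:
        self.ttl = ttl
        self.sessions: dict[str, dict] = {}

    def create(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)     # 256 bits of entropy: cannot be guessed or enumerated
        self.sessions[sid] = {
            "user": user,
            "expires": now + self.ttl,
            "token": secrets.token_urlsafe(16),   # first one-time token for this session
        }
        return sid

    def lookup(self, sid: str, now: float):
        session = self.sessions.get(sid)
        if session is None or session["expires"] < now:
            self.sessions.pop(sid, None)        # idle timeout: drop the stale session
            return None
        session["expires"] = now + self.ttl     # sliding expiry
        return session


def set_session_cookie(sid: str) -> str:
    """Value of the Set-Cookie header that hands the identifier to the browser."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = sid
    morsel = cookie[SESSION_COOKIE]
    morsel["path"] = "/"
    morsel["httponly"] = True     # not readable by page scripts
    morsel["secure"] = True       # only sent over HTTPS
    morsel["samesite"] = "Lax"    # not sent on cross-site POSTs
    return cookie.output(header="").strip()


def handle_request(store: SessionStore, cookie_header: str,
                   submitted_token: str, now: float):
    """Hypothetical request handler.  Returns (status, next_token)."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(SESSION_COOKIE)
    session = store.lookup(morsel.value, now) if morsel else None
    if session is None:
        return "401 no valid session", None
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(session["token"], submitted_token or ""):
        return "403 stale or missing token", None
    session["token"] = secrets.token_urlsafe(16)   # one-time: the old token is now useless
    return "200 ok", session["token"]


def demo():
    """Constructed sequence: login, normal request, replay, forged id, idle timeout."""
    store, t = SessionStore(ttl=900), 1_700_000_000.0
    sid = store.create("alice", t)
    header = set_session_cookie(sid)
    token1 = store.sessions[sid]["token"]
    first = handle_request(store, f"sid={sid}", token1, t + 1)
    replay = handle_request(store, f"sid={sid}", token1, t + 2)      # same token again
    second = handle_request(store, f"sid={sid}", first[1], t + 3)     # fresh token
    forged = handle_request(store, "sid=" + "A" * 43, first[1], t + 4)
    expired = handle_request(store, f"sid={sid}", second[1], t + 3 + 901)
    return header, first[0], replay[0], second[0], forged[0], expired[0]


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The identifier in the cookie carries no information itself; everything about the user lives in the server-side table, so a stolen or guessed cookie value is the only thing an attacker could use, which is why it is generated with `secrets` and marked HttpOnly and Secure. The token rotation implements the one-time-token pattern from the paragraph above: the server only accepts the token it issued with the previous response.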
So that user actions and inputs intended for the server are not lost when the connection to the server drops (for example in mobile networks), cookies can also be used as a cache in web applications. When the connection is restored, the server reads them back. The web application recognizes the order in which the cookies were generated and marks cookies that have already been processed or clears their content. Because this use can generate a large number of cookies, which are deleted at the earliest when the browser is closed, while the browser's storage space for cookies is limited, the web application must take precautions against cookie overflow.
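As an added illustration of this technique (hypothetical code, not from the original page), the block below keeps unsent inputs in numbered cookies `q0`, `q1`, ... on the client side, and has the server process them in sequence order, ignore anything it has already seen, and clear them with `Max-Age=0`. The overflow precaution is a hard cap below the 50-cookies-per-domain and 4096-bytes-per-cookie minimums from the specification; the cookie prefix, the cap of 40 and the JSON payloads are assumptions for the demonstration.

```python
"""Offline queue of user input kept in numbered cookies, with overflow limits.
Hypothetical example code; OfflineQueue and server_replay are not from the page."""
import base64
import json

MAX_COOKIE_BYTES = 4096        # per-cookie minimum every browser must support
MAX_QUEUE = 40                 # assumed cap: leaves headroom under the 50-per-domain minimum
PREFIX = "q"                   # assumed name prefix: q0, q1, ...


def encode_entry(seq: int, payload: dict) -> str:
    """Serialise one queued input as a cookie-safe name=value pair."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    value = base64.urlsafe_b64encode(raw).decode().rstrip("=")   # no ';', ',' or spaces
    cookie = f"{PREFIX}{seq}={value}"
    if len(cookie) > MAX_COOKIE_BYTES:
        raise ValueError("entry does not fit in one cookie")
    return cookie


def decode_value(value: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)))


class OfflineQueue:
    """Client side: what the browser holds while the server is unreachable."""

    def __init__(self) -> None:
        self.next_seq = 0
        self.pending: dict[int, str] = {}      # seq -> "qN=value"

    def push(self, payload: dict) -> None:
        if len(self.pending) >= MAX_QUEUE:
            raise OverflowError("cookie quota exhausted; refuse rather than silently lose data")
        self.pending[self.next_seq] = encode_entry(self.next_seq, payload)
        self.next_seq += 1

    def cookie_header(self) -> str:
        """Cookie request header sent once the connection is back."""
        return "; ".join(self.pending[s] for s in sorted(self.pending))

    def acknowledge(self, set_cookie_headers: list[str]) -> None:
        """Apply the server's clearing Set-Cookie headers (Max-Age=0)."""
        for header in set_cookie_headers:
            name = header.split("=", 1)[0].strip()
            if name.startswith(PREFIX) and name[len(PREFIX):].isdigit() and "Max-Age=0" in header:
                self.pending.pop(int(name[len(PREFIX):]), None)


def server_replay(cookie_header: str, last_processed: int):
    """Server side: process queued entries in order, skip duplicates, clear them.

    Returns (processed entries, Set-Cookie headers to send, new last_processed)."""
    entries = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.startswith(PREFIX) and name[len(PREFIX):].isdigit():
            entries.append((int(name[len(PREFIX):]), value))
    entries.sort()                                    # generation order, not arrival order
    processed, clear_headers = [], []
    for seq, value in entries:
        if seq > last_processed:                      # already-seen entries are not replayed
            processed.append((seq, decode_value(value)))
            last_processed = seq
        clear_headers.append(f"{PREFIX}{seq}=; Max-Age=0; Path=/")
    return processed, clear_headers, last_processed


def demo():
    """Constructed run: three queued inputs, one replay, one duplicate replay, one overflow."""
    queue = OfflineQueue()
    for i in range(3):
        queue.push({"field": "note", "text": f"entry {i}"})
    header = queue.cookie_header()
    processed, clears, last = server_replay(header, last_processed=-1)
    queue.acknowledge(clears)
    left_after_ack = len(queue.pending)
    again, _, _ = server_replay(header, last)         # same header sent twice: nothing redone
    try:
        for i in range(MAX_QUEUE + 1):
            queue.push({"i": i})
        overflowed = False
    except OverflowError:
        overflowed = True
    return {
        "texts": [p["text"] for _, p in processed],
        "left_after_ack": left_after_ack,
        "reprocessed": len(again),
        "overflowed": overflowed,
    }


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the server sorts by the sequence number embedded in the cookie name rather than trusting the order of the Cookie header, and the client refuses to queue beyond its cap instead of letting the browser evict older cookies, which would silently lose the earliest inputs.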