A cookie is a piece of text information that can be stored in the browser on the user’s computer about a website visited. A cookie is generated by the web server and sent to the browser via the Hypertext Transfer Protocol (HTTP). The browser stores the cookie and, as long as it is not deleted, transmits it back to the web server each time a page is accessed. A cookie can also be generated and read by the website via JavaScript.
Cookies are used to enable stateful web applications, for example to keep a user logged in together with their user-specific settings for a website, or to keep a shopping cart at an online retailer. This is implemented by storing a session identifier in the cookie, which allows the website to assign the user to a session kept on the server. Another purpose is tracking users for advertising purposes by means of specially prepared pages. Using cookies to analyze user behavior or for advertising purposes requires the user’s consent.
In data protection, the term cookie is also used as a synonym for data extraction, data storage, data use, data utilization, data transfer and data misuse, regardless of whether an HTTP cookie is actually used for this purpose or other techniques are used.
---
A cookie consists of a name and a value. When a cookie is set, one or more attributes can or must also be specified. One of these attributes is intended to prevent access to the cookie from JavaScript: cookies carrying it cannot be read by scripts, which offers some protection against cross-site scripting, as long as the browser in use supports the attribute. According to RFC 6265, a browser should support the following minimum sizes:
- A cookie should be able to contain at least 4096 bytes.
- It should be possible to store at least 50 cookies per domain.
- A total of at least 3000 cookies should be able to be stored.
The minimum sizes must be guaranteed by all participating browsers and servers. However, the specification does allow for larger cookies or a larger number of cookies.
How it Works
There are two ways in which a website can transmit, assign and evaluate cookies:
- Transmission in the headers of HTTP requests and responses. A cookie is created in the client when the web server’s response to a request contains a cookie line in addition to the other HTTP headers.
- In addition, a cookie can be generated locally by JavaScript or another scripting language; the script is part of the web page delivered by the server.
Such a script can read, use and modify the local cookies of the same domain, i.e. not those of other websites. For example, JavaScript can use them to record information about local user activity during the session without further contact with the server. On the next contact with the website, these cookies are transmitted there in the HTTP headers as well.
Cookie information is stored locally in the browser, usually in a cookie database. On each subsequent access to the web server, the browser looks up all cookies of that domain which match the web server and the directory path of the current request. This cookie data is transmitted in the header of the HTTP request, so cookies are only ever returned to the web server from which they originated.
A cookie can contain any text, so in addition to pure identification it can store arbitrary settings locally, but its length should not exceed 4 kilobytes in order to remain compatible with all browsers. Cookies are transmitted with every requested file, including image files or any other type of file; this applies in particular to embedded elements such as advertising banners that are served by servers other than the origin of the displayed HTML file. As a result, a single web page can lead to multiple cookies that come from different servers and are sent back to each of them.
Cookies are managed exclusively by the client. The client therefore decides whether, for example, a cookie is stored at all or is deleted after the lifetime requested by the web server. Corresponding information can, however, also be stored on the server, for example to compile statistics on the number of visits to a website.
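Added example (not code from the original article): a minimal cookie jar in Python that applies the rules described above. It rejects a cookie whose Domain attribute does not cover the host that set it, returns only the cookies matching the request’s host and path, hides cookies carrying the HttpOnly attribute (the RFC 6265 attribute that keeps a cookie away from scripts) from script access, and enforces the RFC 6265 minimum sizes from the section on cookie structure. Host names, cookie names and values are constructed.

```python
from urllib.parse import urlsplit
# Constructed cookie jar (added example, not from the article). Limits are the
# RFC 6265 minimums the article cites: 4096 bytes per cookie, 50 cookies per domain.
MAX_COOKIE_BYTES = 4096
MAX_PER_DOMAIN = 50

class CookieJar:
    def __init__(self):
        self.cookies = {}  # (domain, path, name) -> {"value", "httponly", "host_only"}

    def set_cookie(self, origin_host, header_value):
        """Store one Set-Cookie header value received from origin_host; False if rejected."""
        parts = [p.strip() for p in header_value.split(";")]
        name, _, value = parts[0].partition("=")
        if not name or len(parts[0].encode()) > MAX_COOKIE_BYTES:
            return False
        attrs = {}
        for attr in parts[1:]:
            k, _, v = attr.partition("=")
            attrs[k.strip().lower()] = v.strip()
        domain = attrs.get("domain", origin_host).lstrip(".").lower()
        if not (origin_host == domain or origin_host.endswith("." + domain)):
            return False  # a server may only set cookies for itself or a parent domain
        key = (domain, attrs.get("path", "/"), name)
        per_domain = sum(1 for d, _, _ in self.cookies if d == domain)
        if key not in self.cookies and per_domain >= MAX_PER_DOMAIN:
            return False  # browser storage for this domain is full
        self.cookies[key] = {"value": value, "httponly": "httponly" in attrs,
                             "host_only": "domain" not in attrs}
        return True

    def _matching(self, url):
        u = urlsplit(url)
        host, req_path = u.hostname or "", u.path or "/"
        for (domain, path, name), c in self.cookies.items():
            host_ok = host == domain if c["host_only"] else (
                host == domain or host.endswith("." + domain))
            path_ok = req_path == path or req_path.startswith(path.rstrip("/") + "/")
            if host_ok and path_ok:
                yield name, c

    def cookie_header(self, url):
        """Value of the Cookie request header the browser would send to url."""
        return "; ".join(f"{n}={c['value']}" for n, c in self._matching(url))

    def script_visible(self, url):
        """Cookie names a script on this page could read: everything without HttpOnly."""
        return [n for n, c in self._matching(url) if not c["httponly"]]
```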

Application
HTTP is a stateless protocol, so from the web server’s point of view individual page views are independent of each other. A web application whose interaction with the user spans several page views must therefore resort to workarounds to recognize the same participant across multiple requests. For this purpose, the server can store a unique session identifier in a cookie in order to recognize exactly this client on subsequent requests. For security reasons, electronic banking tends to use a one-time token per page view.
Online stores may use cookies to collect goods in virtual shopping carts. The customer can add items to the shopping cart and continue browsing the website, then buy the collected items together. The cookie stores only the identifier of the user’s shopping cart or session; the article identifiers are assigned to that shopping cart or session on the web server. This information is evaluated on the server side only when the order is placed.
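Added example (not from the article): how a session identifier cookie and a server-side shopping cart fit together, written in Python. The cookie name, the article identifiers and the in-memory dictionary standing in for the server’s session storage are all constructed for the example.

```python
import secrets

# Constructed example (not from the article): a server-side session store. The cookie
# carries only an unguessable session identifier; the shopping cart itself lives on
# the server, so a client cannot change prices or contents by editing the cookie.
SESSION_COOKIE = "sid"  # cookie name is an assumption

class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {"cart": {article id: quantity}}

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"cart": {}}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

def parse_cookie_header(header):
    """Split 'a=1; b=2' from a Cookie request header into a dict."""
    cookies = {}
    for pair in header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies

def handle_request(store, cookie_header, action=None, article=None):
    """One page view. Returns (session id, session data, Set-Cookie value or None)."""
    sid = parse_cookie_header(cookie_header).get(SESSION_COOKIE)
    session = store.get(sid) if sid else None
    set_cookie = None
    if session is None:
        # Unknown or missing id: never trust it, issue a fresh server-side session.
        sid = store.new_session()
        session = store.get(sid)
        # HttpOnly keeps the id away from scripts, Secure keeps it off plaintext HTTP.
        set_cookie = f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure"
    if action == "add" and article:
        session["cart"][article] = session["cart"].get(article, 0) + 1
    return sid, session, set_cookie
```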
To ensure that user actions and inputs intended for the server are not lost if the connection to the server drops (e.g. in mobile networks), web applications can use cookies for caching. When the connection is restored, the server queries them. The web application recognizes the order in which the cookies were generated and marks cookies that have already been processed, or deletes their content. Because this use can generate a large number of cookies, which are deleted at the earliest when the browser is closed, while the browser’s storage space for cookies is limited, the web application must take precautions against cookie overflow.