I want to know all the possible uses of cookies. Are they good or bad? How do they work?

Some best practices I collected so far:

Use Cookie-free Domains for Components


When the browser makes a request for a static image and sends cookies together with the request, the server doesn't have any use for those cookies. So they only create network traffic for no good reason. You should make sure static components are requested with cookie-free requests. Create a subdomain and host all your static components there.

If your domain is www.example.org, you can host your static components on static.example.org. However, if you've already set cookies on the top-level domain example.org as opposed to www.example.org, then all the requests to static.example.org will include those cookies. In this case, you can buy a whole new domain, host your static components there, and keep this domain cookie-free. Yahoo! uses yimg.com, YouTube uses ytimg.com, Amazon uses images-amazon.com and so on.

Another benefit of hosting static components on a cookie-free domain is that some proxies might refuse to cache the components that are requested with cookies. On a related note, if you wonder if you should use example.org or www.example.org for your home page, consider the cookie impact. Omitting www leaves you no choice but to write cookies to *.example.org, so for performance reasons it's best to use the www subdomain and write the cookies to that subdomain.

Implementation Limits

Practical user agent implementations have limits on the number and size of cookies that they can store. In general, user agents' cookie support should have no fixed limits. They should strive to store as many frequently-used cookies as possible. Furthermore, general-use user agents SHOULD provide each of the following minimum capabilities individually, although not necessarily simultaneously:

* at least 300 cookies
* at least 4096 bytes per cookie (as measured by the characters that comprise the cookie non-terminal in the syntax description of the Set-Cookie2 header, and as received in the Set-Cookie2 header)
* at least 20 cookies per unique host or domain name

User agents created for specific purposes or for limited-capacity devices SHOULD provide at least 20 cookies of 4096 bytes, to ensure that the user can interact with a session-based origin server.

The information in a Set-Cookie2 response header MUST be retained in its entirety. If for some reason there is inadequate space to store the cookie, it MUST be discarded, not truncated. Applications should use as few and as small cookies as possible, and they should cope gracefully with the loss of a cookie.
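The domain behaviour the question describes (a cookie set on example.org riding along on every request to static.example.org, while a separately registered domain stays cookie-free) and the "discard, never truncate" limit it quotes, as an added example that is not code from the question or from the pages it quotes. It is a small model of a browser cookie jar using the domain-match rule of RFC 6265 section 5.1.3 (the successor of the RFC 2965 the question cites); the host names are the question's own illustrative ones plus a constructed `exampleimg.test`, and public-suffix checks are left out.

```python
# Added example: a toy cookie jar that decides which stored cookies a browser
# would attach to a request, following the domain-match rule of RFC 6265 5.1.3.
# Host names are illustrative; "exampleimg.test" is a constructed placeholder
# standing in for a separately bought static-content domain.

from dataclasses import dataclass

MAX_COOKIE_BYTES = 4096  # per-cookie minimum capacity quoted in the question


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # Domain attribute (or the setting host), no leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: equal, or request_host ends with '.' + cookie_domain."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


class CookieJar:
    def __init__(self) -> None:
        self._cookies: list[Cookie] = []

    def set_cookie(self, set_cookie_header: str, request_host: str) -> bool:
        """Store one Set-Cookie header value; return False when it is rejected.
        An oversized cookie is discarded whole, never truncated."""
        if len(set_cookie_header.encode()) > MAX_COOKIE_BYTES:
            return False
        parts = [p.strip() for p in set_cookie_header.split(";")]
        name, _, value = parts[0].partition("=")
        domain = request_host.lower()
        host_only = True
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            if key.strip().lower() == "domain" and val:
                domain = val.strip().lstrip(".").lower()
                host_only = False
        # A server may only set cookies for its own host or a parent domain.
        if not domain_matches(request_host, domain):
            return False
        self._cookies = [c for c in self._cookies
                         if not (c.name == name and c.domain == domain)]
        self._cookies.append(Cookie(name, value, domain, host_only))
        return True

    def cookies_for(self, request_host: str) -> list[str]:
        """Names of the cookies the jar would send with a request to request_host."""
        sent = []
        for c in self._cookies:
            if c.host_only:
                if request_host.lower() == c.domain:
                    sent.append(c.name)
            elif domain_matches(request_host, c.domain):
                sent.append(c.name)
        return sent


def demo() -> dict[str, list[str]]:
    """Constructed scenario from the question: a host-only session cookie on
    www.example.org and a preference cookie written to all of example.org."""
    jar = CookieJar()
    jar.set_cookie("sid=abc123; Path=/", "www.example.org")
    jar.set_cookie("prefs=fontsize-large; Domain=example.org", "www.example.org")
    hosts = ("www.example.org", "static.example.org", "exampleimg.test")
    return {host: jar.cookies_for(host) for host in hosts}


if __name__ == "__main__":
    for host, names in demo().items():
        print(f"{host:22} -> {names}")
```

Running it shows `static.example.org` still receiving the `prefs` cookie because it was written to the parent domain, while the separate `exampleimg.test` domain gets nothing, which is exactly why the question's advice is to either scope cookies to `www.` or move static assets to a second domain.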

+1  A: 

For the specification, see RFC2965 - HTTP State Management Mechanism.

The MYYN
A: 

Cookies are used to store small pieces of information in the browser. These cookies can be read and written by the web server, but cookies can also be changed by the user in the browser, which can be a security issue.

Codler
A: 

What are cookies?

Cookies are small chunks of harmless data or information that websites can store on the computers from which they were accessed.

Are they good or bad?

No, cookies are not at all bad; they are harmless. Cookies are just a piece of data. You have a friend's number written in a text file; is that harmful?

How do cookies work?

Cookies written by one website cannot be accessed by another website. The most general use of cookies is to identify returning users on the same website. Whenever you log in to a website, your session details are tracked in the cookies in the browser for that website. If you have told the website to "Remember you next time", then the website can identify you from the cookies written to your browser in the previous or earlier sessions. It is also important to note that cookies are browser-specific and have no life across multiple browsers on the same machine.

Ex: If you log in to your Yahoo account from Firefox and check "Remember me", and then open Internet Explorer or some browser other than Firefox and go to Yahoo, it will not identify you and will force you to log in again. This is by nature, since cookies are stored per website per browser on your computer.

__curious_geek
+2  A: 

Is a knife good or bad? :) Simplified explanation: a web server sends a bit of text to the client. This additionally has an origin (who sent it) and a "life span" (how long it shall persist at the client).

Depending on your settings (browser security), your browser stores this "text file". When you contact the server (site) again later, your browser sends the cookie up to the server.

Easy example: I let you choose the font size on my site (small, medium, large). When you choose your size, I (the server) send you a cookie. Next time you visit, I ask if this cookie is there - if so, I set the font size depending on the cookie content.

There is also security behind cookies - a cookie is only sent to the issuer, for example.

Manfred

ManniAT
+1 a nice try on a (way too) broad question.
mizipzor
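ManniAT's font-size example and Codler's point that the browser's owner can edit a cookie, carried through as an added example that is not code from any of the answers. It is a minimal server-side handler written with the standard library's `http.cookies`: the server issues the preference cookie with a life span, and on later requests treats the returned value as untrusted input, accepting only the three sizes the site actually offers. The cookie name, the size list and the request shape are assumptions for this illustration.

```python
# Added example: server side of a font-size preference stored in a cookie.
# The value a browser sends back is untrusted (the user can edit it), so it is
# checked against an allow-list before it influences the page.

from http.cookies import SimpleCookie
from typing import Optional

ALLOWED_SIZES = ("small", "medium", "large")   # sizes the site offers
DEFAULT_SIZE = "medium"
COOKIE_NAME = "fontsize"                        # assumed cookie name


def font_size_from_cookie(cookie_header: Optional[str]) -> str:
    """Read the preference from the request's Cookie header. Fall back to the
    default when the cookie is missing, malformed, or edited to a value the
    site never issued."""
    if not cookie_header:
        return DEFAULT_SIZE
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except Exception:          # CookieError on input the parser rejects
        return DEFAULT_SIZE
    morsel = jar.get(COOKIE_NAME)
    if morsel is None or morsel.value not in ALLOWED_SIZES:
        return DEFAULT_SIZE
    return morsel.value


def set_font_size_header(size: str, max_age_days: int = 365) -> str:
    """Build the Set-Cookie header value returned after the user picks a size."""
    if size not in ALLOWED_SIZES:
        raise ValueError(f"unsupported font size: {size!r}")
    jar = SimpleCookie()
    jar[COOKIE_NAME] = size
    jar[COOKIE_NAME]["max-age"] = max_age_days * 24 * 3600  # the "life span"
    jar[COOKIE_NAME]["path"] = "/"
    jar[COOKIE_NAME]["samesite"] = "Lax"   # only sent on same-site navigation
    return jar.output(header="").strip()


def handle_request(cookie_header: Optional[str],
                   chosen_size: Optional[str]) -> tuple[dict, str]:
    """One request. chosen_size is the form value when the user just clicked a
    size option (also untrusted); otherwise the stored cookie decides.
    Returns (response headers to add, size to render the page with)."""
    headers: dict = {}
    if chosen_size in ALLOWED_SIZES:
        headers["Set-Cookie"] = set_font_size_header(chosen_size)
        return headers, chosen_size
    return headers, font_size_from_cookie(cookie_header)


if __name__ == "__main__":
    # Constructed request sequence: first visit, user picks "large",
    # then a later visit whose cookie has been hand-edited to "huge".
    print(handle_request(None, None))
    print(handle_request(None, "large"))
    print(handle_request("fontsize=large", None))
    print(handle_request("fontsize=huge", None))
```

The fourth call shows the defensive half: an edited cookie does not error out or reach the template, it simply falls back to the default size, which is the graceful handling of a lost or altered cookie the RFC text in the question asks for.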
A: 

A good explanation is available at: http://en.wikipedia.org/wiki/HTTP_cookie

It is basically a part of the HTTP protocol that stores a small token in your browser to identify you when you go back to the website that stored the token in the first place.

They are used for a wide range of things, from logging into websites to tracking your browsing habits.

leonm