What is a Cookie?


An HTTP cookie is a packet of information sent by a server to a World Wide Web browser and then sent back by the browser each time it accesses that server. HTTP cookies are used for user authentication, user tracking, and maintaining user-specific information (preferences, electronic shopping cart, etc.).

Cookies have been of concern for Internet privacy, since they can be used for tracking the browsing of a user. As a result, they have been subject to legislation in various countries such as the United States, as well as the European Union. Cookies have also been criticized because the identification of users they provide is not always accurate and because they can be used for network attacks.

On the other hand, cookies have also been subject to a number of misconceptions, mostly based on the mistaken claim that they are programs, while they are in fact simple pieces of data and are therefore unable to perform any operation by themselves. In particular, many Internet users have been reported to incorrectly consider cookies a form of spyware or virus that is able to read or erase a user's hard disk (a misconception perhaps complicated by the detection of cookies from certain sites by anti-spyware programs). Most modern browsers allow users to decide whether to accept cookies, but rejection makes several Web sites unusable. For example, users' preferences or shopping baskets implemented using cookies do not work if cookies are rejected. Some alternatives to cookies exist, but have their own drawbacks.

Purpose

Cookies are used to implement functions that are specific to a user. Cookies were introduced to implement a virtual shopping basket in which the user can place items to purchase. This way, a user can navigate a site where items are shown, adding or removing them from the shopping basket at any time.
Another use of cookies is to allow users to log in to a Web site. Users typically log in by entering their credentials into a login page; cookies allow the server to know that the user is already authenticated, and is therefore allowed to access services or perform operations that are restricted to logged-in users.
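The login and shopping-basket uses described above can be sketched as follows. This is an added example, not code from the original page: the names SESSIONS, start_session, browser_cookie_header, current_session, add_to_basket and end_session are hypothetical, and the credential check on the login page is assumed to have already succeeded. The cookie carries only a random identifier; the basket and the user's identity stay on the server.

```python
import secrets
from http.cookies import CookieError, SimpleCookie

# Hypothetical in-memory store: session id -> state kept on the server.
SESSIONS = {}

def start_session(username):
    """Called after the login page has verified the credentials (not shown).
    Returns the value for the server's Set-Cookie response header."""
    sid = secrets.token_urlsafe(32)      # unguessable identifier, pure data
    SESSIONS[sid] = {"user": username, "basket": []}
    jar = SimpleCookie()
    jar["sid"] = sid
    jar["sid"]["path"] = "/"
    jar["sid"]["httponly"] = True        # not readable by page scripts
    jar["sid"]["secure"] = True          # only sent over HTTPS
    jar["sid"]["samesite"] = "Lax"       # limits sending on cross-site requests
    return jar["sid"].OutputString()

def browser_cookie_header(set_cookie_value):
    """What the browser sends back on later requests: name=value only."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return "; ".join(f"{name}={m.value}" for name, m in jar.items())

def _sid(cookie_header):
    """Extract the session id from a Cookie request header, or None."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None
    morsel = jar.get("sid")
    return morsel.value if morsel is not None else None

def current_session(cookie_header):
    """Server side: map the returned cookie to a session, or None."""
    return SESSIONS.get(_sid(cookie_header))

def add_to_basket(cookie_header, item):
    """A restricted operation: only allowed for a recognised session."""
    session = current_session(cookie_header)
    if session is None:
        raise PermissionError("not logged in")
    session["basket"].append(item)
    return session["basket"]

def end_session(cookie_header):
    """Logout: drop the server-side state so the cookie value is worthless."""
    SESSIONS.pop(_sid(cookie_header), None)
```

A cookie value the server never issued maps to no session, so the restricted operation is refused.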

Several Web sites also use cookies for personalization based on users' preferences. Sites that require authentication often use this feature, which is however also present on sites not requiring authentication. Personalization includes presentation and functionality. For example, the Wikipedia Web site allows authenticated users to decide the skin of pages; the Google search engine allows users (even non-registered ones) to decide how many hits per page they want to see.

Cookies are also used to track users across a Web site. Third-party cookies and Web bugs, explained below, also allow for tracking across multiple sites. Tracking within a site is typically done with the aim of producing usage statistics, while tracking across sites is typically used by advertising companies to produce anonymous user profiles, which are then used to target advertising (deciding which advertising image to show) based on the user profile.

Misconceptions

Since their introduction, misconceptions about cookies have circulated on the Internet and in the media. In 2005, Jupiter Research published the results of a survey, according to which a consistent percentage of respondents believed some of the following claims:

  • cookies are like worms and viruses (they can erase data from the user's hard disks)
  • cookies are a form of spyware (they can read personal information stored on the user's computer)
  • cookies generate pop ups
  • cookies are used for spamming
  • cookies are only used for advertising

Cookies are data, not code: they cannot erase or read information from the user's computer. However, cookies allow for detecting the Web pages viewed by a user on a given site or set of sites. This information can be collected in an anonymous profile of the user. While such profiles do not contain personal information (name, address, etc.), they have been the subject of some privacy concerns.

According to the same survey, a large percentage of Internet users are unable to delete cookies.