What is a cookie and how does it work?

The HTTP protocol is implemented by two different programs: a client program and a server program. The client and server programs run on different end systems, but they communicate with each other by exchanging HTTP messages.

HTTP does not store any information about its clients, so it is called a stateless protocol. This makes the server's design simpler and has allowed developers to build high-performance web servers that can handle many TCP connections at once. However, it is often crucial for a website to recognize its users, because a website may want to restrict user access or provide content based on the user's preferences.

Cookie technology consists of four components:

  1. A cookie header line in the HTTP response message
  2. A cookie header line in the HTTP request message
  3. A cookie file on the user's end system, managed by the web browser
  4. A back-end database at the website

Consider the following scenario. Let's say that Bob accesses the web using the Brave web browser and visits Amazon.com for the first time. When the request arrives at the Amazon web server, the server generates a unique id and stores it in its back-end database. Amazon's web server then responds to Bob's web browser, including in the HTTP response a Set-cookie header that contains the unique id.

For example, the header line could be: Set-cookie: 1853, where 1853 is the unique id.

When Bob's web browser receives the HTTP response message, it immediately reads the Set-cookie header. The web browser then appends a new line to its cookie file. This line includes the name of the web server and the id from the Set-cookie header. Note that the cookie file already contains entries from other websites Bob has visited in the past. While Bob interacts with the Amazon website, every time he requests a new page the web browser consults the cookie file, extracts the id for this website and appends it to the HTTP request.

Every HTTP request to the server therefore includes the header line: Cookie: 1853.

In this way, Amazon's web server is able to track Bob's activity on Amazon's website. Notice that the server does not know Bob's name; even so, it knows exactly which web pages user 1853 has visited.
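The round trip described above, as an added example that is not part of the original article: a toy server that issues an id in a Set-Cookie header and records page visits in its database, and a toy browser that stores the cookie in a per-host cookie file and sends it back in a Cookie header on every later request. The real header is spelled Set-Cookie and carries a name=value pair, so the article's simplified "1853" becomes id=1853 here; the server draws the id from a secure random source rather than a counter (so ids cannot be guessed) and ignores Cookie values it never issued. The Server and Browser classes are constructed for this example.

```python
import re
import secrets

# Constructed example: the Set-Cookie / Cookie round trip from the text,
# with a server-side database and a browser-side cookie file.

def parse_header_value(headers, name):
    """Return the value of header `name` (case-insensitive), or None."""
    for line in headers:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None

class Server:
    def __init__(self):
        self.db = {}  # back-end database: id -> list of visited pages

    def handle(self, request_headers, page):
        uid = None
        cookie = parse_header_value(request_headers, "Cookie")
        if cookie:
            m = re.fullmatch(r"id=(\w+)", cookie)
            # Only ids the server itself issued are trusted.
            if m and m.group(1) in self.db:
                uid = m.group(1)
        response = ["HTTP/1.1 200 OK"]
        if uid is None:
            uid = secrets.token_hex(8)  # unguessable, unlike a counter
            self.db[uid] = []
            response.append(f"Set-Cookie: id={uid}")
        self.db[uid].append(page)  # the server tracks user `uid`, not Bob by name
        return response

class Browser:
    def __init__(self):
        self.cookie_file = {}  # cookie file: host -> cookie string

    def request(self, server, host, page):
        headers = [f"GET {page} HTTP/1.1", f"Host: {host}"]
        if host in self.cookie_file:
            headers.append(f"Cookie: {self.cookie_file[host]}")
        response = server.handle(headers, page)
        set_cookie = parse_header_value(response, "Set-Cookie")
        if set_cookie:
            self.cookie_file[host] = set_cookie  # remember the id for this host
        return response
```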

Web services like Amazon use cookies to provide a "shopping basket" service: they can maintain a list of all the items a user would like to purchase.

In our case, if Bob comes back to Amazon's website after a week, the web browser will keep adding the Cookie: 1853 header to its request messages. Amazon can also suggest products to Bob based on his previous visits to other Amazon web pages. If Bob registers with the Amazon website by giving his full name, email, address and credit card information, Amazon can store this data in its database and associate it with his id. This is how e-commerce web services provide "one-click payment": when Bob decides to buy something, he does not need to provide his personal information (name, address, etc.) again.

Cookies can be used to identify a user. When a user visits a website for the first time, he provides a unique user id (perhaps his name). On subsequent visits, the web browser uses a Cookie header so the server can identify the user.

Although cookies make e-commerce easier for the user, they can be considered a violation of privacy. As we showed earlier, by combining cookies with personal information such as a name or email address, a website can build a user profile and perhaps sell it to someone else. You can find more information about cookies at Cookie Central.

Department of Electronics and Computer Science, University of Southampton