RU beehive logo ITEC dept promo banner
ITEC 325
2020fall
ibarland

cookies
chapter 9

youtube (15m09s):

Http is stateless. Each http request is independent of all others. The server doesn't view its interactions as a bunch of phone calls; rather each http-request is a post-card. There is no inherent way of knowing, when reading a postcard, what previous postcards it may be referring to.

One solution is that the person sending the postcard (the client) includes a “re-cap”, reminding the recipient (the server) who they are, as well as anything else that they've already agreed upon. That's a cookie!

Of course, the recipient needs be wary of whatever the sender claims was previously agreed-upon. We'll (help) address that issue with sessions, next lecture. In particular, we'll use sessions that are based on cookies.

Summary: Cookies.

Cookie Details

Third party cookies

youtube (12m18s):

Example:
Remember, (hosted) images are often stored on a different server than the page's text/html data. Cookies can be set on any http request, including retrieving images!

This doesn't seem too bad — as written, lotofbanners.com doesn't actually know who you are, just that the same person viewing the current banner has previously seen certain other banners. But this can be leveraged: If they name their banners “qwerty-for-cia.jpeg” and “qwerty-for-mediawiki.jpeg” and so on, then they can now know, out of all this sites they give banners for, which of those sites you've visited (and when).

Note that separately, just knowing a large chunk of browser history can be suprisingly specific, when you include specific-amazon-products-looked-at, which takeout-restaurant-phone-numbers you're looking up, what political-candidate-webpages you're viewing, and what medical-info-pages you look at — from this it is a not-unreasonable-step that one could conceviably narrow down, with decent confidence, somebody's neighborhood, diseases, how they vote, and what their favorite pizza topping is.

BUT, it would require a single company to be hosting banners/ads for lots and lots of different companies, so perhaps this isn't too big a worry? Well, one last thought: huge numbers of websites outsource to google-analytics, to get info about usage. These google-third-party cookies can be combined with the exact google searches you make and your gmail contents, which can give that company a vast trove of highly specific information. It's a good thing they use their power for good only! (… until NSA gives a court-order, or just plain steals the data from wiretaps placed on intercontinental data trunks, or a hacker-or-disgruntled-employee gets access to their database, …).


1 Kinda like emails that include/repeate/quote the entire preceding thread.      
2 Although php's setcookie is given a timestamp, the representation actually in the http packet can be a formatted date string. So there isn't any Y2K38 problem in http.      

logo for creative commons by-attribution license
This page licensed CC-BY 4.0 Ian Barland
Page last generated
Please mail any suggestions
(incl. typos, broken links)
to ibarlandradford.edu
Rendered by Racket.