Re: LYNX-DEV Cookies


From: Jim Dennis
Subject: Re: LYNX-DEV Cookies
Date: Mon, 30 Jun 1997 00:34:13 -0700

>    Dear Ladies and Gentlemen,
>    
>    Given the previous discussion about cookies, could someone explain to me
> (or point out a topic in help, URL, etc.) just what ARE cookies?

        Search the Netscape web site.  

        Here's an independent answer courtesy of "The Answer Guy" (Linux
        Gazette's nickname for me):

                In programming terminology -- specifically in 
                discussions of networking protocols (such as 
                HTTP and X Windows) a "cookie" is an arbitrary
                data token issued by a server to a client for 
                purposes of maintaining state or providing 
                identification.

                Specifically "Netscape HTTP Cookies" are an 
                extension to the HTTP protocol (implemented
                by Netscape and proposed to the IETF and the W3
                Consortium for incorporation into the related 
                standards specifications).

                HTTP is a "stateless" protocol.  When your browser
                initiates a connection and requests a document, binary
                or header, the server has no way of distinguishing your
                request from any other request from your host (it doesn't
                know if you're coming from a single-user workstation, or
                a multi-user Unix (or VMS, MVS, MPE, or whatever) host --
                or if the IP address that it sees as the source for this 
                request is some sort of proxy host or gateway (such as 
                those run by CompuServe and AOL)).

                Netscape cookies are an attempt to add and maintain state
                between your browser and one or more servers.  Basically 
                on your initial connection to a "cookie generating" site
                your browser is asked for a relevant cookie -- since this 
                is your initial connection there isn't one -- so the server
                proffers one to your browser (which will accept it unless
                it's not capable of them, or some option has been enabled
                to prevent it or prompt you or something like that).  From
                then on all other parts of that site (and possibly other 
                hosts in that domain) can request your cookie and the site's
                administrators can sort of track your access and progress
                through the site.

                The main advantage to the site is for gathering marketing
                statistics.  They can track which versions of a web page
                lead to increased traffic to linked pages and they can 
                get some idea how many new and repeat visits they're getting.
                (Like most marketing efforts at statistics there are major
                flaws with the model -- but the results are valid enough
                for marketdroids).

                There are several disadvantages -- including significant
                privacy concerns.  There are several tools available
                to limit the retention and use of cookies by your browser
                (even if you're using Netscape Navigator).  PGP Inc
                (the cryptography company) has a link on their site to 
                one called "cookie cutter" (or something like that).

                About the only advantage to some users is that some
                sites *might* use cookies to help you skip parts of the
                site that you've already seen or *might* allow you to 
                avoid filling in forms that you've already filled out.

                Personally I think cookies are a poorly chosen way to 
                do this -- client-side certificates (a feature of 
                SSL v. 3.x) are a much cleaner method (it allows the user
                to get and maintain cryptographically strong "certificates"
                which can be presented to specific servers on demand --
                this exchange of certificates involves cryptographic
                authentication in both directions -- so your browser 
                knows it isn't authenticating to some bogus imposter
                of a server -- and the server knows that your certificate
                isn't forged).

                SSL client certificates allow you to establish accounts
                at a web site and securely interact with that site.  
                Cookies can't do that.  In addition many people have a
                vague notion that "cookies" were "snuck in" under them
                -- so they have a well-deserved "bad press."
    
>    Sincerely,
>    Michael Sokolov

--
Jim Dennis,                                address@hidden
Proprietor,                          address@hidden
Starshine Technical Services              http://www.starshine.org

        PGP  1024/2ABF03B1 Jim Dennis <address@hidden>
        Key fingerprint =  2524E3FEF0922A84  A27BDEDB38EBB95A 
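
The issue-and-return exchange described in the message above, as an added example that is not part of the original post: a toy server hands out an opaque token with `Set-Cookie`, and the browser returns it in a `Cookie` header on later requests to hosts in that domain. The `example.test` hosts, the `visitor` cookie name and both classes are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

class Server:
    """Toy cookie-issuing site (constructed; domain and cookie name are assumptions)."""
    def __init__(self, domain=".example.test"):
        self.domain = domain
        self.visits = {}              # token -> number of requests seen

    def handle(self, request_headers):
        """Return (response_headers, request_count_for_this_visitor)."""
        jar = SimpleCookie(request_headers.get("Cookie", ""))
        token = jar["visitor"].value if "visitor" in jar else None
        response = {}
        if token not in self.visits:
            # No known cookie presented: this request cannot be told apart
            # from any other, so issue a fresh opaque token.
            token = secrets.token_hex(8)
            out = SimpleCookie()
            out["visitor"] = token
            out["visitor"]["domain"] = self.domain
            out["visitor"]["path"] = "/"
            response["Set-Cookie"] = out["visitor"].OutputString()
        self.visits[token] = self.visits.get(token, 0) + 1
        return response, self.visits[token]

class Browser:
    def __init__(self, accept_cookies=True):
        self.accept_cookies = accept_cookies   # the "option to prevent it"
        self.jar = []                          # (domain, name, value)

    def get(self, server, host):
        # Return only cookies whose Domain tail-matches the requested host.
        pairs = [f"{n}={v}" for d, n, v in self.jar if ("." + host).endswith(d)]
        headers = {"Cookie": "; ".join(pairs)} if pairs else {}
        response, count = server.handle(headers)
        if "Set-Cookie" in response and self.accept_cookies:
            for name, m in SimpleCookie(response["Set-Cookie"]).items():
                self.jar.append((m["domain"], name, m.value))
        return count

def demo():
    site = Server()
    alice, bob = Browser(), Browser(accept_cookies=False)
    # Picture both browsers behind one proxy IP: only the cookie separates them.
    a = [alice.get(site, "www.example.test"), alice.get(site, "shop.example.test")]
    b = [bob.get(site, "www.example.test"), bob.get(site, "www.example.test")]
    return a, b, len(site.visits)

if __name__ == "__main__":
    print(demo())
```

The browser that refuses the cookie looks like a new visitor on every request, which is what cookie-limiting settings and tools rely on.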