- Cookies allow a server to recognize a user between
- A server can save information about a user's surfing
behaviour, such as which pages a user visited or searched for, or what a user
bought over the Internet.
- This is, however, limited, since a server can only
see what the user has done on that particular server: the browser sends a
cookie back only to the server that set it.
- But servers can co-operate to combine their information.
The best-known example is the co-operation between web servers and the company
Doubleclick, which serves a very high percentage of all Internet advertising.
Every co-operating page embeds an advertisement fetched from Doubleclick's
server, so the same Doubleclick cookie is sent back from every such page,
together with the address of the page it was embedded in (the Referer header).
Doubleclick thus receives information from many different web servers and can
combine it into a profile of a user.
- Doubleclick says they only use this to send user-adjusted
advertisements, but can we trust them? If a user fills in a name and e-mail
address on a form, the server can combine this with other cookie-produced
knowledge to find out who you are. A spam e-mail may also contain a hidden HTTP
retrieval (for example an invisible image whose URL carries an identifier tied
to your e-mail address); when the mail is displayed, the request sends both
that identifier and your cookie to the server, linking the two.
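The following simulation is an added example (not code from the original notes
and not Doubleclick's software) of the two mechanisms just described: a
third-party cookie combining visits to several sites into one profile, and a
hidden image in an e-mail linking that profile to an e-mail address. The hosts
`shop.example`, `news.example` and `ads.example`, the address
`alice@example.com` and the classes `Site`, `Tracker` and `Browser` are all
constructed for the illustration.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs

TRACKER = "ads.example"   # hypothetical ad-network host (constructed, not a real domain)


@dataclass
class Response:
    set_cookie: dict = field(default_factory=dict)   # cookies the server sets
    embedded: list = field(default_factory=list)     # sub-resources the page loads


class Site:
    """A first-party web site that embeds an ad banner served by the tracker."""

    def __init__(self, host):
        self.host = host

    def handle(self, url, cookies, referer=None):
        # The site only ever sees its own cookie and its own pages.
        session = cookies.get("session", secrets.token_hex(4))
        return Response(set_cookie={"session": session},
                        embedded=[f"http://{TRACKER}/banner.gif"])


class Tracker:
    """The ad server: one cookie, many referring sites, one profile."""

    def __init__(self):
        self.profiles = {}      # uid -> {"pages": [...], "email": None}
        self.mail_tokens = {}   # token -> e-mail address the mail was sent to

    def handle(self, url, cookies, referer=None):
        new = {}
        uid = cookies.get("uid")
        if uid is None:                      # first contact: hand out an identifier
            uid = secrets.token_hex(4)
            new["uid"] = uid
        profile = self.profiles.setdefault(uid, {"pages": [], "email": None})
        if referer:                          # Referer = the page that embedded the ad
            profile["pages"].append(referer)
        token = parse_qs(urlparse(url).query).get("t", [None])[0]
        if token in self.mail_tokens:        # hidden image fetched: cookie now tied to an address
            profile["email"] = self.mail_tokens[token]
        return Response(set_cookie=new)

    def spam(self, email):
        """Return the hidden image URL placed in a mail sent to `email`."""
        token = secrets.token_hex(4)
        self.mail_tokens[token] = email
        return f"http://{TRACKER}/pixel.gif?t={token}"


class Browser:
    """Minimal browser: a per-host cookie jar that loads embedded resources."""

    def __init__(self, servers):
        self.servers = servers
        self.jar = {}   # host -> {cookie name: value}; sent back only to that host

    def fetch(self, url, referer=None):
        host = urlparse(url).hostname
        resp = self.servers[host].handle(url, dict(self.jar.get(host, {})), referer)
        self.jar.setdefault(host, {}).update(resp.set_cookie)
        for sub in resp.embedded:            # ads load with the page URL as Referer
            self.fetch(sub, referer=url)
        return resp


def demo():
    """Constructed browsing session; returns the tracker's profile of the user."""
    tracker = Tracker()
    servers = {"shop.example": Site("shop.example"),
               "news.example": Site("news.example"),
               TRACKER: tracker}
    b = Browser(servers)
    b.fetch("http://shop.example/cart?item=camera")
    b.fetch("http://news.example/politics")
    # The user opens an HTML spam mail; the mail client fetches the hidden image.
    b.fetch(tracker.spam("alice@example.com"))
    uid = b.jar[TRACKER]["uid"]
    return tracker.profiles[uid]


if __name__ == "__main__":
    print(demo())
```

Neither `shop.example` nor `news.example` learns anything about the other
site, yet the tracker ends up with both page addresses and the e-mail address
under one cookie identifier, which is exactly the combination the notes warn
about.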
- If several people share the same computer, one might
get access to information about the other users. Someone who can get access
to your computer (physically, using viruses, etc.) can read your cookie file,
which may contain sensitive information. This risk is of course not
limited to cookies; it applies to other sensitive information, such as passwords
a user might store, history files in web browsers, etc. Cookies
can also contain sensitive information in clear text, which someone who
eavesdrops on your connections can read whenever the cookie is sent over an
unencrypted connection.
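As an added example (not part of the original notes), the small audit below
reads `Set-Cookie` headers and reports the two properties that the risks above
turn on: whether the cookie is persistent (given an `Expires` or `Max-Age`, so
the browser writes it to the cookie file on disk, where anyone with access to
the computer can read it) and how long it lives, and whether it lacks the
`Secure` attribute (so the browser also sends it in clear text over plain
HTTP, where an eavesdropper can read it). The sample headers, the date used as
"now" and the fifteen-minute threshold are constructed for the illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie headers (not captured from any real server).
SAMPLE_HEADERS = [
    "sid=7f3a9c; Max-Age=900; Secure; Path=/",                     # 15 min, HTTPS only
    "uid=a1b2c3; Expires=Thu, 09 Jun 2022 10:18:14 GMT; Path=/",  # a year, clear text
    "cart=camera; Path=/",                                         # session cookie, clear text
]

# Fixed "current time" so the lifetimes computed below are reproducible.
NOW = datetime(2021, 6, 9, 10, 0, 0, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val-or-True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True   # bare flags become True
    return name.strip(), value.strip(), attrs


def cookie_lifetime(attrs, now):
    """Seconds until expiry, or None for a session cookie (kept in memory only)."""
    if "max-age" in attrs:                 # Max-Age takes precedence over Expires
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def audit(header, now, max_seconds=15 * 60):
    """Return (name, lifetime, findings) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    lifetime = cookie_lifetime(attrs, now)
    if lifetime is not None:
        findings.append("persistent")      # lands in the cookie file on disk
        if lifetime > max_seconds:
            findings.append("long-lived")  # readable from disk for a long time
    if attrs.get("secure") is not True:
        findings.append("cleartext")       # also sent over unencrypted HTTP
    return name, lifetime, findings


def audit_all(headers=SAMPLE_HEADERS, now=NOW):
    """Audit every header; returns {name: (lifetime, findings)}."""
    result = {}
    for header in headers:
        name, lifetime, findings = audit(header, now)
        result[name] = (lifetime, findings)
    return result


if __name__ == "__main__":
    for name, (lifetime, findings) in audit_all().items():
        print(f"{name:<5} lifetime={lifetime} {', '.join(findings) or 'ok'}")
```

The fifteen-minute cookie with `Secure` is only flagged as persistent; the
year-long cookie without `Secure` collects every finding, and the session
cookie never touches the disk but still travels in clear text.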
- These risks can be reduced using different techniques.
Examples are to let users see what is stored in their cookies, let them
control who can set cookies for them, and let them control how long the cookies
are valid. A fifteen-minute cookie is obviously less dangerous than
a cookie with unlimited lifetime, which in practice is about three