User-Server Interaction: Cookies

We noted above that an HTTP server is stateless. This makes server design simpler and has allowed engineers to develop high-performance Web servers that can manage thousands of simultaneous TCP connections. Nevertheless, it is frequently desirable for a Web site to identify users, either because the server wishes to restrict user access or because it wants to serve content as a function of the user identity. For these purposes, HTTP uses cookies. Cookies, defined in RFC 2965, permit sites to keep track of users. Most major commercial Web sites use cookies nowadays.

As shown in Figure 1, cookie technology has four components: (1) a cookie header line in the HTTP response message; (2) a cookie header line in the HTTP request message; (3) a cookie file kept on the user's end system and managed by the user's browser; (4) a back-end database at the Web site. Using Figure 1, let's walk through an example of how cookies work. Suppose Susan, who always accesses the Web using Internet Explorer from her home PC, contacts the Amazon site for the first time. Let us assume that in the past she has already visited the eBay site. When the request comes into the Amazon Web server, the server creates a unique identification number and creates an entry in its back-end database that is indexed by that identification number. The Amazon Web server then responds to Susan's browser, including in the HTTP response a Set-cookie: header, which carries the identification number. For instance, the header line might be:

Set-cookie: 1678

When Susan's browser receives the HTTP response message, it sees the Set-cookie: header. The browser then adds a line to the special cookie file that it manages. This line contains the hostname of the server and the identification number in the Set-cookie: header. Note that the cookie file already has an entry for eBay, since Susan has visited that site in the past.

Figure 1: Keeping user state with cookies

As Susan continues to browse the Amazon site, each time she requests a Web page, her browser consults her cookie file, extracts her identification number for this site, and puts a cookie header line containing the identification number in the HTTP request. In particular, each of her HTTP requests to the Amazon server contains the header line:

Cookie: 1678

In this way, the Amazon server is able to track Susan's activity at the Amazon site. Although the Amazon Web site does not necessarily know Susan's name, it knows precisely which pages user 1678 visited, in which order, and at what times. Amazon uses cookies to provide its shopping cart service - Amazon can maintain a list of all of Susan's intended purchases, so that she can pay for them collectively at the end of the session.

If Susan returns to Amazon's site, say, one week later, her browser will continue to put the header line Cookie: 1678 in the request messages. Amazon also suggests products to Susan based on Web pages she has visited at Amazon in the past. If Susan also registers herself with Amazon - providing full name, e-mail address, postal address, and credit card information - Amazon can then include this information in its database, thereby associating Susan's name with her identification number (and with all of the pages she has visited at the site in the past). This is how Amazon and other e-commerce sites provide "one-click shopping" - when Susan chooses to purchase an item during a subsequent visit, she doesn't need to re-enter her name, credit card number, or address.

From this discussion we see that cookies can be used to identify a user. The first time a user visits a site, the user can provide a user identification (possibly his or her name). During subsequent sessions, the browser passes a cookie header to the server, thereby identifying the user to the server. Cookies can thus be used to create a user session layer on top of stateless HTTP. For instance, when a user logs in to a Web-based e-mail application (such as Hotmail), the browser sends cookie information to the server, allowing the server to recognize the user throughout the user's session with the application.
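The Figure 1 walk-through as a runnable model, added here as an example and not code from the original text: a server whose back-end database is indexed by the identification number, and a browser whose cookie file is keyed by hostname, so the eBay cookie is never sent to Amazon. The hostnames, the dict-based request and response shapes, and the use of a random identification number (rather than a small sequential value like 1678, which a client could guess) are assumptions of this example.

```python
import secrets

# Model of the cookie walk-through: the server keeps a back-end database
# indexed by an opaque identification number, and the browser keeps a
# cookie file keyed by hostname so a cookie is only sent back to the
# server that set it. Hostnames and message shapes are assumptions.

class CookieServer:
    def __init__(self, hostname):
        self.hostname = hostname
        self.db = {}  # identification number -> state kept for that user

    def handle(self, request):
        """request: {'path': str, 'headers': dict}; returns response headers."""
        user_id = request["headers"].get("Cookie")
        response = {"status": 200}
        if user_id is None or user_id not in self.db:
            # First contact, or an id this server never issued: do not trust
            # the client-supplied value, mint a fresh unguessable id instead
            # and create the database entry it indexes.
            user_id = secrets.token_hex(8)
            self.db[user_id] = {"pages": []}
            response["Set-cookie"] = user_id
        self.db[user_id]["pages"].append(request["path"])
        return response

class Browser:
    def __init__(self):
        self.cookie_file = {}  # hostname -> identification number

    def get(self, server, path):
        headers = {"Host": server.hostname}
        if server.hostname in self.cookie_file:
            headers["Cookie"] = self.cookie_file[server.hostname]
        response = server.handle({"path": path, "headers": headers})
        if "Set-cookie" in response:
            self.cookie_file[server.hostname] = response["Set-cookie"]
        return response

def walkthrough():
    """Susan's visits from the text: eBay earlier, then Amazon twice."""
    susan = Browser()
    ebay = CookieServer("www.ebay.com")
    amazon = CookieServer("www.amazon.com")
    susan.get(ebay, "/")                  # earlier visit: eBay entry already exists
    first = susan.get(amazon, "/")        # first contact: server sets the cookie
    second = susan.get(amazon, "/cart")   # later request carries the Cookie header
    return susan, ebay, amazon, first, second
```

The unknown-id branch in `handle` is the server-side check a practitioner wants: an identification number the server never issued indexes nothing in the database, so it is replaced rather than honoured.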

Although cookies frequently simplify the Internet shopping experience for the user, they are controversial because they can also be considered an invasion of privacy. As we just saw, using a combination of cookies and user-supplied account information, a Web site can learn a lot about a user and potentially sell this information to a third party. Cookie Central [Cookie Central 2008] contains extensive information on the cookie controversy.


Copyright

The contents available on this website are copyrighted by TechPlus unless otherwise indicated. All rights are reserved by TechPlus, and content may not be reproduced, published, or transferred in any form or by any means, except with the prior written permission of TechPlus.