CertiGuide to Security+
Chapter 2: Communication Security (Domain 2.0; 20%)
2.3 The Web
Cookies (Page 1 of 3)

A cookie is a piece of information sent from a web server to a web browser, and then (usually) stored by the web browser on the client machine for use at a later time.

How Cookies Work

Cookies are a technique developed to personalize content (for instance, by storing information about a user that can be incorporated into pages from that site in the future) and to make up for a limitation of the web. As originally designed, a web server simply handled requests for web pages, without trying to remember who asked for which page last, what data they submitted in the web form asking for their address, and so on. Each page request was treated as a separate task, completely unrelated to any tasks (other page requests or web form submissions) that came before it. This type of behavior is referred to as “stateless” because the server does not keep track of the “state” of any of the clients that might have requested web pages from it.

Because many web applications need to keep track of where a user has been (and who the user is), the idea of a “magic cookie” was born. It works like this: the web server passes the browser a “cookie,” which may contain data gathered by the web server (such as the user’s email address) or perhaps simply a “magic number” understood internally by the web server that identifies which connection (series of transactions) this page request belongs to. Whenever the browser contacts the web server again, it sends the cookie back, thus identifying itself to the web server. The cookie is often (but not always) stored as a text file on disk.

Cookies themselves contain a variety of information, such as the host to which the cookie should be sent, as well as whatever unique identifying information (or other data) the web server wants you to furnish whenever you contact it. Those who worry about such things, and fear that a cookie can contain anything on your hard disk, should be consoled by the fact that cookies can only contain information that you once provided to the web server that created the cookie. If you didn’t give the web server your social security number, the site can’t store it in a cookie.


A cookie is a piece of information sent from a web server to a web browser, which is usually stored on the user’s PC for future use.

Depending on what information a user has provided to a web server, sensitive data may be in any cookie the web server asks to be stored on that user’s PC. Cookies can only contain information that was provided by the user to the web server.

While sites could store into a cookie information like the user ID, password, credit card numbers, etc. that you provide them, they generally don’t (knowing that it’s not a good practice), and instead opt to not store that information at all, or store it on their own secure servers, using a “magic number” cookie to look it up later, as described above.

Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al. Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.