Please help me understand cookies (the interwebs kind).
February 26, 2010 8:16 PM


I recently looked at my browser's cookies list, and found a friend's personal website on the list. I assume this doesn't mean she can follow me as I browse around the internet, but...what does it mean?
posted by lalex to Computers & Internet (13 answers total) 2 users marked this as a favorite
 
Imagine you go to a party full of very forgetful people. Every time you meet someone and say hello, they write down who you are on one of their business cards. Just before you leave them to go mill with other guests they hand you this card.

This happens repeatedly throughout the night. The next time you start chatting with someone they say "Hey, have we met before? My name's Bob." so you shuffle through your handful of cards until you find one with Bob's name on it, and hand it to him.

Bob reads the card to get back up to speed with who you are and what your last conversation was about, then you can continue conversing from that point forward.
posted by odinsdream at 8:26 PM on February 26, 2010 [15 favorites]


In your cookie list, you will see that a cookie is associated with a domain, and a path.

The browser simply sends this cookie in the headers of any request that matches that domain and site. It won't send cookies to other sites.

When people talk about using cookies to "track" people - it's because they issue you a cookie, and then have some object on other people's sites served from their site (tracking pixel, etc) - and track your movement based on that.

So - no, just because your friend's site uses a cookie does not mean he can track your movements, not at all - unless he has advertising and other agreements with a ton of sites.
posted by TravellingDen at 8:28 PM on February 26, 2010


The most important thing to know about cookies is that they're limited to a single domain name. Any time you log into a website, they remember who you are by giving your browser a cookie. But it's tagged with the site's address, so the browser knows to only send it to that particular site.

The reason some people may be concerned about privacy is because of the way certain advertising networks work. Banner ads are generally loaded from a different domain than the page they're embedded in, which means they use that domain's cookies, no matter which site you're looking at. So the ad network -- but not the main site -- can connect that with all the other times you've looked at their ads.
posted by teraflop at 8:51 PM on February 26, 2010


And, to mix odinsdream's analogy with TravellingDen's to illustrate teraflop's explanation…

Imagine that every time you met somebody new, a third person - let's say, the weird guy standing in the corner that nobody wants to talk to - slips his card into your hand as well, and makes a note of where, when and who you were talking to. And each time you exchange cards with someone, he can look at all of his cards that you're holding.

At the end of the evening, when you've forgotten what you did that night, the weird guy that you spent all night avoiding could walk up to you and tell you exactly who you met, when, in what order, and gauge pretty well how long you spent talking to them.

That's 3rd-party cookies.
posted by Pinback at 8:54 PM on February 26, 2010 [2 favorites]


Your friend will know when your computer visits her site, and what parts of her site your computer looks at, and that is all she will know.
posted by croutonsupafreak at 9:00 PM on February 26, 2010


The problem with the "name-on-a-card" analogies is that cookies are pseudonymous (unless you've done something like provide login information to a website). That is to say, cookies contain unique identifiers, but those are just alphanumeric strings, not your name or any personally identifiable information. If you log in to a site which offers some kind of user account, then the cookie can store your username.
posted by Conrad Cornelius o'Donald o'Dell at 9:25 PM on February 26, 2010 [1 favorite]


Your friend will know when your computer visits her site, and what parts of her site your computer looks at, and that is all she will know.

Only if the friend's site offers logins. If not, then the friend's log files will only show that User X, using a certain type of browser, a certain OS, etc., and coming from a particular IP address, accessed the site. The sort of information gathered about a user (again, in the absence of logins) is generally considered non-personally identifiable information.
posted by Conrad Cornelius o'Donald o'Dell at 9:27 PM on February 26, 2010


Also, imagine that at the party, you are drunk the whole time, and therefore aren't really sure who you're meeting or what you're telling them about yourself, and that you're going to end up with so many cards in your pocket that the last thing you'll want to do in the morning is look through them. And even if you did, the information there is not arranged in a way that you will understand most of it anyway.

However, you are still better off lugging them around to every party you go to anyway, because they can help you avoid having to re-introduce yourself and hear stories in which you've indicated you have no interest. Sometimes.
posted by bingo at 9:30 PM on February 26, 2010


Ugh, let's dispense with the analogy here.

What a cookie is is a piece of information that is sent from a website to your browser. The browser sends back the cookie every time it comes back. One of the key points is sends back. The website doesn't ask for the cookie, it just gets them. But it only gets cookies that it specifically set.

So websites only seek cookies that they themselves see. And obviously a website can only create cookies with information that they already have. So, if a website doesn't know anything about you, cookies won't get them any more information, except for how often you see the page.

(one tricky bit, though, is that sites like Google have bits of code on lots and lots of websites, based on Google analytics and their browser ads. So they actually can use cookies to track you across the web)

Now, does your friend know that you are the person who owns the particular computer that visited the site? Probably not. If she did know then she would be able (in theory) to tell when you'd come back. But she'd have to have custom software set up to look out for that, which is unlikely.
posted by delmoi at 9:43 PM on February 26, 2010


Since everyone seems to love the analogies so much, let me try my hand, because I think some of the prior attempts are missing some key elements.

Imagine you are at a masquerade party where half of the guests are wearing identical masks ("users"). The other half are not, and they are each distinct from one another ("websites"). The former group are equivalent to web users, the latter, to websites. If a website-person meets a user-person, s/he has no way to know who that user is, thanks to the mask (and users are also not permitted to tell the websites their names). But the websites want to be able to keep track of who they talk to, and to be able to recognize returning users in subsequent conversations, so they've evolved a method for doing so. It's a bit clunky, but it works. Here goes:

First, websites hand every user they talk to a card with a unique random number on one side AND the website's name on the back. (This is equivalent to a cookie.) Then, websites tape-record each conversation they have with each user. (This is equivalent to a server tracking where you've visited, or what items you've put in your shopping cart, or whether you've set your ZIP code on a site so that it will always display local weather, etc.) Finally, the websites associate each tape recording with the appropriate unique random number on a notepad.

Then - this is the clever bit. You, a user, stop talking to one of these website people. When you come back, they'll have no way to recognize you, right? After all, you're wearing an indistinguishable mask, and you weren't allowed to give your name. But ah! Each website knows if you are carrying a card on you that bears that website's name. They have no idea if you have cards with the names of OTHER websites on them; they just don't care.

Anyhow, not only do they know if you have one of their cards, but they can read it automatically. In fact, if you have one of their cards, you are forced to show it to them when you return. You can throw away a card (or accidentally lose it) after you get it, but if you try to revisit the same website, they'll be clueless as to who you are. You can jump up and down and shout and yell and say, "DON'T YOU REMEMBER ME? WE JUST TALKED A MINUTE AGO!" But you'll just get blank stares. (This would be like going back to your weather site but finding that it no longer displayed your local weather automatically. Something happened to your card - i.e., your cookie.)

But if you do have a card, the website-person instantly recognizes it. They glance at their notepad to find your unique number, and they use that to pull out a copy of the corresponding tape (remember, they taped your last conversation). They then listen to the tape, and a look of recognition comes over their face. They remember you! They remember what you talked about. Now you can pick up where you left off. (On the web, this would be like putting a few items into a shopping cart, closing your browser, and coming back a day later to still find the items there, and then being able to check out.) The website-person never learns your name - they only know you by this unique number. All they learn about you is what you tell them in your conversation(s).

I think this covers the basics. As I've mentioned, things change a bit if the websites allow logins. (In this analogy, you WOULD be allowed to give your name to the website-people.) The other, more privacy-related issue, involved third party servers, and that has been addressed by others.
posted by Conrad Cornelius o'Donald o'Dell at 10:02 PM on February 26, 2010 [2 favorites]


Since everyone seems to love the analogies so much, let me try my hand, because I think some of the prior attempts are missing some key elements.

Imagine you are at a masquerade party where half of the guests...
Jesus Christ. The goal should be to give an informative answer, not come up with the most creative, matching to the point of nonsense analogy.
posted by delmoi at 11:16 AM on February 27, 2010


I'm sorry you seem so upset by my attempt at an answer here, Delmoi. I often find analogies are helpful in explaining technical topics - and I personally like it when people use analogies to help me understand technical subjects. Cookies are a tricky sort of thing to analogize to human affairs, and I don't love the party analogy. But I wanted to clarify what I thought were some problems with the earlier examples, not engage in some sort of creative one-upsmanship. I feel that my explanation comes pretty close to describing how cookies work. No nonsense!
posted by Conrad Cornelius o'Donald o'Dell at 11:58 AM on February 27, 2010


If you're actually curious about the technical stuff, try this. It might be a little over some people's heads, but I have faith in my common man to understand this sort of thing.

Use Chrome or download Firebug for Firefox. I'm going to go with Firebug since I like the interface more, but Chrome has the same tool.

Open up Firebug, there should be a little bug at the lower right. Go to the Net tab. Make sure it's activated by clicking the arrow on the Net tab.

Now go to your friend's blog. The Firebug window should fill up with all the HTTP traffic that loads your page. Expand the first one and scroll down until you see the Request Headers section. The text here is pretty much exactly the same text your browser sent, formatted to look a little prettier.

There's a section of the request headers called Cookie, and it means exactly what it looks like - your browser is sending that text to the server every time you load the page. "Cookies" are that text. There's probably a long string of random characters that the server generated and gave to you when it set the cookie - everyone who visits her site gets a different string. This lets the server remember who you are, for purposes of tracking page views and things like that.

Now go to google.com - keep that Net tab open. It'll fill up with all the traffic for loading up Google's home page. Do the same thing we did for your friend's blog, and look at the Cookie section. It's completely different! Cookies are limited to specific sites - if you're not visiting the site the cookie was set from, your browser won't send them.

TL;DR version - cookies are text your browser sends every time you visit a site. The site has control over what exactly this text is, but not who you send it to.
posted by wonnage at 1:31 PM on February 27, 2010
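
Added example (not part of any poster's answer): the domain and path scoping described in TravellingDen's and wonnage's answers, and the third-party case from teraflop's and Pinback's, as a toy browser cookie jar. The host names, cookie names and the `simulate` helper are constructed for illustration, and the matching is simplified from RFC 6265.

```javascript
// Added illustration: toy browser cookie jar. All hosts are constructed .example names.
// Simplified from RFC 6265: no expiry, Secure, SameSite or public-suffix checks.
const domainMatch = (host, domain) => host === domain || host.endsWith("." + domain);
const pathMatch = (path, cpath) =>
  path === cpath || (path.startsWith(cpath) && (cpath.endsWith("/") || path[cpath.length] === "/"));

class CookieJar {
  constructor() { this.cookies = []; }

  // Store one Set-Cookie header value received in a response from `host`.
  store(host, header) {
    const [pair, ...attrs] = header.split(";").map(s => s.trim());
    const eq = pair.indexOf("=");
    const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: host, hostOnly: true, path: "/" };
    for (const attr of attrs) {
      const [key, val = ""] = attr.split("=");
      if (key.toLowerCase() === "domain" && val)
        Object.assign(c, { domain: val.replace(/^\./, "").toLowerCase(), hostOnly: false });
      if (key.toLowerCase() === "path" && val.startsWith("/")) c.path = val;
    }
    // A server can only set cookies for its own host or a parent domain of it.
    if (!domainMatch(host, c.domain)) return false;
    this.cookies = this.cookies.filter(o => !(o.name === c.name && o.domain === c.domain && o.path === c.path));
    this.cookies.push(c);
    return true;
  }

  // Build the Cookie request header the browser would send to host + path.
  header(host, path) {
    return this.cookies
      .filter(c => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)) && pathMatch(path, c.path))
      .map(c => `${c.name}=${c.value}`).join("; ");
  }
}

// Visit three sites that each embed a pixel served from the same third-party host.
function simulate() {
  const TRACKER = "ads.tracker.example";
  const jar = new CookieJar();
  const trackerLog = [];               // what the third party's server can record
  let nextId = 1;
  for (const site of ["friend-blog.example", "news.example", "shop.example"]) {
    jar.store(site, `sid=${site.split(".")[0]}; Path=/`);      // first-party cookie
    let uid = jar.header(TRACKER, "/pixel.gif");                // sent with the pixel request
    if (!uid) { uid = `uid=u${nextId++}`; jar.store(TRACKER, `${uid}; Path=/`); }
    trackerLog.push({ page: site, uid });
  }
  return { jar, trackerLog };
}
```

After `simulate()`, the friend's blog receives only its own `sid` cookie, while the third-party host's log holds the same `uid` next to all three pages.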

