HTTP cookies

History, motivating use cases

In the early days of the web, a server had no way to know if two requests came from the same web browser. This was considered as a limitation since it did not allow for instance to keep a user logged-in. This apparent limitation led Netscape to ship a technology called "cookies" in the first version of its Netscape Navigator. It has been quickly adopted by web developers and copied by other web browsers.

With the introduction of document.cookie, Web developers quickly started to use cookies as client-side storage.

Basics of cookies

How cookies work is defined by the RFC 6265. When receiving an HTTP request, a server can send a Set-Cookie header with the response. Afterward, the cookie value is sent along with every request made to the same server in the form of a Cookie HTTP header. Additionally, an expiration delay can be specified. Restrictions to a specific domain and path can be specified as well.

Critics, alternatives

Incompatibility with the REST architectural style

In the dissertation where he defines REST, Roy Fielding says about cookies:

An example of where an inappropriate extension has been made to the protocol to support features that contradict the desired properties of the generic interface is the introduction of site-wide state information in the form of HTTP cookies. Cookie interaction fails to match REST's model of application state, often resulting in confusion for the typical browser application. (...) The problem is that a cookie is defined as being attached to any future requests for a given set of resource identifiers, usually encompassing an entire site, rather than being associated with the particular application state (the set of currently rendered representations) on the browser. When the browser's history functionality (the "Back" button) is subsequently used to back-up to a view prior to that reflected by the cookie, the browser's application state no longer matches the stored state represented within the cookie. Therefore, the next request sent to the same server will contain a cookie that misrepresents the current application context, leading to confusion on both sides. (...) As a result, cookie-based applications on the Web will never be reliable. The same functionality should have been accomplished via anonymous authentication and true client-side state. A state mechanism that involves preferences can be more efficiently implemented using judicious use of context-setting URI rather than cookies, where judicious means one URI per state rather than an unbounded number of URI due to the embedding of a user-id. Likewise, the use of cookies to identify a user-specific "shopping basket" within a server-side database could be more efficiently implemented by defining the semantics of shopping items within the hypermedia data formats, allowing the user agent to select and store those items within their own client-side shopping basket, complete with a URI to be used for check-out when the client is ready to purchase.

Cookies used as client-side storage

Cookies have been used as client-side storage. While this use could have been considered legitimate at a time when there was no other way to store data on the client side, it is no longer the case in 2012 where it is estimated that 90% of users worldwide have a web browser which is capable of using the local storage API. Since cookies are sent along with every request, it can be an additional performance burden (especially for mobile web).

Security

Since cookies are often used to identify a user in an application, stealing a cookie means stealing the identity of the user in the application.

Also, used in combination with the Referer (sic) HTTP header, cookies allow user tracking.

Web keys

When using cookies, a resource (the "R" in "URL") is defined (and generated on the server-side) by the URL and the cookie. In this case, the cookie is used as a secret shared between the client and the server (and hopefully no one else). In a paper, Tyler Close suggests to put the secret directly in the URL (hence called "web keys") and answers to common concerns that could come along with this decision.

See also

Document Tags and Contributors

Tags: 
 Contributors to this page: Aristide, groovecoder, teoli, Sheppy, dbruant
 Last updated by: Aristide,