CLLB Information Security Newsletter – Cookies

Volume 2 Number 8 August 2009.

From the Desk of David G. Badertscher

Mmmm… cookies – chocolate chip and oatmeal with raisins! Cookies are one of the most popular snacks that exist today. Did you know you can get “browser” cookies almost every time you go on the Internet? These cookies help with Internet commerce, allow quicker access to web sites, or can personalize your browsing experience. However, there are some privacy and security issues to be aware of, so it is important to understand the purpose of a “browser” cookie and manage their use on your computer appropriately. This tip will help you understand what a “browser” cookie is, what it is used for and what risks might be associated with using cookies.

What’s a Browser Cookie and How is it Used?

Browser cookies are simply reference files stored on your computer, just like pictures and documents. When you visit a web site, the visited web site will often place a cookie on your computer. Cookies do not contain active content (executables) or links, just text-based information. The information in the cookie might indicate how often you visit the site, what kind of products you bought, what kind of things you searched for, etc.

There are two different types of browser cookies that are stored on your computer – session and permanent cookies. Session cookies are stored in the computer’s memory only during your browsing session and are automatically deleted from your computer when the browser is closed. These cookies usually store a session ID that is not personally identifiable, allowing you to move from page-to-page without having to log-in repeatedly. Session cookies are never written to the hard drive and they do not collect any information from your computer. They are widely used by commercial web sites; for example, to keep track of items that a consumer has added to a shopping cart. For instance, when you add an item to your shopping cart while shopping online, the information on that item is placed into a cookie. When you are finished with your online shopping, the application then references the appropriate cookie, tallies up your purchases, and bills you for those items.

Permanent cookies are stored on your computer’s hard drive and are not deleted when the browser is closed. These cookies can retain user preferences for a particular web site, allowing those preferences to be used in future browsing sessions. Permanent cookies can be used to identify individual users, so they may be used by web sites to analyze users’ surfing behavior within the web site. These cookies can also be used to provide information about number of visitors, the average time spent on a particular page, log-in information stored in an account, and generally the performance of the web site.

In addition to session and permanent cookies, many sites allow their advertisers to place “third-party” cookies on your computer. Third-party cookies allow the marketing or an advertising company to track your interests and browsing through multiple web sites and companies. Third-party cookies, ones used by companies you are not dealing directly with, are more of a privacy issue than a security issue. The more you allow companies to track your online behavior, the more they can market directly to your specific interests. How cookies are processed and/or stored on your computer is controlled by your browser’s privacy settings.

Risks and What Should I Do?

Although permanent cookies may be useful and convenient, there are risks associated with stored log-in credentials. Storing credentials in a cookie can increase the risk of your log-in information being discovered if someone else uses your computer or in the event your computer may be compromised. If your computer or the website you are visiting is compromised, cookies can be used for malicious purposes, such as hackers altering data in the cookie or intercepting traffic between your computer and the web site.

Is recommended that you:

Set your cookie preferences using your browser privacy settings.

Periodically delete cookies from your computer.

Session cookies should be automatically deleted when you have completed a financial transaction online. By clearing your cookies from your browser periodically you can decrease the risk of the misuse of information accidentally or intentionally stored in cookies.

Do not allow cookies to store login information.

Keep your system and browser up-to-date on patches, update your anti-spyware software, and only visit trusted web sites.

If you do not want to share your online behavior data with third-parties, set your privacy settings to not allow third-party cookies. Note, this may impact your browsing experience.

Be cautious when sharing your computer. If you stored credential information using a browser cookie (user names and password), the individual using your computer will have access to your account and will be able to process transactions in your name.

For More Information on Cookies Visit:

Web Browser Attacks:

Browsing Safely: Understanding Active Content and Cookies:

Evaluating Your Web Browser’s Security Settings:

Http Cookie:

Free Security Checks:

How to Control Cookies:

The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to

They say timeing is everything; sometimes I wonder. Late in July I begain receiving a number of e-mails about the federal government reconsidering the question of whether cookies and other technological tracking devices should be used on federal web sites. When this matter had been raised before, the Office of Management and Budget (OMB) in the White House and presumably others decided that use of cookies on federal web sites should be greatly restricted in not prohibited. That decision was based on privacy and other concerned deemed especially important at the time. See a discussion of the issues from the perspetive of OMB at:

Now, with newer, more advanced and more accessible techology, and other concerns, the question is being reopened and revied. I have submitted comments to the Office of Management and Budget, but certainly wish that I had received the above information from MS-IAC before doing so. The public comment period ended August 10 (unless it has been extended) and I did not receive the very helpful information and resources included above until two days ago August 19. I guess timing is everything after all.

At the time I received the earlier information, I did some research and posted information and links for those who might want either more background information, submit comments to the OMB blog or comment directly to the Federal Register, or all the above on this Criminal Law Library blog . To see my posting, which incorporates material I submitted to the OMB, visit:


Message Labs, now part of Symantec, has produced a white paper on what they consider the Top 5 Security Tips for 2009. The tips discussed are: Endure more than one line of defense; Educate your users about the risks; Control web access; Stay ahead of threats; and Know your legal obligations. To see the white paper go to:


Contact Information