Sloane International Development: Hey guys I just want to know What Is a Persistent Cookie? as I have no idea about this
Please let me know
Persistent cookies – these files stay in one of your browser's subfolders until you delete them manually or your browser deletes them based on the duration period contained within the persistent cookie's file.
Session cookies - these are temporary cookie files, which are erased when you close your browser.
(to see the difference between the two types of Cookies).
Source: http://www.allaboutcookies.org/cookies/cookies-the-same.html
And maybe you want to know what Cookies are/do:
Cookies are usually small text files, given ID tags that are stored on your computer's browser directory or program data subfolders. Cookies are created when you use your browser to visit a website that uses cookies to keep track of your movements within the site, help you resume where you left off, remember your registered login, theme selection, preferences, and other customization functions. The website stores a corresponding file (with same ID tag) to the one they set in your browser and in this file they can track and keep information on your movements within the site and any information you may have voluntarily given while visiting the website, such as email address.
Source: http://www.allaboutcookies.org/cookies/
You should google it next time
Is it possible to use data from Google Analytics when someone visits my web page?
I would like to get information about the visitor, eg:
location
how many times he visited the page
from where he comes
time spent on website
etc
And depending on that information, display proper content. Or even add it (silently) to the contact form.
Is it possible to use the data collected by Google Analytics or should I create my own mechanism based on cookies? Maybe any other solution?
This isn't possible. Universal Analytics uses a cookie with an ID for the user and handles the rest on the server, so there's no data available to you. However, all of the info that Google is tracking is accessible to you.
location you can get via the user's IP
visits you can get by setting a cookie on each user and tracking sessions
referrer should be in the request headers
time spent can be tracked the same way that ga does, by keeping track of the time every time the user creates another hit
I found that the cookie in the browser is a random string which the web server sends to each client for the purpose of remembering users' information. But I don't understand, from a programmer's viewpoint: what is a cookie used for?
For example, I've used EditThisCookie extension in Chrome Browser to read wikipedia.org site's cookie, in the following picture included here. The value of this cookie (sessionId) is useless for programmers (EDIT: I mean I don't extract any information from this cookie, I know the cookie is very important for web developers, so sorry about my poor expression). If I get this cookie, which kind of information I can understand about the users?
Looking for some help! Thank you very much!
The example about cookie
http://i102.photobucket.com/albums/m86/dienkun1/cookie_example_zps455f0dad.png
EDIT: Sorry, I've just expressed my problem in wrong way.
Actually, I am going to write an extension for collecting users' preferences via users' cookie, but I can't understand anything what information can be extracted from cookie. I've read about cookie in many documents, like wikipedia, and all of them just show how to get cookie, the definition of cookie, classified... and nothing about which information we can get from cookie.
Thank you very much!
Why do you say that the sessionId is useless for programmers? It actually can be extremely useful. Somewhere on Wikipedia's servers, they're probably storing quite a bit of information about your session. This could include things like whether you've already hidden one of their fundraising banners (so that it won't keep showing it to you again and again), to things that are required for basic functionality, such as what user you are currently logged in as.
However, Wikipedia is storing this same information for millions of sessions. It needs a way to tie the information back to each individual browser. That sessionId is how it does so. It set the sessionId in a cookie when you first accessed the page, and that cookie gets sent back to the server with every request you make to it now. Then they have code on the back end that reads that sessionId from the cookie and uses it to look up all of the information specific to your session, and do whatever needs to be done with it.
You could of course store the session information itself in the cookies, but there are a couple problems with that. First, there are limits on the size of each cookie, and on the overall size of all cookies for a single domain. Some of the data you want to store might not even fit. But the bigger problem is that cookies can be very easily manipulated by the end user. If you stored the information of who the user is logged in as in a cookie, the user could just change that value to something else, and suddenly be logged in as someone else! Of course, it's also possible that the user could change their sessionId to be some other user's session and suddenly be logged in as them. That's why session IDs need to be as random as possible, and should be long enough that guessing someone else's is basically impossible.
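The lookup described in this answer, as an added example that is not part of the original post: a Python version in which the cookie carries only a random session ID and the data stays in a server-side store, next to the cookie-trusting form the answer warns about. The names `SESSIONS`, `create_session`, `load_session` and `naive_current_user` are made up for the illustration, and the in-memory dict stands in for a real session store.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side store: session ID -> session data (a dict stands in for a real store).
SESSIONS = {}


def parse_cookies(cookie_header):
    """Parse a request's Cookie header into a SimpleCookie jar."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar


def naive_current_user(cookie_header):
    """The form the answer warns about: identity is read straight from the cookie."""
    morsel = parse_cookies(cookie_header).get("user")
    return morsel.value if morsel is not None else None   # client input is believed


def create_session(user):
    """Create a session on the server and return the Set-Cookie header value."""
    sid = secrets.token_urlsafe(32)            # 32 bytes from the OS CSPRNG
    SESSIONS[sid] = {"user": user, "banner_hidden": False}
    cookie = SimpleCookie()
    cookie["sessionId"] = sid
    cookie["sessionId"]["path"] = "/"
    cookie["sessionId"]["httponly"] = True     # not readable via document.cookie
    cookie["sessionId"]["secure"] = True       # only sent over HTTPS
    return cookie["sessionId"].OutputString()


def load_session(cookie_header):
    """Look the session up by ID; an unknown or edited ID maps to nothing."""
    morsel = parse_cookies(cookie_header).get("sessionId")
    return SESSIONS.get(morsel.value) if morsel is not None else None


if __name__ == "__main__":
    header = create_session("alice")
    sid = header.split(";")[0].split("=", 1)[1]
    print(header)
    print(naive_current_user("user=admin"))         # edited cookie is accepted
    print(load_session("sessionId=" + sid))         # alice's server-side data
    print(load_session("sessionId=guessed-value"))  # no such session
```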
Well, why would someone bother writing a sessionId to a cookie if it's useless?
Cookies are extremely useful when it comes to (e.g.) identifying users on your site so you can have them logged in right away, count their visits, track them on your site and even beyond, only to name a few use cases.
To cite a somewhat popular site (wikipedia.org):
Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items in a shopping cart) or to record the user's browsing activity (including clicking particular buttons, logging in, or recording which pages were visited by the user as far back as months or years ago).
The most important word here is "stateful".
I was looking up alternatives to cookies and I've read about HTML5 web storage here, and I've read a simpler explanation here but I still don't get how it works fully. Can someone offer a slightly non-technical explanation so that I can then understand the technical bits. It says about browsers having to store key value pairs but where and how is it stored and why is it inaccessible to other sites? Why isn't it considered just another form of cookies?
I'm looking for a thorough and complete alternative to cookies; as in if my organisation wants to replace all its websites from using cookies to say an alternative for say web-storage then can we easily say 'Yes' to that requirement? Let's assume only the latest browsers are used.
How and in what ways does web-storage enhance security when compared to cookies? Does it have potential to compromise security in other ways? Is there someone with any real life experiences who can share the pros and cons?
The differences between localStorage and cookies
Both cookies and localStorage are protected from access by unrelated domains by the Same Origin Policy.
The difference is that localStorage is only accessible through JavaScript, whilst cookies are accessible through JavaScript and sent with each HTTP request.
There isn't much of a security benefit of using localStorage as opposed to cookies. The difference between the two is because the goal is different: localStorage can be used for things you'll only use in JavaScript, whilst cookies can be used for storing things you need on the server (as well).
Both can be accessed by anyone that has access to the browser of a user's computer and both localStorage and cookies can be accessed by JavaScript that is executed on the web page. (For the latter, see the exception below.)
You can see this if you enter localStorage or document.cookie in the browser console.
You can set the HTTPOnly flag on a cookie so it isn't accessible through JavaScript.
How to use localStorage
Since there is already a lot of information available on using localStorage, I will just refer to two web sites documenting it:
DOM Storage at the Mozilla Developer Network
Local Storage at Dive Into HTML5
How the data is stored
How the data is stored differs per browser. Below, I give information on how Mozilla Firefox stores cookies and local storage.
Note: instructions on how to find your Firefox profile are available in this article at Mozilla Support.
Cookies
Firefox stores your cookies in your profile folder in a file named cookies.sqlite. This is a SQLite database. Opening the file using SQLiteStudio shows that the database contains one table, moz_cookies.
Table structure
The table is structured as follows:
Table contents
Here is a part of the contents of my cookies.sqlite database:
LocalStorage
Firefox stores your localStorage data in your profile folder in a file named webappsstore.sqlite. This is a SQLite database. Opening the file using SQLiteStudio shows that the database contains one table, webappsstore2.
Table structure
The table is structured as follows:
Structure of the column contents:
scope: <the domain name in reverse>:<the protocol>:<the port number>
KEY: The name of the stored value.
value: The stored value.
secure: This column isn't used.
owner: This column isn't used.
Table contents
Here is a part of the contents of my webappsstore.sqlite database:
This is the same as the data that I get when I type localStorage in the console at the web page https://login.persona.org.
Conclusion
As you can see, data from both cookies and local storage is stored by the browser in the same way. If you are concerned about the safety of data that is being stored at the user's computer, localStorage offers no security benefit over cookies.
In fact, it may even be a greater risk, because you can set cookies to expire after a certain time, whilst localStorage won't expire. Thus, data saved in localStorage may remain at the user's computer for longer than it would have if you had used cookies.
(If, however, you only need to store data for the duration of a single session, you can use sessionStorage instead of localStorage.)
It sounds like you're looking at formulating a company-wide policy with respect to use of cookies in web application development.
As such, for a company-wide policy, be careful to consider not only your typical type webapp where server produces HTML+JavaScript, but also any potential web APIs that company web applications may be publishing. Such web APIs may be for AJAX purposes, but also may be for consumption by other type clients, for example B2B type data feeds, that may rely on some form of persistence on the consumer end. For example a "browser" like Twilio only understands TwiML, as opposed to HTML+JS, and local storage is not applicable there. And if webapp that interfaces with Twilio relies on persistent storage, local storage is not an option (whereas cookies are).
This is not to say that such applications, if such exist or will exist in your organization, cannot be (re-)designed to avoid need for client-side persistence. This is to say that local storage may not necessarily always be available in all contexts to provide alternative to cookies.
Otherwise, user2428118's answer nicely contrasts the two technologies.
I've just discovered Evercookie project on Github.
Evercookie is a Javascript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.
This is accomplished by storing the cookie data in as many browser storage mechanisms as possible. If cookie data is removed from any of the storage mechanisms, evercookie aggressively re-creates it in each mechanism as long as one is still intact.
If the LSO mechanism is available, Evercookie may even propagate cookies between different browsers on the same client machine!
I tested it online, on this example page. I clicked "Create evercookie" button, I deleted all browsing data and I refreshed the page. The cookies that were deleted by deleting browsing data returned again there.
Where is the browser security in this thing? Is this secured?
If you want to disable Flash based cookies, use Adobe's "Global Storage Settings" panel here:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html
Perform all of these Steps:
Uncheck "Allow 3rd Party Flash Content to store data on your computer"
Check "Never ask again" (a non-obvious, but important step)
Click the 2nd to last tab: "Website Storage Settings"
Delete all existing data
Chrome bundles its own Flash plugin on Windows and Mac OS X. The settings and disk storage are separate from the plugin packaged directly by Adobe, so you may need to perform the above steps twice if you use Chrome. On the plus side, the separate storage location prevents Flash from being used to synchronize cookies to or from Chrome and other browsers.
I recommend testing with my personal site:
http://noc.to
The "Zombie Cookie" section can show you exactly how cookies are being restored and help you determine if the above steps (or any tools you use) are working.
In order to create an Evercookie, all you need is:
The ability to run JavaScript (or other active content, like Flash and perhaps Java); and
The ability to access the various client-side locations where copies of the cookie data are stored.
Totally disabling access to all storage mechanisms would render most of them useless; for most of them, their whole reason for being is to allow a script to use them. So the only even remotely feasible option is restricting access by domain. I'm not sure what browsers (if any) allow that kind of granularity, though. Most can allow or block JS as a whole from certain domains, but as for what features a given domain's scripts can use...? I'm not seeing that ability in Chrome 26 or IE 10, at least.
Well, it doesn't seem to work that well.
Created the everCookie
Closed the window
Empty all elements of Firefox cache (just by going to delete recent history and check everything except site preferences)
Closed the window
Came back to the page
Finally realized it wasn't stored
What is strange is that I didn't explicitly remove Flash cookies in the Flash Website Storage Settings panel. Maybe it's integrated into Firefox. Or I may have disabled them.
I think there's several other ways to store cookies and trace you. Facebook is already tracking you all over the web, even when disconnected. Google too (do you use Chrome?). Moreover, with IPv4 addresses, we certainly can find you back (why not just after you've emptied your cache!). We also can find you back while logging back on any site, and make a link with your previous sessions.
I suggest:
Using Firefox, even if it's slower than Chrome, it's still more respectful of privacy
Removing the whole Internet cache on window close (sorry you'll have to log again on your preferred sites)
Check third-party cookie options
Use browser addons with care
Check Flash & Silverlight cookie options
Avoid website reputation checking (provided that you can recognize a phishing attempt)
Use private browsing mode when you don't want to share your digital lives
We have several websites on different domains and I'd like to be able to track users' movements on these sites.
Obviously cookies are not feasible, because they don't cross domain borders.
I could look at a combination of IP address and User Agent, but there are some cases where that does not work.
I don't want to use flash or other plugins.
Any ideas? Or am I doomed to rely on the IP/User_Agent combination?
You can designate one domain or subdomain to tracking and have it serve a 1x1 pixel image which you include in all pages you would like to track. Serve a cookie with the image, look at the tracking domain's server logs, voilà.
This solution requires no JavaScript, and works even if the user disables third-party cookies.
First, let's make sure the user agent is sending cookies:
If getCookie("c") == null then setCookie("c", "anyValue")
Then let the request finish (aka wait for next request)
Let's call our tracker cookie uaid.
If GET http://child.com/any-page and getCookie("c") is not null and getCookie("uaid") is null...
Redirect to http://parent.com/give-me-a-uaid?returnTo=http://child.com/any-page
On http://parent.com/give-me-a-uaid, check for cookie uaid
If not exists, create it and add it to response. If it exists, get its value.
Redirect to http://child.com/any-page?uaid=valueOfParentsUAIDCookie
Child.com sets cookie uaid with valueOfParentsUAIDCookie
Redirect to http://child.com/any-page
And of course, you are validating input, and white-listing your redirect URLs :)
Flows:
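The redirect steps above, with the input validation and redirect allow-listing the answer calls for, as an added Python example that is not the answer author's code. The function names, the 22-character `uaid` format and the one-entry allow-list for `child.com` are assumptions made for the illustration.

```python
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption for this example: the only site allowed as a returnTo target.
ALLOWED_RETURN_ORIGINS = {("http", "child.com")}
UAID_RE = re.compile(r"[A-Za-z0-9_-]{22}")   # shape of secrets.token_urlsafe(16)


def safe_return_url(return_to):
    """Parse returnTo; return its parts only if it targets an allow-listed site."""
    try:
        parts = urlsplit(return_to)
        port = parts.port                      # raises ValueError on a bad port
    except ValueError:
        return None
    if (parts.scheme, parts.hostname) not in ALLOWED_RETURN_ORIGINS:
        return None
    if port is not None or parts.username is not None or parts.password is not None:
        return None                            # no userinfo tricks, no odd ports
    return parts


def give_me_a_uaid(return_to, cookies):
    """parent.com/give-me-a-uaid: return (status, Location, uaid)."""
    parts = safe_return_url(return_to)
    if parts is None:
        return 400, None, None                 # refuse; never redirect off-list
    uaid = cookies.get("uaid", "")
    if not UAID_RE.fullmatch(uaid):            # missing or malformed: issue a new one
        uaid = secrets.token_urlsafe(16)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "uaid"]
    query.append(("uaid", uaid))
    # Rebuild the target from validated parts instead of echoing the raw input.
    location = urlunsplit((parts.scheme, parts.hostname, parts.path or "/",
                           urlencode(query), ""))
    return 302, location, uaid


def child_accept_uaid(query_string):
    """child.com: return the uaid to store in its own cookie, or None."""
    uaid = dict(parse_qsl(query_string)).get("uaid", "")
    return uaid if UAID_RE.fullmatch(uaid) else None
```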
This question is closely related to the Question Accessing Domain Cookies within an iFrame on Internet Explorer.
For Internet Explorer I need to take P3P Policies into account and set an additional P3P HTTP-Header to allow images to set cookies across domain borders. Then I can use simon's suggestion.
You can follow the same concept used in Google Analytics. Injecting javascript in the pages you want to track.
You do not give any context to your situation, just the basic problem. So it is difficult to give an answer that clearly fits. However, here are some techniques/mechanisms for passing information from one page to another, regardless of what domain is involved.
include hyperlink to a 1x1 pixel transparent gif image (sometimes called a "beacon")
rely on referrer information in HTTP request headers to identify page hyperlink is on
include extra parameters in hyperlinks to other site - assuming you run both sites
buy services of a company like Akamai to do user tracking for you
possibly use cross domain cookie mechanism in the future if standard is ever approved
Which techniques really come down to whether you can place software on all of the sites (servers) that the user will visit where you have interest - or you cannot place your software on all of them.