Cookies – Prof. Sheizaf Rafaeli – Electronic commerce


Upload: harry-henry

Post on 25-Dec-2015


Page 1: Cookies

Prof. Sheizaf Rafaeli – E-Business

Prof. Sheizaf Rafaeli
Electronic commerce

Page 2: C is for Cookie

Now what starts with the letter C?
Cookie starts with C
Let's think of other things
That starts with C
Oh, who cares about the other things?

C is for cookie, that's good enough for me
C is for cookie, that's good enough for me
C is for cookie, that's good enough for me
Oh, cookie, cookie, cookie starts with C

Page 3: Advantages of maintaining state

- Shopping cart applications
- Customizing and personalizing content
- Tracking navigation patterns
- Creating “subscriber” status
- Remembering pesky passwords
- Rewarding frequent or return visits
- Changing banners and bookmarks
- Games: remembering scores, high scores, skill levels

Page 4: “Maintaining state”

- Stored in cookies
- Encoded in URL links
- Sent in hidden form variables
- Stored in variables in other (hidden) frames
- Stored on the web server (least desirable)

Page 5: Cookies

“Magic cookies”, “Persistent client state HTTP cookies”

A cookie is a small amount of information that a Web site sends to your browser. When your browser receives a cookie, it saves the cookie on your hard drive for future use.

When you re-visit a site, your browser checks for any pre-defined preferences (cookies) for that particular site.

Page 6: Cookies

- Enable storing information on the client’s browser for later retrieval
- Most powerful technique for maintaining state within a web site

Page 7: Web sites use cookies in many different ways.

Sites can accurately determine how many people actually visit the site. It turns out that because of proxy servers, caching, concentrators and so on, the only way for a site to accurately count visitors is to set a cookie with a unique ID for each visitor. Using cookies, sites can determine:

  – How many visitors arrive
  – How many are new vs. repeat visitors
  – How often a visitor has visited

The first time a visitor arrives, the site creates a new ID in the database and sends the ID as a cookie. The next time the user comes back, the site can increment a counter associated with that ID in the database.

Sites can store user preferences (often referred to as customization).

E-commerce sites can implement things like shopping carts and "quick checkout" options. It would be impossible to implement a convenient shopping mechanism without cookies or something like them.

TRY THIS: http://computer.howstuffworks.com/history.php
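The counting scheme described on this slide, as an added example that is not part of the original slides. The cookie name visitor_id, the Map standing in for the database and the function names are assumptions made for the illustration; an ID the server never issued is treated as a first visit rather than trusted.

```javascript
// Added example: server-side visitor counting with a unique-ID cookie.
// `db` is a Map (visitor ID -> visit count) standing in for the database.

// Parse a Cookie request header such as "theme=dark; visitor_id=abc".
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;                 // skip fragments without "="
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    let value = raw;
    try { value = decodeURIComponent(raw); } catch (e) { /* keep raw text */ }
    if (name) jar.set(name, value);
  }
  return jar;
}

// Handle one page request. `newId` is an optional ID generator
// (hypothetical hook, used by tests); the default is a random UUID.
function recordVisit(cookieHeader, db, newId) {
  const makeId = newId || (() => globalThis.crypto.randomUUID());
  const id = parseCookieHeader(cookieHeader).get('visitor_id');

  // Count a repeat visit only for an ID this server issued earlier.
  // A missing, deleted or made-up ID is handled as a first visit.
  if (id !== undefined && db.has(id)) {
    const visits = db.get(id) + 1;
    db.set(id, visits);
    return { id, visits, isNew: false, setCookie: null };
  }

  const fresh = makeId();
  db.set(fresh, 1);
  const oneYear = 365 * 24 * 60 * 60 * 1000;
  const expires = new Date(Date.now() + oneYear).toUTCString();
  return {
    id: fresh, visits: 1, isNew: true,
    // Value for the Set-Cookie response header.
    setCookie: `visitor_id=${fresh}; expires=${expires}; path=/; secure`,
  };
}

// The three figures listed on the slide, derived from the same table.
function siteStats(db) {
  let repeat = 0;
  for (const visits of db.values()) if (visits > 1) repeat++;
  return { visitors: db.size, newOnly: db.size - repeat, repeat };
}
```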


Page 13: Are YOU a voyeur?

Visit
  – http://www.metaspy.com (choose red)
  – http://voyeur.mckinley.com/cgi-bin/voyeur.cgi
  – http://aj.com

Was it interesting?

Page 14: Problems, Constraints and Disadvantages (real)

- Cookie may not be persistent
- May be deleted by accident or on purpose
- May be disallowed or frozen
- Browser may impose limitations, distorting the information
- Unencrypted, may “give away” secrets
- Made to sound scary (see myths)

Page 15: Where are cookies stored?

- By Netscape, as “cookies.txt” on Windows machines or as “MagicCookies” (on Macs)
- By Explorer in special directory named Windows/Cookies
- By other browsers - wherever they wish

Page 16: Cookie Myths

- “The biggest problem seems psychological”
- Big brother violating privacy?
- Cookies seldom used for this purpose
- Cookies cannot be used to get data from your hard drive, your email address or sensitive information about your person
- HOWEVER: look at http://www.doubleclick.com
  – “delivering targeted REAL TIME marketing”

Page 17: WebBugs (doubleclick’s secret)

A hidden active link:

    <img src="http://bug.com/1pix.gif" width=1 height=1>

(Diagram labels: http://mysite.com, http://yoursite.com)

Page 18: Cookie Myths (2)

Early implementations of Java and JavaScript did allow awful things but for the most part these security leaks have been plugged.

Software limits total size of cookie file:
  – less than 1.2 MB
  – no more than 80 KB per each web site
  – each site can only access its own

Page 19: Cookie Myths (3)

A site can only access a cookie that has been set from its own domain. It cannot access any other cookies from your computer.

Page 20: Still… How do I stop’em? (1)

- Use the anonymizer service, at
  – http://www.anonymizer.com/
- Use Cookie Central’s cookie web kit, at http://www.cookiecentral.com

Page 21: Still… How do I stop’em? (2)

- Use Cookie Crusher, at:
  – http://www.thelimitsoft.com/cookie.html
- Disable cookies.
  – On Explorer use View-Internet options-Advanced
  – On Netscape: Network - Preferences - Protocol menu
  – delete cookies.txt (or magicCookies on Mac), replace with system, hidden, read-only, write protected, zero length file
- Use Junkbuster, at http://www.junkbuster.com

Page 22: Netscape’s original cookie specs

- Netscape is the inventor of cookies.
- The original specs are available at:
  – http://www.netscape.com/newsref/std/cookie_spec.html

Page 23: Using Cookies

- Cookies are stored in name=value pairs
- The main functions necessary are:
  – GetCookie
  – SetCookie
  – ClearCookie
- Cookies save “expire”, “path”, “domain” and “secure” parameters.

Page 24: See example

- See example in cookie.favorites.html, at:
  – http://www.umich.edu/~cisdept/Grad/CIS742/cookies.favorites.html
- This program makes use of three different cookies:
  – ViewAll toggles between different displays
  – ShowOptions allows setting the page up and viewing in different modes

Page 25: GetCookie function

    //---------------------------------------------------------------
    // GetCookie - Returns the value of the specified cookie or null
    // if the cookie doesn't exist
    //---------------------------------------------------------------
    function GetCookie(name) {
      var result = null;
      // Pad with a leading space and a trailing ";" so that every
      // cookie in the string has the form " name=value;"
      var myCookie = " " + document.cookie + ";";
      var searchName = " " + name + "=";
      var startOfCookie = myCookie.indexOf(searchName);
      var endOfCookie;
      if (startOfCookie != -1) {
        startOfCookie += searchName.length; // skip past cookie name
        endOfCookie = myCookie.indexOf(";", startOfCookie);
        // unescape() reverses the escape() applied by SetCookie
        result = unescape(myCookie.substring(startOfCookie, endOfCookie));
      }
      return result;
    }
    //---------------------------------------------------------------

Page 26: SetCookie function

    //---------------------------------------------------------------
    // SetCookie - Adds or replaces a cookie. Use null for parameters
    // that you don't care about
    //---------------------------------------------------------------
    function SetCookie(name, value, expires, path, domain, secure) {
      // expires is a Date object; each optional attribute is appended
      // only when a value was supplied
      var expString = ((expires == null) ? "" : ("; expires=" + expires.toGMTString()));
      var pathString = ((path == null) ? "" : ("; path=" + path));
      var domainString = ((domain == null) ? "" : ("; domain=" + domain));
      // "secure" tells the browser to send the cookie over HTTPS only
      var secureString = ((secure == true) ? "; secure" : "");
      document.cookie = name + "=" + escape(value) + expString + pathString + domainString + secureString;
    }

Page 27: ClearCookie function

    //---------------------------------------------------------------
    // ClearCookie - Removes a cookie by setting an expiration date
    // three days in the past
    //---------------------------------------------------------------
    function ClearCookie(name) {
      var ThreeDays = 3 * 24 * 60 * 60 * 1000; // in milliseconds
      var expDate = new Date();
      expDate.setTime(expDate.getTime() - ThreeDays);
      // No path or domain is given here, so this only removes a cookie
      // that was set without those attributes
      document.cookie = name + "=ImOutOfHere; expires=" + expDate.toGMTString();
    }

Page 28: Future of cookies

- The Internet Engineering Task Force (IETF) committee (HTTP Working Group):
  – Trust Mechanisms and “Proposed HTTP State Management Mechanism”.
    » http://www.ietf.cnri.reston.va.us/html.charters/http-charter.html
- Draft specs resemble Netscape’s but more conservative

Page 29: The “DoubleClick Controversy”

Profiling

Page 30: DoubleClick

Personal data sent to DoubleClick servers includes:

- My Email address
- My full name
- My mailing address (street, city, state, and Zip code)
- My phone number

Transactional data sent to DoubleClick includes:

- Names of VHS movies I am interested in buying
- Details of a plane trip
- Search phrases used at search engines
- Health conditions

See Richard Smith’s http://users.rcn.com/rms2000/privacy/

Page 31: Double Click

AltaVista Yellow Pages -- Complete home address (Fixed January 2000)
Banner ad URL: http://live.av.com/scripts/search.dll?ep=7&gca=address&orderby=distance&sstreet=172+mason+terr&scity=brookline&sstate=MA&szip=02446&scountry=USA&query=sinsa&qname=&sic=&ck=&userid=130782922&userpw=.&uh=130782922,0,&ccity=brookline&cstate=MA&ver=hb1.2.2
Referring URL: http://ad.doubleclick.net/ad/my.av.com/findanything;sz=468x60;ord=8089440000

RealNetworks -- Registration information (Fixed December 1999)
Banner ad URL: http://ad.doubleclick.net/ad/real.networks/banner;sect=download;sz=468x60;ord=4296?
Referring URL: http://proforma.real.com/real/player/player.html?RApromo=&language=English&s=1&dc=161514&src=000103realhome%2Cnav%2C991228choice&first_name=Richard&last_name=Smith&[email protected]&country=US&product=&platform=Windows+98&speed=Pentium&connection=256+kbps+xDSL%2FCable&notices=Yes

Page 32: Double Click

AltaVista -- Search string
Banner ad URL: http://ad.doubleclick.net/adi/altavista.digital.com/result_front;kw=sports+cars;cat=stext;ord=203730346
Referring URL: http://www.altavista.com/cgi-bin/query?pg=q&sc=on&hl=on&q=sports+cars&kl=XX&stype=stext&search.x=39&search.y=11

Travelocity -- Plane trip information
Banner ad URL: http://ad.doubleclick.net/ad/travelocity.TRAVELOCITY.com/aircairline;orig=BOS;dest=LAS
Referring URL: http://dps1.travelocity.com:80/lognguest.ctl?SEQ=950480201958005

Buy.com -- Movie title
Banner ad URL: http://ad.doubleclick.net/ad/buy.videos.sm/videos-search;kw=enemy+of+the+state;cat=videos-search;sz=120x90;title=1;num=123456?
Referring URL: http://www.buy.com/videos/searchresults.asp?searchtype=1&format=1&qu=enemy+of+the+state

drkoop.com -- Health condition information
Banner ad URL: http://ad.doubleclick.net/ad/dr.koop.dart/diabetes;sz=120x60;ord=870204?
Referring URL: http://www.drkoop.com/conditions/diabetes/

Amazon/Internet Movie Database (IMDb) -- Movie SKU
Banner ad URL: http://ad.doubleclick.net/ad/www.imdb.com/Title;p=Title;sz=468x60;kw=76759;g=Sci;g=Act;g=Adv;ord=145171
Referring URL: http://us.imdb.com/Title?0076759

Page 33: Double Click

HealthCentral -- Email address
Banner ad URL: http://ad.doubleclick.net/adi/www.healthcentral.com/newsletters/main;cat=health;ord=13065
Referring URL: http://www.healthcentral.com/newsletters/[email protected]&NewsLetterType=Specific&Subscription=Dr.+Dean+Digest&x=37&y=12

Amazon/Internet Movie Database (IMDb) -- Birthday
Banner ad URL: http://ad.doubleclick.net/ad/www.imdb.com/OnThisDay;p=OnThisDay;sz=468x60;ord=142577
Referring URL: http://us.imdb.com/OnThisDay?day=28&month=November

Travelocity -- Email address
Banner ad URL: http://m.doubleclick.net/viewad/59705-295964options_old.gif
Referring URL: http://dps1.travelocity.com/[email protected]
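A check a site owner could run over their own pages to catch the kind of leak listed on these slides, where form data in the page URL travels to an ad server as the referring URL. This is an added example, not part of the original slides; the function names, the parameter-name list and the sample URLs (built on reserved example domains) are assumptions, and the two-label domain comparison is a simplification.

```javascript
// Added example: flag personal data in a page URL that a request to a
// third-party host (banner ad, 1x1 image) would expose as the referring URL.

// Parameter names that carry personal data. The list is an assumption,
// modelled on the names visible in the URLs quoted on the slides.
const PII_PARAM =
  /^(e?mail|first_?name|last_?name|phone|s?street|s?city|s?state|s?zip)$/i;
const EMAIL_VALUE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;

// Simplified "same site" test: compare the last two host labels.
// Production code should use the Public Suffix List instead.
function siteOf(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Returns whether the embedded resource is third-party and, if so,
// which query parameters of the page URL it would learn.
function auditRefererLeak(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const resource = new URL(resourceUrl);
  const thirdParty = siteOf(page.hostname) !== siteOf(resource.hostname);
  const leaks = [];
  if (thirdParty) {
    for (const [param, value] of page.searchParams) {
      if (value === '') continue;            // empty fields leak nothing
      if (PII_PARAM.test(param)) {
        leaks.push({ param, reason: 'personal-data parameter name' });
      } else if (EMAIL_VALUE.test(value)) {
        leaks.push({ param, reason: 'value looks like an e-mail address' });
      }
    }
  }
  return { thirdParty, leaks };
}

// What the third party sees when the page limits the referrer to its
// origin (the effect of the HTTP header "Referrer-Policy: origin").
function originOnly(pageUrl) {
  return new URL(pageUrl).origin + '/';
}

// Constructed sample input, not taken from the slides.
const SAMPLE_PAGE =
  'http://www.shop.example/register?first_name=Alice&last_name=Example' +
  '&email=alice%40example.org&country=US&product=';
const SAMPLE_AD = 'http://ads.example.net/ad/banner;sz=468x60;ord=1';
```

Submitting such forms with POST keeps the fields out of the URL in the first place, so there is nothing for the referring URL to carry.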

Page 34: Doubleclick, 24/7, Link Exchange, Engage

- Hundreds of publishers and dozens of networks
- DART -- direct ad serving technology, Closed loop, Local, international, “boomerang”
- “can break profiles down into as many as 800 different interest categories.”
- Merging with other databases?
- Stalking suit?

Page 35: More cookie information

- Andy’s Cookie pages, at:
  – http://www.illuminatus.com/cookie.fcgi
- Cookie Central
  – http://www.cookiecentral.com
- Alternative browsers’ support for cookies, at:
  – http://www.research.digital.com/nsl/formtest/stats-by-test/NetscapeCookie.html

Page 36: And even more...

- http://www.cnet.com/Content/Voices/Barr/042996/index.html
  – The Truth about cookies (from C|Net).
- http://www.jasmin.com/cook0696.html
  – Jasmin: Making it Personal with Cookies
- http://www.emf.net/~mal/cookiesinfo.html
  – Malcolm's Guide to Persistent Cookies resources
- http://www.cam.org/~githerr/privacy.htm
  – Privacy and protection on the Internet
- http://www.anonymizer.com/
  – Anonymous Surfing

Page 37: More resources

- See Junkbusters: http://www.junkbusters.com/ht/en/ijbfaq.html
- Privacy Foundation: http://www.privacyfoundation.org/index.cfm