McGraw-Hill - $34.95


Update (5/12/2000): Microsoft Internet Explorer browsers for Windows (5.01 and earlier) have a bug that allows hostile code to access cookie information from multiple sites. The initial report is at Peacefire, and Slashdot also has discussion.

Privacy advocates and web architects have battled over cookies for the last few years. Initially introduced in Netscape 1.1 as a way for developers to store tiny amounts of information on client computers, cookies have been praised as a powerful convenience and damned as Orwellian big brothers keeping excessively close track of user behavior. Cookies have spread from CGI programming to JavaScripting, and are an important part of the toolbox for most client- and server-side Web development environments.

The most important thing that cookies do is allow developers to maintain state across a series of transactions. When HTTP was first developed, it assumed transactions without connections to each other. Every document fetch was a separate action, with no record kept of the referring document. Server administrators could examine their logs to see who had visited, but firewalls, dynamic IP addresses, and the scanty information kept in those logs made it difficult to identify invidual users and the paths they had taken through a site. By placing a small "nametag" or other information on the client computer, it's easy to tell if a visitor has been to a site previously, and connect the identity of that visitor to other information kept on the server. Cookies allow site administrators to follow users as they travel through a site, and allow them to store a small amount of information on the client (like the classic shopping basket).

Cookies have always been covered in the web development literature, but usually with a quick nod, a light example, and a gentle warning about the privacy implications of such strange sleuths. Their structure is extremely simple, a mere container for simple variable data, but the implications are enormous. Sites that want to create shopping environments and sites interested in collecting data on the browsing habits of their readers are two of the most common environments for cookie use, but subscription systems, security systems, and even hypertext art forms can also make use of cookies.

Cookies have also fed a lot of paranoia. While it's extremely difficult to use a cookie to spread a virus or otherwise damage a user's computer, many still see them as a dangerous invasion of privacy. Despite early horror stories, cookies aren't left 'available' to any web page that comes along. The New York Times cookies can't be read by the Wall Street Journal's web site or vice versa, and no site is allowed more than 20 cookies period. Cookies remain limited in size and scope, and can't give away information that hasn't been entered by the user into a web page. Still, the use of cookies to follow visitors through sites and to identify individual users gives privacy advocates shivers. Browsers have long included a 'refuse cookies' option, but the privacy advocates would like to see cookies more tightly restricted and more loudly announced.

While cookies were initially.developed by Netscape, Microsoft has endorsed them enthusiastically and made them a core part of many of its tools, as well as its web sites. While both vendors use the same cookies, the ways in which they apply them are frequently quite different. Similar tools can use significantly different methods to obtain the same result, while remaining compatible with browsers from both parties. The simple structure of cookies has shielded them from incompatibilities to some extent, but developers will need to know how different servers and different technologies apply them.

In addition, cookies are facing their greatest changes since their early appearances in Netscape 1.1 and 2.0. The Internet Engineering Task Force (IETF) is nearing approval of the controversial RFC 2109, which includes both a specification for the contents of cookies (endorsing and extending the existing Netscape standard) and a rules covering the ways servers and browsers should handle cookies. At the same time, Netscape, Firefly, and VeriSign (with the support of Microsoft, Sun, IBM, HP, and a horde of other computer, financial, and media companies) have proposed the Open Profiling Standard to address many of the privacy and identification issues raised by cookies. Rather than require web sites to ask for information repetitively, OPS starts by having users enter personal information, then releases it (with consent) when requested. While not strictly a cookie, OPS has similar implications and performs many of the same tasks in a more secure way.

Developers use cookies constantly, and many developers may not even know that the tools they use are producing cookies. Cookie management is a serious task, with serious implications for web site architecture. Although HTTP has developed significantly over the last few years, it remains a stateless protocol with few signs of a transition toward a more thoroughly connected means of communication. Cookies fill in the gaps between HTTP transactions and turn short quotes into conversations.

Cookies includes coverage of:

Order Cookies from!

Order Cookies from!


Cookies is available in Japanese and Portuguese. The Japanese edition is published by ASCII Corporation, and has the ISBN 4-7561-2012-1. The Portuguese edition is published by Editora Berkeley, and has the ISBN 85-7251-503-8.


Code through Chapter 4 is available, with more appearing each chance I get to update it.