Another cookie story. Fix yourself a glass of milk and enjoy the read.
=========================================== Care of Karen Kenworthy winmag.com and Windows Magazine winmag.com; ===========================================
Cookie Crumbs
There's no reason to keep the ingredients of your browser cookies secret; our utility tells you what's inside.
Don't you just love cookies? Those tasty nuggets are small, just the right size for a quick snack, and full of sweet surprises such as chocolate chips, raisins or nuts. No wonder they're so popular.
And no wonder the folks at Netscape chose the name cookie for a feature of their Navigator browser. Their cookies are small files, just the right size to be quickly transmitted across the Internet. And browser cookies are filled with bits of information, some of it quite surprising.
Browser cookies have another delicious quality: They let Web pages communicate with each other. That wasn't possible in the Internet's early days. Nor was it necessary. The World Wide Web was originally used to publish scientific papers and other documents. When somebody clicked on a hyperlink or typed a new URL, the exact location of the information was sent to the server, and Web servers responded by sending the requested page. Web servers knew nothing about the person requesting the information. As a result they had no way to customize their replies to suit the needs of individual users.
Affairs of state
The Web's original design made online sales, interactive customer support, games and many other attractive applications impossible. To do these things, Web pages must talk to each other. For example, a page that lets you select an item to purchase must be able to pass that information to another page that displays total charges. This sort of data is what programmers call state information. It allows Web pages to be constantly apprised of the state of your visit (what decisions you've already made and what information you've already entered) and to act accordingly.
Cookies provide a solution to the state information problem, by allowing Web sites to store small amounts of state information on your hard disk. Later, that same site, or a closely related site, can retrieve that information. Together with advances in server-side programming, cookies make many of the Web's most exciting uses possible.
Security
Unfortunately, cookies' ability to store this information led many to believe they posed a serious security risk. Some claimed cookies allowed Web sites to learn private information about their visitors. Others suggested cookies could damage your computer by transporting and concealing a computer virus.
Fortunately, these early fears have proven unfounded. Cookies are just text files; they can't contain a virus. Cookies do contain information you've voluntarily provided a Web site by entering data in forms, visiting pages and so on. But because Web sites can only read cookies they themselves created, a cookie can't reveal anything to any other Web site.
So, far from being a threat, cookies can actually enhance security and privacy by letting Web sites store information about you on your computer's hard disk. If cookies didn't exist, this same information would be stored in a large database on the Web site's computer, far away from your control or inspection.
WinMag Cookie Viewer
To allow you to see cookies for yourself, I wrote this month's Power Tool, the WinMag Cookie Viewer (shown in "Cookie Jar"). It helps you locate cookies stored on your computer, and displays the information found within them. Then, you can decide for yourself if they pose a risk to security or privacy.
First, the Cookie Viewer finds your cookies. That's harder than it seems because Microsoft's Internet Explorer and Netscape's Navigator disagree about where and how to store cookies. Internet Explorer stores each cookie in a separate text file. Navigator's cookie jar is a file named COOKIES.TXT, and each cookie occupies one line of the file.
The Windows Registry reveals where each browser keeps its cookie stash. The Registry entry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies contains the name of the folder used by Internet Explorer 4.0 to store its cookie files. The folder used by older versions of Internet Explorer can be found in the Registry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\SpecialPaths\Cookies\Directory.
File finder
Locating the cookie file used by Navigator 4.0 requires two steps. First, you must retrieve the name of the current Navigator user from the Registry at HKEY_LOCAL_MACHINE\Software\Netscape\Netscape Navigator\Users\CurrentUser. Then you can find the name of the cookie file's directory by reading the Registry entry HKEY_LOCAL_MACHINE\Software\Netscape\Netscape Navigator\Users\<username>\DirRoot (where <username> is replaced by the user name retrieved a moment ago). Older versions of Netscape store the full pathname of their cookie files in the Registry at HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Cookies\Cookie File.
Our Cookie Viewer checks all these Registry entries and displays each location where cookies are found. Radio buttons let you select the batch of cookies you'd like to view. The sidebar "Sniff Out Those Sweets" shows how the program uses a subroutine named ReadReg to retrieve one cookie location and store it in a variable named loc. The program then calls a subroutine named StripNulls in line 3 to remove any trailing null characters (bytes containing all zeros). Finally, in line 5, the location is stored in a radio button's Caption property. If the Registry entry doesn't exist, the corresponding radio button is made invisible in line 7. The ReadReg and StripNulls routines hide the complexity of the Registry's read and write functions, allowing us to retrieve Registry information with a single Visual Basic statement.
The Cookie Viewer also has a Browse button. This lets us view hidden or orphaned cookies. But use caution when browsing for cookies. Cookie files don't have a unique filename extension; instead, they share the TXT extension with all other text files. Although the Cookie Viewer is resilient, it might choke if fed anything other than real cookies.
Cookie recipe
Once you've selected a cookie location, our program displays a list of the cookies found there. If Internet Explorer created the cookies, the names of the individual cookie files are displayed in the program's Cookie list box. When asked to show the contents of a Navigator COOKIES.TXT file, the program displays a list of cookie names instead.
Click on the name of an individual cookie file or cookie, and the Cookie Viewer shows that cookie's four key ingredients. The Available To text box reveals which Web pages can read the cookie's data. Like a standard URL, this cookie entry consists of a Web site's domain name, followed by a pathname. This will be the URL of either the page that created the cookie, or a close relative of that page.
A Web page can retrieve a cookie if the page's URL matches this entry. To be considered a match, the domain name of the page's URL must end with the domain name portion of the Available To entry, and the pathname portion of the page's URL must begin with the pathname portion of the cookie entry. For example, if a cookie is available to xyz.com/catalog, then pages at the Web site xyz.com that reside in the directory /catalog (or its subdirectories) can read the cookie's data.
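The matching rule above, written out as an added example (not the Cookie Viewer's code; the function names and sample URLs are made up for illustration). It goes one step beyond the text: the second function applies the same rule on whole host-label and path-segment boundaries, as RFC 6265 later specified, which is the reading to use when judging from the Available To field who can see a cookie.

```python
# Added example, not from the Cookie Viewer source. Function names are
# hypothetical and the URLs are constructed for illustration.
from urllib.parse import urlsplit


def split_entry(available_to):
    """Split an 'Available To' entry such as 'xyz.com/catalog' into (domain, path)."""
    domain, slash, rest = available_to.partition("/")
    return domain.lower(), ("/" + rest if slash else "/")


def host_and_path(url):
    """Return the lower-cased host and the path ('/' if empty) of a page URL."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def matches_as_described(url, available_to):
    """The article's rule: host ends with the domain, path begins with the path."""
    domain, path = split_entry(available_to)
    host, url_path = host_and_path(url)
    return host.endswith(domain) and url_path.startswith(path)


def matches_on_boundaries(url, available_to):
    """Same rule, but the match must fall on a whole host label and path segment."""
    domain, path = split_entry(available_to)
    host, url_path = host_and_path(url)
    bare = domain.lstrip(".")
    host_ok = host == bare or host.endswith("." + bare)
    path_ok = url_path.startswith(path) and (
        url_path == path or path.endswith("/") or url_path[len(path)] == "/")
    return host_ok and path_ok


SAMPLE_URLS = [  # constructed
    "http://xyz.com/catalog/item1.html",    # same site, inside /catalog
    "http://www.xyz.com/catalog",           # subdomain of xyz.com
    "http://abcxyz.com/catalog/",           # different site, same trailing letters
    "http://xyz.com/catalogue/index.html",  # different directory, same prefix
    "http://xyz.com/support/",              # same site, other directory
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, matches_as_described(url, "xyz.com/catalog"),
              matches_on_boundaries(url, "xyz.com/catalog"))
```

The two functions agree on the first, second and last URLs and differ on the third and fourth, where plain string comparison accepts a host or directory that only shares leading or trailing characters with the entry.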
Now, the good stuff
Next, the Cookie Viewer displays the cookie's all-important filling: data names and data values. You can think of a cookie's data name as a sort of variable name, used to identify data for later retrieval. The cookie's data value is the information stored within that variable. As you'd expect, cookie data names and values always come in pairs. Each cookie must contain at least one pair, but can contain more.
Cookies with multiple name/data pairs are like double-stuffed sandwich cookies, with twice the normal filling (or even more). When the Cookie Viewer encounters such a jumbo cookie, it displays a small horizontal scroll control near the bottom of its main window. This allows you to scroll through the cookie's name/value pairs, viewing each one in turn.
At the bottom of the Cookie Viewer's main window you'll see the last bit of cookie information it displays: the cookie's Secure setting. This setting is either True (Yes) or False (No). If True, the cookie's data can only be transmitted over a secure Internet connection. This setting usually indicates the cookie contains sensitive data such as a credit card number. If the Secure setting is False, cookie data can be transmitted over any type of Internet connection.
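As an added example (not the Cookie Viewer's Visual Basic code), here is one way to pull the four ingredients described above out of a Navigator COOKIES.TXT file, where each cookie occupies one line. It assumes the seven tab-separated columns of the Netscape cookie file layout (domain, subdomain flag, path, secure flag, expiry time, name, value); the sample lines and the function name are constructed, and lines that are not cookies are reported rather than guessed at.

```python
# Added example, not the Cookie Viewer's code. Assumes the 7-column,
# tab-separated Netscape cookie file layout; SAMPLE is constructed.
from collections import namedtuple
from datetime import datetime, timezone

Cookie = namedtuple("Cookie", "available_to name value secure expires")

SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    "\n"
    ".xyz.com\tTRUE\t/catalog\tFALSE\t915148800\tSession-Time\t904608000\n"
    "shop.xyz.com\tFALSE\t/checkout\tTRUE\t915148800\tMC1\tGUID=0123456789abcdef\n"
    "this line is not a cookie\n"
)


def parse_cookies_txt(text):
    """Return (cookies, rejected_line_numbers) for the text of a COOKIES.TXT file."""
    cookies, rejected = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comment lines carry no cookie
        fields = line.split("\t")
        well_formed = (len(fields) == 7
                       and fields[3] in ("TRUE", "FALSE")
                       and fields[4].isdigit())
        if not well_formed:
            rejected.append(number)  # some other text file or a damaged line
            continue
        domain, _subdomains, path, secure, expiry, name, value = fields
        cookies.append(Cookie(
            available_to=domain + path,   # what the viewer calls "Available To"
            name=name,
            value=value,
            secure=(secure == "TRUE"),    # True: sent over secure connections only
            expires=datetime.fromtimestamp(int(expiry), tz=timezone.utc),
        ))
    return cookies, rejected


if __name__ == "__main__":
    found, bad_lines = parse_cookies_txt(SAMPLE)
    for cookie in found:
        print(cookie)
    print("lines that are not cookies:", bad_lines)
```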
What kind of data will you find inside your cookies? For the most part, it's pretty vanilla stuff. Most cookies contain nothing more than a series of numbers. These numbers tell the Web site which pages you've visited, or retain your site preference settings between visits. Other cookies might contain the time of your last visit. Credit card and vendor account information, if present, is usually encrypted in a way only the Web site understands. The data's name (such as "Session-Time") might give you a clue to the data's meaning. But some data names (such as "MC1") aren't nearly as much help.
Some cookie data you won't find at all. That's because Web browsers can create temporary cookies in your computer's RAM. These cookies only exist as long as you remain connected to the Web site that created them; they disappear once you exit your browser or visit another site.
Taste test
If you'd like to give the WinMag Cookie Viewer a try, you can download it from my WINDOWS Magazine home page at winmag.com. As always, it's free. I've included Visual Basic 5.0 source code for those of you who'd like to peek under the hood or customize the program to suit your needs. If you don't have a copy of the Visual Basic 5.0 Development System, you can modify the program using the free Visual Basic Control Creation Edition (VBCCE) available from Microsoft's Web site.
Cookie Jar
Microsoft's Internet Explorer 4.0 stores cookies in individual files. Click on one in Cookie Viewer, and you'll see that cookie's four main ingredients.
Sniff Out Those Sweets
The Cookie Viewer locates Internet Explorer 4.0's cookie directory by reading the Windows Registry.
1 Dim loc As String
2 loc = ReadReg(HKEY_CURRENT_USER, _
      "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", _
      "Cookies", "")                  ' read the Cookies value
3 loc = StripNulls(loc)               ' drop trailing null characters
4 If loc > "" Then
5     optBrowser(0).Caption = loc     ' show the folder on the radio button
6 Else
7     optBrowser(0).Visible = False   ' no Registry entry: hide the button
8 End If
Numbers in red are for reference only
© 1998 Windows Magazine September 1998, Page 205.