Cookies

What are cookies?

Most private home pages on the World Wide Web are just simple, static pages. Some services, however, offer more complex, interactive transaction sequences where the contents of each page retrieved depend on choices you have made earlier. A shopping site is one example: you pick things you would like to buy, and in the end you get a list of everything you have chosen. Other sites offer personalized news, which depends on certain personal preferences.

Before, these things weren't possible, or only with great effort. The reason is that each request for a page is independent of all previous requests. The server has no way of telling that this request was made by you, and thus it doesn't know the details needed to construct the personalized response.

To overcome these limitations, Netscape developed a persistent client state mechanism called cookies. The W3 Consortium has adopted this mechanism and enhanced it. You can find a full description in RFC 2109. AWeb complies with this definition to ensure maximum privacy and security.

With the cookie mechanism, a server essentially has a way to say to the browser program: "keep this information on your hard disk, and include it in every future request for a page on this server."

Your privacy

Using cookies, many interesting services can be realized that otherwise wouldn't have been possible.

Unfortunately, cookies can also be abused to track your steps on the World Wide Web. Many pages contain a banner advert image or a counter. Many of those images are located on the same server. They set a cookie in your browser, and every time you visit another page with a banner or counter image that comes from their server, your personal cookie is sent back to the server. Although this cookie doesn't contain any real personal information that you haven't supplied yourself (how could it?), this practice does allow companies to obtain a perfect picture of your websurfing habits. Fortunately, AWeb offers facilities to protect yourself against this kind of privacy violation.

Protection levels

AWeb offers three levels of protection against cookie misuse. You can change this level in the network settings window.

Level: Description

Never: AWeb will never remember a cookie, and will never send back a cookie to the server. This gives you maximum privacy, but it makes the use of personalized sites impossible.

Ask before set: Every time the server asks AWeb to remember a cookie, the cookie alert requester is shown. You can decide if you want AWeb to remember the cookie or not.

Always (quiet): AWeb will always accept requests to set a cookie, and will always send them back to the server whenever appropriate.

Cookie alert

If you have set Cookie usage to "Ask before set", AWeb will open a requester every time the server wants to set a cookie. This requester contains the following information, depending on what the server included in its request:

Name: The name of the cookie to set.

Value: The value to remember for this cookie.

Domain: If the domain does not start with a period, this cookie will be sent back only in requests for files from this exact domain (server). If the domain starts with a period, the cookie will be sent back in requests for files from all domains with a name equal to this name with one part prepended. For example: cookies for domain ".foo.bar" will be sent back in requests for files from "zoo.foo.bar", "blah.foo.bar", but not "cat.mouse.foo.bar" because this name has two parts prepended.

Path: The cookie will only be sent back in requests for files on the server from this path, or from subdirectories in this path.

Comment: A description of the purpose of the cookie. Not all servers supply a comment with their cookies yet.

Max-age: The maximum number of seconds that the cookie details should be remembered. After this time the cookie will be forgotten.

Expires: The date and time until the cookie details should be remembered. After this moment the cookie will be forgotten.

Cookies without Max-age or Expires are only valid during the current session, and are never saved to disk.

At the bottom of the requester, AWeb states whether this cookie will be sent back to the server in all cases, or only over secure connections.
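
The send-back rules described by the Domain, Path and secure-connection fields above, written out as an added example (this is not AWeb's own code). The cookie names, hosts and the `Cookie` class are made up for illustration, and the path rule is one reading of "subdirectories in this path".

```python
# Added example: the send-back rules from the cookie alert fields above.
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    domain: str           # ".foo.bar" (leading period) or "www.foo.bar" (exact)
    path: str = "/"
    secure: bool = False  # True: sent back only over secure connections

def domain_matches(cookie_domain: str, host: str) -> bool:
    cookie_domain, host = cookie_domain.lower(), host.lower()
    if not cookie_domain.startswith("."):
        return host == cookie_domain           # exact domain (server) only
    if not host.endswith(cookie_domain):
        return False
    prefix = host[: -len(cookie_domain)]       # what was prepended
    return prefix != "" and "." not in prefix  # exactly one part

def path_matches(cookie_path: str, request_path: str) -> bool:
    # Assumption: "subdirectories in this path" is read on directory
    # boundaries, so "/shop" covers "/shop/cart" but not "/shopping".
    if request_path == cookie_path:
        return True
    base = cookie_path if cookie_path.endswith("/") else cookie_path + "/"
    return request_path.startswith(base)

def should_send(cookie: Cookie, host: str, path: str, secure_conn: bool) -> bool:
    if cookie.secure and not secure_conn:
        return False
    return domain_matches(cookie.domain, host) and path_matches(cookie.path, path)

# Constructed sample jar (names and hosts are made up for illustration).
JAR = [
    Cookie("track", ".foo.bar"),
    Cookie("basket", "www.foo.bar", "/shop"),
    Cookie("login", "www.foo.bar", "/", secure=True),
]

def cookies_for(host: str, path: str, secure_conn: bool) -> list:
    return [c.name for c in JAR if should_send(c, host, path, secure_conn)]

if __name__ == "__main__":
    print(cookies_for("www.foo.bar", "/shop/cart.html", False))
    print(cookies_for("www.foo.bar", "/index.html", True))
    print(cookies_for("cat.mouse.foo.bar", "/", True))
```
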

In this requester, you have the following options:

Once: Accept this cookie this time only. It will be sent back in requests that match the domain and path. The next time the server wants to change the value of this cookie, AWeb will show the cookie requester again.

Accept: Accept this cookie, and all future updates of this cookie. "This cookie" is the cookie identified by its name, domain and path.

Never: Do not remember this cookie, and add the domain to the No-cookie list. Future attempts by this server to set a cookie will be denied automatically. Note that this option saves your network settings.

Cancel: Do not remember this cookie this time.

RFC 2109 protection

As mentioned above, the W3 consortium has developed an enhanced mechanism for cookies, with better protection of your privacy. This mechanism basically sends back the domain and path for which the cookie was originally set. This way, the server can check whether the cookie really was set by that server and not by some spoofing site. This enhanced mechanism was carefully designed so that it would be compatible with the existing limited mechanism introduced by Netscape.

Unfortunately, some servers are using cookies in such a way that the enhanced mechanism actually produces incompatible results. If you encounter problems like a site complaining that your browser doesn't support cookies (but you have turned cookie usage on), try disabling the RFC 2109 mechanism.
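
The server-side check this section describes, sketched as an added example (not code from AWeb or from any particular server). The header values are constructed samples using the `$Version`, `$Path` and `$Domain` attributes of RFC 2109; the function names and the choice to keep cookies that carry no scope are assumptions.

```python
# Added example: checking the scope an RFC 2109 client echoes back.
def parse_cookie_header(value):
    """Return (version, cookies) for a Cookie header value.
    Simplification: splits on ";" only, so quoted values that
    contain ";" or "," are not handled."""
    version, cookies = None, []
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        val = val.strip().strip('"')
        if key.lower() == "$version":
            version = val
        elif key.lower() == "$path" and cookies:
            cookies[-1]["path"] = val        # scope of the preceding cookie
        elif key.lower() == "$domain" and cookies:
            cookies[-1]["domain"] = val
        elif key and not key.startswith("$"):
            cookies.append({"name": key, "value": val,
                            "path": None, "domain": None})
    return version, cookies

def trusted_cookies(value, expected_domain, expected_path):
    """Keep cookies whose echoed scope is the one this server set.
    Assumption: cookies without echoed scope (older mechanism) are
    kept, because the server then has nothing to check against."""
    _version, cookies = parse_cookie_header(value)
    kept = {}
    for c in cookies:
        if c["domain"] not in (None, expected_domain):
            continue
        if c["path"] not in (None, expected_path):
            continue
        kept[c["name"]] = c["value"]
    return kept

# Constructed samples: "visitor" was set for the whole ".foo.bar" domain,
# "basket" by www.foo.bar itself for path "/shop".
RFC2109_SAMPLE = ('$Version="1"; basket="42"; $Path="/shop"; '
                  '$Domain="www.foo.bar"; visitor="7"; $Path="/"; '
                  '$Domain=".foo.bar"')
NETSCAPE_SAMPLE = "basket=42; visitor=7"

if __name__ == "__main__":
    print(trusted_cookies(RFC2109_SAMPLE, "www.foo.bar", "/shop"))
    print(trusted_cookies(NETSCAPE_SAMPLE, "www.foo.bar", "/shop"))
```

With the older header form the server sees only names and values, so both cookies pass; with the echoed scope it can drop the one it did not set.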

Cookie file

Cookies are saved in a file named AWCK, located in your cache directory. This is a readable file, and you are allowed to edit it in order to remove cookies or change their details.

Note that the appearance of the keyword "*ACCEPT;" means that you have accepted future updates of this cookie. If you remove this keyword, the cookie alert requester will be shown again when the server tries to update this cookie.

