In recent years there has been ample discussion regarding the use of cookies and the implications of privacy violations to users visiting websites which use cookies. This article seeks to inform our clients about some of the misconceptions regarding cookie use, what practical reasons cookies serve, and give details about our own cookie usage policies regarding client projects.

This article assumes an understanding of terms used: "Client" refers to a web browser application (such as Mozilla Firefox, Google Chrome, Opera, Safari, Microsoft Internet Explorer/Edge or another popular web browser). "Server" refers to a website and the physical computer hosting the website.

What are cookies?

When a client connects to a server to view a website, information is exchanged between the two to form the connection. If a secure connection is requested by the client, further information is exchanged to create the secured connection. Generally and in most cases, when the initial connection is made the server will save small fragments of information in a cache with the client. This allows the server to better recognize the client among all of the other connections to the server.

These small data fragments are commonly referred to as Cookies. For security purposes, web browsers allow websites to save cookies in the web browser's cookie cache (cookie jar), however web browsers will not allow a website to edit or read information on a cookie that another website saved in the browser's cookie jar.

Valid uses for cookies

Cookies have many valid uses, and when used correctly - and with respect to the user - they pose no risk to security or privacy. One such example of proper use of cookies (and one of the most common uses for cookies) is the session ID cookie.

When a client first connects to a server, in most cases the server will look to see if it recognizes the client from a previous connection. If it does not, the server will generate a random and unique number and assign it to the client. Part of this assignment process involves setting a cookie in the client's cookie jar containing this unique random number. This unique random number is called a Session ID, and it allows the server to differentiate the specific client against all clients that have ever connected to the server.

This process is similar to having everyone in a room take a number from a hat. The person holding the hat is the server, where the people taking numbers are the clients. When the clients communicate with the server, they announce themselves using their number. If some people leave the room and others join, the new participants draw a new random number from the hat. While there may be a few "Jim's" in the room, there is only one "4" and one "7," and at this point the person with the hat can communicate with both "Jim's" independently, securely and with confidence.

Like our example with the numbers in the hat, session ID's are randomly generated unique numbers. They contain no information beyond the number on the ID. The number its self is not relevant outside of the server, and it is not generated based on any information that the client provides. In this sense, even if the number is intercepted by a malicious individual, it poses no inherent security or privacy risk to the client.

In fact, by creating a unique ID for each client session with the server, the server is able to provide a platform for increased security and privacy for the client. While our example is relatively simple, implementation of increased security regarding session IDs is a much more complicated subject involving more moving pieces than necessary for our example.

Do cookies violate privacy?

This question has caused much debate over the past few years. The simple answer is that when used correctly and with respect cookies should not pose a security or privacy risk; however, when misused or completely abused cookies can pose a significant security or privacy risk.

As mentioned above, when a client connects to a server specific information must be exchanged to enable data transfers over a network of any kind (and the Internet is no exception). Some of the information that must be exchange is as follows: the client's IP address, the date and time of the connection, and the page on the website that the client is requesting to view. If a server were to set a cookie during the client's connections with a tracking ID, the server could then use the required connection information along with the tracking ID number to build a timeline showing details about the user's interaction with the server/website.

The tracking ID in this example could be a totally random number (like the session id), or it could be a number that was generated based on information present about the client. Either way, it serves as a unique identifier relative to a given client which allows the server to record information about what a client is doing while using the website.

Where this is taken a step further is in the context of large search providers, which rely on tracking cookies to provide metrics regarding website interaction from websites which use services provided by these large providers. Because the initial connections to these websites also connect to services provided by these large providers, it enables the servers of the large providers to check any tracking cookies that their servers have previously set, as well as log information about that external connection.

While the logged information is kept private with the with the service provider, the client is generally not aware that this information transaction is happening. While considered unethical in most circles, there are websites which would sell this logged information where legally applicable. Of course this extreme example does create a privacy risk for clients, especially when the client did not elect to partake in this transaction.

This process, however, is not a true reflection of how cookies generally work, merely an example of how they can be abused to collect information from clients.

Respecting user privacy

In short, cookies, when used correctly, supplement privacy and security for the server and the client; however, when used incorrectly, or in a way that does not focus on respecting the client, cookies can be used to create security or privacy risks for clients.

We take a different approach when developing custom applications for our clients. Our use of cookies is only provided where absolutely necessary in order to maintain functionality of the application as a whole. We believe in respecting the clients of our clients and take every effort available to ensure that your clients can use your application with full confidence.

Does my website use cookies?

In most cases the answer to this question is "yes"; however, it really depends on how your website/application is designed, what external services are used, and what services your website or application provides to your clients.

While cookies are an absolutely necessary part of the server client relationship, when used correctly they pose no risks to your clients. If you have specific questions about what cookies your website uses please give us a call so that we can walk you through the technical side of your services.