I've never actually heard anyone explain what a cookie is in terms that a business person will understand and feel the need to pay attention to. Most people only hear is that cookies pose some kind of risk - and they do, but the risk isn't what most people think it is and this is actually a very dangerous piece of misinformation for businesses.
What is a cookie?
A cookie is nothing more than a variable that can hold some value. For example, if I am surfing a website that contains regional content - at some point I will be asked what city I live in. If I type in the answer, then a cookie called "city" may be stored on my local computer. Now there is a variable called city holding the text "Victoria". This data is stored on my local computer and the only website that may read it - is the website that stored it.
Does the entire world now know where I live?
No. Cookies can only be read by the same website that created the cookie. So if you go to www.yada.com and a cookie gets stored - that cookie can only be read by yada.com. Similarly, yada.com can not store cookies for www.blabla.com to pick up - because your web browser will not allow it.
So, the website that creates the cookie is the website that reads the cookie - and websites can not set up cookies for each other. For your information to get spread around - the site that collected the information (the website you typed answers into) has to misuse it. You will never hit a site by accident and have all your cookies read.
Can your cookies be stolen?
Trojan: A program that appears desirable but actually contains something harmful, the contents of a Trojan can be a virus or some activity tracking software.
The Real Cookie Threat
Thus far in the discussion we have talked about the threat that cookies pose to web surfers. At best, this is a common misconception. So, what is the real threat and why are browsers capable of blocking cookies?
- pretend to be someone else,
- create errors on your server (by replacing variable data with serverside executable code),
- hmm... I'd have to think about it.
To solve this problem many companies encrypt their cookies so that tampering with a cookie will just break the cookie. Your system will then ignore the cookie, or deny that person access.
If cookies are safe for websurfers, why are web browsers capable of blocking cookies?
This is a systems issue and the choice to block cookies should be made by the system administrator or IT team. Here's the problem. If Jack and Jill work in the same office and Jill is out to lunch, Jack could walk over to her machine and copy her cookies to a disk. He could then copy the cookies again onto his own machine. Now, even if the cookies are encrypted, Jack has Jill's cookies. So, if Jill is using the "remember password" feature on a site - Jack has that encrypted access cookie. Now Jack can access company intranet systems as if he was Jill. Maybe Jill has greater access than Jack? Big risk for business.
These are the two major security issues with cookies and they apply to businesses.
Now that the tech team and the business team share a common understanding of the cookie threat - you should discuss these points and more;
- Do your websites depend on cookes to track user information? If so, what protection mesures are in place to ensure that no third party can create a fake cookie?
- Do your staff computers permit cookies - and are those cookies well protected?