Talk:HTTP cookie

File extension of cookies

What file extension do cookies normally have? 87.112.48.16 (talk) 11:40, 16 January 2014 (UTC)

They don't have a standard file extension as they are not typically stored individually as files on disk. Rather, each browser has its own proprietary store format for cookies. Alistair1978 (talk) 14:23, 16 January 2014 (UTC)

Default value for path?

The article says: " If not specified, they default to the domain and path of the object that was requested." Other sources say the default value for the path is "/". The sentence is also inconsistent with the example in the paragraph above. Can someone confirm or disconfirm? —Preceding unsigned comment added by Weinzierl (talk • contribs) 02:01, 25 January 2009 (UTC)

I've clarified this with a source: the RFC is very explicit on this, and the current text was correct. However, this is the default when not sending a path attribute at all - which I have never seen in a cookie in the real world. — ErikRomijn (talk) 10:12, 4 March 2014 (UTC)

Session cookies surviving reboot

The statement "Web browsers normally delete session cookies when the user closes the browser" -Which is echoed across numerous software manual pages- may no longer be accurate.

Since 2006, some browsers have acquired a mode in which any pages open at browser shutdown are automatically reopenend at the next launch of the browser. In some implementations the session cookie from the previous instance of the page may also be cached and restored. This appears to happen even if a no-cache HTTP header has been sent. With some recent browser versions adopting this automatic page-restore mode as the default, the webmaster can no longer make any assumptions about the lifetime of session cookies.

References: 1 2 3 4

The security implications are quite far-reaching, since any oversight by the user in logging off from a website -or any systems failure which prevents manual logoff- can leave the session open to misuse by an interloper after browser shutdown, or even after a computer reboot. The user does not have to OK the saving of any password for this situation to arise. --Anteaus (talk) 21:51, 3 August 2014 (UTC)

Software for Managing Cookies

If there are programs for managing cookies, a section discussing them would be a valuable addition to this article. For example, has anyone created a program which would divide a browser's cookie list into 2 parts: 1) Protected Cookies & 2) Unprotected Cookies? Protected cookies would be cookies that the user designates to be protected, like a short list of sites for which the user wants the cookies to remain. Then the rest could be set to delete every time the browser is closed or by clicking on a menu item in the main browser menu, like "DELETE ALL UNPROTECTED COOKIES." I find it a great waste of time to have to sort through a ton of cookies & delete the undesired cookies, while keeping the few I want. Moreover, in Safari (for example) one gets a menu window with only about 6 cookies showing at a time & the confounded window spontaneously jumps around, so while you are highlighting cookies to delete, suddenly it jumps away from where you were in the list. If anyone has made a program to control such annoyances, the program should be added to this article. (EnochBethany (talk) 15:20, 24 March 2015 (UTC)) It will be work — Preceding unsigned comment added by 203.17.65.32 (talk) 09:14, 17 June 2018 (UTC)

First cookie implementation

The first implementation of HTTP cookies in a browser is attributed to 0.9beta of Mosaic Netscape. Yet none of the provides sources confirm that. An internet search also yields no actual reliable sources. Mostly it's probably reciting of this Wikipedia Article. Can anyone confirm or find a source where it's stated that that specific version had the first HTTP cookie implementation? 81.11.200.192 (talk) 11:24, 21 May 2015 (UTC)

Semi-protected edit request on 28 July 2016

Under the section: SameSite cookie

Change this sentence: A cookie is given this characteristic by adding the SameSite flag to the cookie.

To: A cookie is given this characteristic by adding the SameSite=Lax or SameSite=Strict flag to the cookie.

See: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00

SameSite needs a value of "None", "Strict", or "Lax".

2604:6000:1011:C00A:B8AA:1DF4:4835:E151 (talk) 02:22, 28 July 2016 (UTC)

Done — Andy W. (talk · ctb) 22:23, 28 July 2016 (UTC)

Merging with Secure cookies

Please add {{Merge from|Secure cookies}} to hatnotes of the article. 80.221.159.67 (talk) 21:11, 22 October 2016 (UTC)

As for reasons for merging the article itself, there is overlapping areas of information in the articles. Secure cookie page already redirects to a section of this article (HTTP cookie#Secure cookie). I don't see much of things new value to warrant a new article for secure cookies. 80.221.159.67 (talk) 21:13, 22 October 2016 (UTC)

Done — JJMC89 (T·C) 04:52, 2 November 2016 (UTC)

The Secure cookies article is an awful mix of misinformation and hearsay. Even the title would want to be changed to the singular. If there hadn't been a merge tag already, I'd have just redirected it here. There is very little worth saving that isn't already in this article. Lithopsian (talk) 16:48, 1 December 2016 (UTC)

Other kinds of cookies?

Please, fix this sentence:

> Other kinds of cookies perform essential functions in the modern web.

to:

> There are various applications for HTTP-Cookies.

The term "other kinds" is confusing, because the kind of the cookies we are talking about is the HTTP-Cookie. Wenn you talk about third-party-cookies of tracking-cookie this are different use cases of the same kind of cookie, still HTTP-Cookie. If you are talking of different kinds of cookies you mean probably: HTTP-cookies vs Flash-cookies.

External links modified

Hello fellow Wikipedians,

I have just modified one external link on HTTP cookie. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

• Added archive https://web.archive.org/web/20141015220910/https://panopticlick.eff.org/browser-uniqueness.pdf to https://panopticlick.eff.org/browser-uniqueness.pdf

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

Y An editor has reviewed this edit and fixed any errors that were found.

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 06:52, 20 May 2017 (UTC)

Semi-protected edit request on 8 September 2017

in the section concerning the origin of the word, "cookie" is declared to derive from the term "magic cookie", which itself is supposed to derive from Chinese fortune cookies. However, the article referenced in the footnote to substantiate this states exactly the oppisite—that in fact there was no allusion whatsoever to Chinese fortune cookies. So please someone erase the last clause of the sentence thank you. 139.18.242.206 (talk) 11:35, 8 September 2017 (UTC)

Done Eggishorn (talk) (contrib) 16:44, 8 September 2017 (UTC)

External links modified

Hello fellow Wikipedians,

I have just modified one external link on HTTP cookie. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

• Added archive https://web.archive.org/web/20110224183417/http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx to http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

Y An editor has reviewed this edit and fixed any errors that were found.

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 15:14, 27 October 2017 (UTC)

HTTP/1.1 vs HTTP/1.0

Can HTTP/1.1 requests produce HTTP/1.0 responses?

https://en.wikipedia.org/w/index.php?title=HTTP_cookie&oldid=813682729#Setting_a_cookie

SoniEx2 (talk) 19:08, 7 December 2017 (UTC)

Cookie Cupboards

By a cupboard of cookies, I mean the apparent "container" of that set of cookies which a browser can currently see.

The article does not clarify whether cookie cupboards on a computer are shared between different users or are individual to each user (it seems obvious that they should be individual, but maybe a superuser can do more?).

The article does not clarify whether cookie cupboards on a computer are shared between different browsers or are individual to each browser (it is not clear to me what is, and what should be, the case).

94.30.84.71 (talk) 20:57, 25 February 2018 (UTC)

Old Parameters Not Mentioned

Since Wikipedia is an encyclopedia, I would imagine that it should mention the fact that there were two (maybe more?) parameter that were obsoleted by RFC 6265. Namely, the two I was looking for are "Comment=..." and "CommentURL=...".

The description are found in RFC 2965 in section 3.2.2 and, more specifically, on page 6: https://tools.ietf.org/html/rfc2965#page-6

What do you think? Alexis Wilke (talk) 01:31, 30 January 2019 (UTC)

wrong info: This restriction eliminates the threat of cookie theft via cross-site scripting (XSS)

This restriction eliminates the threat of cookie theft via cross-site scripting (XSS)

-> Httponly cookies do not eliminate the threat but makes XSS harder.

Sources - https://www.youtube.com/watch?v=jrKOdWPZtAg - https://stackoverflow.com/questions/8064318/how-to-read-a-secure-cookie-using-javascript

Semi-protected edit request on 7 August 2019 - Grammatical Edit

please change: "These cookies are however reset if the expiration time is reached or the user manually deletes the cookie." to : "These cookies are reset if the expiration time is reached or the user manually deletes the cookie."

Deleting the word "however" in this sentence will improve grammatical structure and clarity.

Cjh3323 (talk) 17:56, 7 August 2019 (UTC)Cjh3323 Cjh3323 (talk) 17:56, 7 August 2019 (UTC)

Y Partly done. Sentence removed entirely since it was redundant. –Deacon Vorbis (carbon • videos) 20:49, 7 August 2019 (UTC)

Semi-protected edit request on 12 August 2019

Origin of the name The term "cookie" was coined by web browser programmer Lou Montulli. It was derived from the term "magic cookie", which is a packet of data a program receives and sends back unchanged, used by Unix programmers.[6][7] this is not the only known reason so add the other theory important theory as well: -> Another theory is that the name originates from the story of Hansel and Gretel, who were able to mark their trail through a dark forest by dropping cookie crumbs behind them. (https://www.lifewire.com/web-browser-cookies-3483129, https://www.giac.org/paper/gsec/226/cookie-crumbs-introduction-cookies/100727, https://www.purevpn.com/blog/all-about-internet-cookies-scty/) Reza7rm (talk) 10:29, 12 August 2019 (UTC)

It doesn't seem like these sources believe it themselves, seems like they're reporting that some people believe it. Our current source cites email correspondance with Lou Montulli. Possibly a case of folk etymology? (And didn't they drop breadcrumbs?) – Thjarkur (talk) 13:33, 17 August 2019 (UTC)

 Not done: it's not clear what changes you want to be made. Please mention the specific changes in a "change X to Y" format and provide a reliable source if appropriate. — MRD2014 (talk) 23:12, 1 September 2019 (UTC)

Update URL for web reference

Cookie theft and session hijacking > Cookiejacking

title=Security researcher finds 'cookiejacking' risk in IE

• old (HTTP 404)
  • url=http://news.cnet.com/8301-1009_3-20066419-83.html
• updated
  • url=https://www.cnet.com/news/security-researcher-finds-cookiejacking-risk-in-ie/

Chronull (talk) 12:12, 6 September 2019 (UTC)

 Partly done: I instead added the archived website to the deadlink, where you can read its contents; it is the intended citation of the original editor. --Thinker78 (talk) 15:25, 6 September 2019 (UTC)

Smaller summary

(some duplication might need removing in the first few paragraphs if this is added near the top) A cookie is a local file a webpage can use only if that webpage (or multiple webpages open at once such as the same ad network is on multiple webpages) created it. Its a way for a webpage to remember things without having access to any files that it did not create in a certain browser dir. — Preceding unsigned comment added by 75.130.139.138 (talk) 03:01, 8 October 2019 (UTC)