
Joe Dog Software

Proudly serving the Internets since 1999

No, A Website Doesn’t Write Cookies To Your Hard Drive

Remember Netscape Navigator? Some of you might have called it Nutscrape Irritator. Ha Ha. It’s funny because it’s true.

Well, back in the day, Netscape was the shizzle. All of a sudden this stupid gopher thing was filled with images and colors. We were all happily browsing in a 3D colorful world when the lamestream media “discovered” Netscape. They poked around and saw the names of sites they had visited. The names were associated with weird strings they didn’t understand.

“Hmmm, what’s this?” an intrepid cub reporter asked.

“Oh, those? They’re called cookies.”

“How did they get here?”

Now Your JoeDog doesn’t know how that question was answered back in 1995 but fsck that guy. Since the moment some wanna-be tech writer discovered cookies, we’ve been dealing with cookie hysteria. Someone is writing things to our hard drive! Yeah, you know who’s doing that? You are.

Here’s the problem: Hypertext transfer protocol (HTTP) is stateless. You send a request to a server and it sends something back. The server doesn’t hear from you until you make another request. There’s nothing in each ensuing request to positively identify you as the person who made that last request. To get around this problem, Netscape invented the magic cookie.

How does it work? We’ll nerdsplain after the jump….

For all its pretty pictures, snazzy colors and moving parts, the web is really just a bunch of text-based client requests and server replies. You never actually see these requests when you browse the web. They are messages that pass between your browser and a server. When you click a link, you send a request which looks similar to this:

GET / HTTP/1.0
Accept: */*
User-Agent: Googlebot   <= Ha Ha! Somebody’s forging the Googlebot!
Connection: close

Here’s what that request says to the server, “Hey, would you mind giving me the root index page. I’ll accept any type of encoding you got.”

Then the server’s all “Yeah, sure, here’s your page. Would you mind if we stay in touch? I’ll send you an identifier so I know who you are.”

HTTP/1.1 200 OK
Date: Fri, 28 Nov 2014 16:04:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: __cfduid=dab63c1769c672d055a57e5f684b339291417190680; expires=Sat, 28-Nov-15 16:04:40 GMT; path=/;; HttpOnly
Vary: Accept-Encoding,Cookie

See that Set-Cookie line? That’s a cookie. It’s just one line of the key-value pairs that comprise an HTTP response header. At this point, you have a choice. You can keep the cookie until November 28, 2015 and return it whenever you visit the site OR you can just ignore it. If you keep the cookie, then you write it to your hard drive. The web server has no control over that cookie once it puts it in the header.

At this point, you can return the cookie with each ensuing request or you can ignore it. If you choose to play by the rules, then your ensuing requests will look like this:

GET / HTTP/1.1
Cookie: __cfduid=d37b6c32c6d5e159582f63e71ac3b47a11417191605
Accept: */*
Accept-Encoding: gzip
User-Agent: Googlebot
Connection: close

When it received that request, my server was all “Hey, I know you — the smarmy guy who complains too much.” It knows me better than I know myself….
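Here’s that keep-it-or-ignore-it choice as a small Python sketch. It’s an added example, not code from the original post: `CookieJar` and its `accept` flag are hypothetical names, and the response text is the one shown above with the Date header dropped.

```python
from datetime import datetime, timezone

RESPONSE = (  # the page's example response, Date header omitted
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: __cfduid=dab63c1769c672d055a57e5f684b339291417190680; "
    "expires=Sat, 28-Nov-15 16:04:40 GMT; path=/;; HttpOnly\r\n"
    "Vary: Accept-Encoding,Cookie\r\n\r\n"
)

def parse_set_cookie(raw_response):
    """Return one dict per Set-Cookie header found in a raw response."""
    cookies = []
    for line in raw_response.split("\r\n")[1:]:
        header, _, value = line.partition(":")
        if header.strip().lower() != "set-cookie":
            continue
        # Empty segments (the ";;" above) are skipped.
        parts = [p.strip() for p in value.split(";") if p.strip()]
        name, _, val = parts[0].partition("=")
        cookie = {"name": name, "value": val, "expires": None, "path": "/"}
        for attr in parts[1:]:
            key, _, v = attr.partition("=")
            if key.lower() == "expires":
                cookie["expires"] = datetime.strptime(
                    v, "%a, %d-%b-%y %H:%M:%S GMT").replace(tzinfo=timezone.utc)
            elif key.lower() == "path":
                cookie["path"] = v
        cookies.append(cookie)
    return cookies

class CookieJar:
    """Hypothetical client-side store; `accept` is the client's own policy."""
    def __init__(self, accept=True):
        self.accept, self.store = accept, {}
    def receive(self, raw_response):
        if self.accept:  # keeping the cookie is the client's decision
            for c in parse_set_cookie(raw_response):
                self.store[c["name"]] = c
    def request(self, path, now):
        # Only unexpired cookies whose path matches go back to the server.
        live = [c for c in self.store.values()
                if (c["expires"] is None or now < c["expires"])
                and path.startswith(c["path"])]
        lines = [f"GET {path} HTTP/1.1"]
        if live:
            lines.append("Cookie: " + "; ".join(f"{c['name']}={c['value']}" for c in live))
        lines += ["Accept: */*", "Connection: close", "", ""]
        return "\r\n".join(lines)
```

A jar built with `accept=False` sends the same request minus the Cookie line, and a jar that kept the cookie stops sending it once the expiry date has passed.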