Providing convenience to the user and added value to the site owner is the purpose behind cookies. And despite much misinformation, cookies are not a serious security threat. Cookies are never interpreted or executed in any way and thus cannot be used to insert viruses or attack your system. Furthermore, since browsers generally only accept 20 cookies per site and 300 cookies total, and since browsers can limit each cookie to 4 kilobytes, cookies cannot be used to fill up someone's disk or launch other denial-of-service attacks.
However, even though cookies don't present a serious security threat, they can present a significant threat to privacy.
First, some people don't like the fact that search engines can remember what they previously searched for. For example, they might search for job openings or sensitive health data and don't want some banner ad tipping off their coworkers or boss next time they do a search. Besides, a search engine need not use a banner ad: a poorly designed one could display a textarea listing your most recent queries ("Jobs anywhere except at this stupid company!"; "Will my SARS infection kill my coworkers?"; etc.). A coworker could see this information if they visited the search engine from your computer or if they looked over your shoulder when you visited it.
<IMG SRC="http://some-ad-site.com/banner?data=Java+Servlets" ...>
Since the browser will make an HTTP connection to some-ad-site.com, some-ad-site.com can return a persistent cookie to the browser. Next, some-random-site.com could return an image link like this:
<IMG SRC="http://some-ad-site.com/banner" ...>
Figure 8-1. Cookie customization settings for Netscape (top) and Internet Explorer (bottom).
This trick of associating cookies with images can even be exploited through email if you use an HTML-enabled email reader that "supports" cookies and is associated with a browser. Thus, people could send you email that loads images, attach cookies to those images, and then identify you (email address and all) if you subsequently visit their Web site. Boo.
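The image-cookie linkage described above, modeled as an added example that is not part of the original text: a toy browser cookie jar and ad server showing what the ad site can correlate with and without a browser setting that refuses third-party cookies. The host `first-site.example`, the class and function names, and the blocking switch are assumptions of this model.

```python
import itertools
from urllib.parse import urlsplit, parse_qs

AD_HOST = "some-ad-site.com"

class AdServer:
    """Toy model of some-ad-site.com: one ID cookie per unknown browser."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.profiles = {}  # cookie value -> [(embedding site, data parameter)]

    def banner(self, url, embedding_site, cookie):
        data = parse_qs(urlsplit(url).query).get("data", [None])[0]
        set_cookie = None
        if cookie is None:                       # browser sent no cookie
            cookie = set_cookie = f"id{next(self._ids)}"
        self.profiles.setdefault(cookie, []).append((embedding_site, data))
        return set_cookie                        # value of Set-Cookie, or None

class Browser:
    """Toy cookie jar keyed by host (real browsers compare registrable domains)."""
    def __init__(self, block_third_party=False):
        self.jar = {}
        self.block_third_party = block_third_party

    def load_page(self, page_host, image_urls, ad_server):
        for url in image_urls:
            host = urlsplit(url).hostname
            blocked = self.block_third_party and host != page_host
            cookie = None if blocked else self.jar.get(host)
            new_cookie = ad_server.banner(url, page_host, cookie)
            if new_cookie and not blocked:
                self.jar[host] = new_cookie

def simulate(block_third_party):
    """Visit two unrelated sites that both embed an ad-site image."""
    ad, browser = AdServer(), Browser(block_third_party)
    # first-site.example is a constructed name; the URLs are the page's own.
    browser.load_page("first-site.example",
                      [f"http://{AD_HOST}/banner?data=Java+Servlets"], ad)
    browser.load_page("some-random-site.com", [f"http://{AD_HOST}/banner"], ad)
    return ad.profiles

if __name__ == "__main__":
    print("cookies accepted:   ", simulate(False))
    print("third-party blocked:", simulate(True))
```

In this model, accepting the cookie puts both visits in one profile, so the query sent from the first site is tied to the later visit to some-random-site.com. With third-party cookies refused, the ad site still receives each image request but records them under two unrelated IDs.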
The point of this discussion is twofold: