There is a great deal of misinformation about browser cookies, in regards to what their capabilities are and what they are used for.
I find it easiest to compare a cookie to a temporary visa issued by a country with strict internal transit rules for visitors, such as Burma or North Korea. On entering such a country, your visa is stamped with the time and port of entry. The Burmese junta will know which flight you arrived on (and thus where you came from) but will not be aware of any trips made before your flight. Once you have landed, your movement though the country is likely to be tracked, with new entries stamped in your visa when you enter certain provinces or militarily sensitive areas. When you leave, the visa will be given a last stamp that includes the date that you exited the country, and the Burmese will know of your immediate destination, but not of your movement after the aircraft touches down on foreign soil. No other country can read the visa, as it is written in Burmese.
Similarly, cookies are issued per domain. They can contain any information that you, the visitor, provide, and may record actions you take on the site: what pages you visit, how long you stayed, what you clicked on, etc. They can also record where you came from and where you left to (but not actions taken before or after that point). Any information that you enter into a form can be stored inside a cookie (but any information that is personally identifiable should not, as cookies are not secure). Browser and operating system information (browser version, resolution, etc) could also be included. This information is stored on the client, either temporarily (while the browser is running) or permanently, and the data held inside cookies can be checked when the user returns.
There are a few other restrictions on cookies:
- A limit of 20 cookies can be sent from any domain to the client
- Cookies can be blocked, modified, copied, or deleted by the client.
- Cookies should never be used as an absolute means of authentication.
- Cookies can contain strings or numbers, to a maximum of 4096 bytes.
- Cookies cannot be read by other domains.
Finally, cookies are threatened long-term by the advent of HTML5's
localStorage() in a later article.)