Security and Cookies

• Some users don't like the idea that a Web server can write to their hard disk, however innocuously. In fact, there is no (real) danger in accepting cookies - for example, cookies cannot spread viruses.
   
  
• Users worry that cookies might be used to send secret information about them to a server. In fact, the cookie which is returned is exactly the same as that which was sent.
   
  
• Users are concerned that other Web servers might find out information about you by reading cookies set by different servers. In fact, browsers follow very strict rules to ensure that cookies are only returned to the server (and/or specific CGI program) which originally sent them.
   
  
• Users worry that Web servers can track their "click-through" behaviour using cookies. In fact, this is true, and is a potential privacy issue.
   
  
• Browsers allow the user to turn off acceptance of cookies, and some users do this. Therefore a shopping cart application cannot rely on the existence of cookies to maintain state information.

• http://home.netscape.com/newsref/std/cookie_spec.html
• http://www.illuminatus.com/cookie.fcgi
• http://www.etrust.org/
• http://catless.ncl.ac.uk/Risks/18.19.html#subj3
• http://catless.ncl.ac.uk/Risks/18.20.html#subj11