SlideShare una empresa de Scribd logo

Cookies

Descargar como PPT, PDF
Creative Secondary School
Creative Secondary School
1 de 35
Maintaining State in PHP Part I - Cookies 1
xHTML - a ‘stateless’ environment stateless (adj.) Having no information about what occurred previously. • Most modern applications maintain state, which means that they remember what you were doing last time you ran the application, and they remember all your configuration settings. This is extremely useful because it means you can mould the application to your working habits. • Each request for a new web page is processed without any knowledge of previous pages requested or processed. 2
How do they do that? For example: A user ‘logs in’ to a web page. Once logged in, the user can browse the site while maintaining their logged in state. 3
Is PHP stateless? • Variables are destroyed as soon as the page script finishes executing. • The script can access the ‘referrer’, the address of the previous page, although this can’t really be trusted. $_SERVER['HTTP_REFERER'] • It is possible to add data to a database/text file to add persistent data, although this is not connected with a particular user… 4
Is PHP Stateless… No! • The usual way to maintain state in PHP pages is via the use of Sessions. • To understand how these work, we need to have a look at what and how cookies are.. 5
Taking the Byte Out of Cookies: Privacy, Consent, and the Web Daniel Lin Department of Computer Science University of Illinois at Urbana-Champaign Michael C. Loui Department of Electrical and Computer Engineering, and Coordinated Science Laboratory University of Illinois at Urbana-Champaign 6
Introduction • What is different about our concerns with privacy when we deal with the Internet? • Our contributions: – Difference between the collection and centralization of information. – The role of informed consent in the theory of privacy – Reasonable expectation of privacy and Internet cookies 7
Theories of Privacy • Right “to be let alone” (Warren & Brandeis) • Control of information (Fried, …) • Undocumented personal knowledge (Parent) • Privacy as restricted access (Gavison) – Secrecy – Anonymity – Solitude – Loss of privacy versus violation of privacy • Why privacy is important (Rachels, Benn) 8
Informed Consent and the Collection of Information • Disclosure • Comprehension • Voluntariness • Competence • Consent 9
Collection of Personal Information • An ethical collection of personal information causes a loss of privacy – Obtaining informed consent is sufficient but not necessary for an ethical collection of personal information • An unethical collection of personal information causes a violation of privacy – Collection of personal information is unethical when it does not comport with the reasonable expectation of privacy for this situation 10
Centralization of Information • Assembling personal information from multiple sources, originally collected for different purposes: “digital dossier” • Violation of privacy with no extra loss of privacy: – Composite portrait out of context – Unauthorized subsets of information 11
Reasonable Expectation of Privacy • Natural versus normative privacy (Moor) • Privacy in public places (Nissenbaum) – Supermarket: public place – Shopping cart: private in public? • The Internet – Home office: private place – Web access: public in private? 12
Internet Cookies • The Internet – Reasonable expectations of privacy are neither firmly rooted nor well developed • What are Internet cookies? – Internet cookies allow a Web site to gather and store information about our visit to that Web site 13
What is a Cookie? • A cookie is a small text file that is stored on a user’s computer. • Each cookie on the user’s computer is connected to a particular domain. • Each cookie be used to store up to 4kB of data. • A maximum of 20 cookies can be stored on a user’s PC per domain. 14
Example (1) 1. User sends a request for page at www.example.com for the first time. page request 15
Example (2) 2. Server sends back the page xhtml to the browser AND stores some data in a cookie on the user’s PC. xhtml cookie data 16
Example (1) 3. At the next page request for domain www.example.com, all cookie data associated with this domain is sent too. page request cookie data 17
Set a cookie setcookie(name [,value [,expire [,path [,domain [,secure]]]]]) name = cookie name value = data to store (string) expire = UNIX timestamp when the cookie expires. Default is that cookie expires when browser is closed. path = Path on the server within and below which the cookie is available on. domain = Domain at which the cookie is available for. secure = If cookie should be sent over HTTPS connection only. Default false. 18
Set a cookie - examples setcookie(‘name’,’Robert’) This command will set the cookie called name on the user’s PC containing the data Robert. It will be available to all pages in the same directory or subdirectory of the page that set it (the default path and domain). It will expire and be deleted when the browser is closed (default expire). 19
Set a cookie - examples setcookie(‘age’,’20’,time() +60*60*24*30) This command will set the cookie called age on the user’s PC containing the data 20. It will be available to all pages in the same directory or subdirectory of the page that set it (the default path and domain). It will expire and be deleted after 30 days. 20
Set a cookie - examples setcookie(‘gender’,’male’,0,’/’) This command will set the cookie called gender on the user’s PC containing the data male. It will be available within the entire domain that set it. It will expire and be deleted when the browser is closed. 21
Read cookie data • All cookie data is available through the superglobal $_COOKIE: $variable = $_COOKIE[‘cookie_name’] or $variable = $HTTP_COOKIE_VARS[‘cookie_name’]; e.g. $age = $_COOKIE[‘age’] 22
Storing an array.. • Only strings can be stored in Cookie files. • To store an array in a cookie, convert it to a string by using the serialize() PHP function. • The array can be reconstructed using the unserialize() function once it had been read back in. • Remember cookie size is limited! 23
Delete a cookie • To remove a cookie, simply overwrite the cookie with a new one with an expiry time in the past… setcookie(‘cookie_name’,’’,time()-6000) • Note that theoretically any number taken away from the time() function should do, but due to variations in local computer times, it is advisable to use a day or two. 24
To be first.. HEADER REQUESTS • As the setcookie command involves sending a HTTP header request, it must be executed before any xhtml is echoed to the browser, including whitespace. echoed whitespace before correct! setcookie incorrect. 25
Malicious Cookie Usage • There is a bit of a stigma attached to cookies – and they can be maliciously used (e.g. set via 3rd party banner ads). • The important thing to note is that some people browse with them turned off. e.g. in FF, Tools > Options > Privacy 26
The USER is in control • Cookies are stored client-side, so never trust them completely: They can be easily viewed, modified or created by a 3 rd party. • They can be turned on and off at will by the user. 27
What do Cookies Look Like? • All cookies contain the same information: – The name of the cookie – The value of the cookie – An expiration date – The path for which the cookie is valid – The domain for which the cookie is valid – A flag indicating whether the cookie requires secure transport 28
What do Cookies Look Like? • An example cookie file from a UNIX workstation using Netscape: # Netscape HTTP Cookie File # http://www.netscape.com/newsref/std/cookie_spec.html # This is a generated file! Do not edit. victory.cnn.com FALSE / FALSE 942189160 NGUserID cf1947b7-20682- 881794064-1 revenue.infi.net FALSE / FALSE 942189160 KRRC d083adf8-4235- 882047182-1 adserv.newcentury.net FALSE / FALSE 942189160 NGUserID d101991f- 10174-882047153-1 .doubleclick.net TRUE / FALSE 1920499140 id 117828a6 .illuminatus.com TRUE / FALSE 945734399 Count 1 29
Argument Against Cookies (Mayer-Schoenberger) • Cookies are stored on the user’s computer without the user’s consent or knowledge • Cookies are clandestinely and automatically transferred from the user’s computer to the Web server • Because cookies allow the Web server to set an expiration date, they violate the “accuracy” and “timeliness” principles in the European Union Directive on the Protection of Personal Data • Once the cookie is set, it is freely accessible to Web servers: FALSE 30
Morally Permissible Cookies Collection of Personal Information • Customer preferences • Online shopping 31 Mr. Smith
Immoral Uses of Cookies Centralization of Personal Information In order to measure our browsing behavior, target marketers track us over the Internet by adding cookies to the advertisement banners on so many Web pages. Is such a use of cookies ethical? Does it fit within a reasonable expectation of privacy on the Web? 32
Development of Cookie “Awareness” • Most Web browsers allow the user to configure their cookie options: Netscape Navigator Netscape Communicator 33
Summary and Conclusions • If the collection of personal information exceeds a reasonable expectation of privacy, obtaining informed consent makes such a collection ethical. If the collection of information lies within a reasonable expectation, informed consent does not seem necessary. • Internet cookies are a tool. They can be used in both morally permissible and immoral ways. • In general, Web servers cannot obtain your personal information unless you explicitly give it (e-mail address, credit card numbers, home address, phone number). • Do cookie notifications provide sufficient information for an informed choice? • Cookie notification detracts from the usability of Web browsers. How to improve? 34
What went wrong (The Cookie Concept) •Introduced for good reason: Helping users access their favorite web sites easily from the second time onwards. •Sometimes used by unscrupulous entities for other reasons: It happened that some marketing firms tried to use this to access private information for advertising campaigns. 35

Recomendados

Cookies & Session
Cookies & SessionCookies & Session
Cookies & Session
university of education,Lahore
 
Learning jQuery in 30 minutes
Learning jQuery in 30 minutesLearning jQuery in 30 minutes
Learning jQuery in 30 minutes
Simon Willison
 
PHP - Introduction to PHP Forms
PHP - Introduction to PHP FormsPHP - Introduction to PHP Forms
PHP - Introduction to PHP Forms
Vibrant Technologies & Computers
 
Ajax ppt - 32 slides
Ajax ppt - 32 slidesAjax ppt - 32 slides
Ajax ppt - 32 slides
Smithss25
 
Ajax presentation
Ajax presentationAjax presentation
Ajax presentation
Bharat_Kumawat
 
PHP - Introduction to PHP AJAX
PHP - Introduction to PHP AJAXPHP - Introduction to PHP AJAX
PHP - Introduction to PHP AJAX
Vibrant Technologies & Computers
 
Css animation
Css animationCss animation
Css animation
Aaron King
 
Java servlets
Java servletsJava servlets
Java servlets
lopjuan
 

Recomendados

Cookies & Session
Cookies & SessionCookies & Session
Cookies & Session
university of education,Lahore
 
Learning jQuery in 30 minutes
Learning jQuery in 30 minutesLearning jQuery in 30 minutes
Learning jQuery in 30 minutes
Simon Willison
 
PHP - Introduction to PHP Forms
PHP - Introduction to PHP FormsPHP - Introduction to PHP Forms
PHP - Introduction to PHP Forms
Vibrant Technologies & Computers
 
Ajax ppt - 32 slides
Ajax ppt - 32 slidesAjax ppt - 32 slides
Ajax ppt - 32 slides
Smithss25
 
Ajax presentation
Ajax presentationAjax presentation
Ajax presentation
Bharat_Kumawat
 
PHP - Introduction to PHP AJAX
PHP - Introduction to PHP AJAXPHP - Introduction to PHP AJAX
PHP - Introduction to PHP AJAX
Vibrant Technologies & Computers
 
Css animation
Css animationCss animation
Css animation
Aaron King
 
Java servlets
Java servletsJava servlets
Java servlets
lopjuan
 
jQuery from the very beginning
jQuery from the very beginningjQuery from the very beginning
jQuery from the very beginning
Anis Ahmad
 
Javascript
JavascriptJavascript
Javascript
Manav Prasad
 
新浪微博Feed服务架构
新浪微博Feed服务架构新浪微博Feed服务架构
新浪微博Feed服务架构
XiaoJun Hong
 
JSON and XML
JSON and XMLJSON and XML
JSON and XML
People Strategists
 
Json
JsonJson
Json
Shyamala Prayaga
 
Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessions
Lena Petsenchuk
 
HTML Forms
HTML FormsHTML Forms
HTML Forms
Nisa Soomro
 
JavaScript
JavaScriptJavaScript
JavaScript
Vidyut Singhania
 
JavaScript - Chapter 10 - Strings and Arrays
JavaScript - Chapter 10 - Strings and Arrays JavaScript - Chapter 10 - Strings and Arrays
JavaScript - Chapter 10 - Strings and Arrays
WebStackAcademy
 
jQuery
jQueryjQuery
jQuery
Dileep Mishra
 
jQuery for beginners
jQuery for beginnersjQuery for beginners
jQuery for beginners
Arulmurugan Rajaraman
 
Ajax
AjaxAjax
Ajax
Tech_MX
 
Mysql
MysqlMysql
Mysql
Rathan Raj
 
Php sessions & cookies
Php sessions & cookiesPhp sessions & cookies
Php sessions & cookies
baabtra.com - No. 1 supplier of quality freshers
 
Ajax Ppt 1
Ajax Ppt 1Ajax Ppt 1
Ajax Ppt 1
JayaPrakash.m
 
Ajax and Jquery
Ajax and JqueryAjax and Jquery
Ajax and Jquery
People Strategists
 
Introduction to Python Celery
Introduction to Python CeleryIntroduction to Python Celery
Introduction to Python Celery
Mahendra M
 
Web development using HTML and CSS
Web development using HTML and CSSWeb development using HTML and CSS
Web development using HTML and CSS
SiddhantSingh980217
 
Asynchronous JavaScript Programming
Asynchronous JavaScript ProgrammingAsynchronous JavaScript Programming
Asynchronous JavaScript Programming
Haim Michael
 
Html form tag
Html form tagHtml form tag
Html form tag
shreyachougule
 
Secondary school uniforms and accessorise catalogue 2014
Secondary school uniforms and accessorise catalogue 2014Secondary school uniforms and accessorise catalogue 2014
Secondary school uniforms and accessorise catalogue 2014
Rachel Hickson
 
Learning Science in Secondary Education using Flipped Learning methodology an...
Learning Science in Secondary Education using Flipped Learning methodology an...Learning Science in Secondary Education using Flipped Learning methodology an...
Learning Science in Secondary Education using Flipped Learning methodology an...
João Sousa
 

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

jQuery from the very beginning
jQuery from the very beginningjQuery from the very beginning
jQuery from the very beginning
 
Javascript
JavascriptJavascript
Javascript
 
新浪微博Feed服务架构
新浪微博Feed服务架构新浪微博Feed服务架构
新浪微博Feed服务架构
 
JSON and XML
JSON and XMLJSON and XML
JSON and XML
 
Json
JsonJson
Json
 
Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessions
 
HTML Forms
HTML FormsHTML Forms
HTML Forms
 
JavaScript
JavaScriptJavaScript
JavaScript
 
JavaScript - Chapter 10 - Strings and Arrays
JavaScript - Chapter 10 - Strings and Arrays JavaScript - Chapter 10 - Strings and Arrays
JavaScript - Chapter 10 - Strings and Arrays
 
jQuery
jQueryjQuery
jQuery
 
jQuery for beginners
jQuery for beginnersjQuery for beginners
jQuery for beginners
 
Ajax
AjaxAjax
Ajax
 
Mysql
MysqlMysql
Mysql
 
Php sessions & cookies
Php sessions & cookiesPhp sessions & cookies
Php sessions & cookies
 
Ajax Ppt 1
Ajax Ppt 1Ajax Ppt 1
Ajax Ppt 1
 
Ajax and Jquery
Ajax and JqueryAjax and Jquery
Ajax and Jquery
 
Introduction to Python Celery
Introduction to Python CeleryIntroduction to Python Celery
Introduction to Python Celery
 
Web development using HTML and CSS
Web development using HTML and CSSWeb development using HTML and CSS
Web development using HTML and CSS
 
Asynchronous JavaScript Programming
Asynchronous JavaScript ProgrammingAsynchronous JavaScript Programming
Asynchronous JavaScript Programming
 
Html form tag
Html form tagHtml form tag
Html form tag
 

Destacado

Research on acid burn victims in Pakistan
Research on acid burn victims in Pakistan Research on acid burn victims in Pakistan
Research on acid burn victims in Pakistan
Ahmed Jalal
 
Depression and Inclusion in Secondary and Middle School
Depression and Inclusion in Secondary and Middle SchoolDepression and Inclusion in Secondary and Middle School
Depression and Inclusion in Secondary and Middle School
jordanswain
 

Destacado (8)

Secondary school uniforms and accessorise catalogue 2014
Secondary school uniforms and accessorise catalogue 2014Secondary school uniforms and accessorise catalogue 2014
Secondary school uniforms and accessorise catalogue 2014
 
Learning Science in Secondary Education using Flipped Learning methodology an...
Learning Science in Secondary Education using Flipped Learning methodology an...Learning Science in Secondary Education using Flipped Learning methodology an...
Learning Science in Secondary Education using Flipped Learning methodology an...
 
Influence of curriculum characteristics on empowerment of talented secondary ...
Influence of curriculum characteristics on empowerment of talented secondary ...Influence of curriculum characteristics on empowerment of talented secondary ...
Influence of curriculum characteristics on empowerment of talented secondary ...
 
Adolescence
AdolescenceAdolescence
Adolescence
 
Research on acid burn victims in Pakistan
Research on acid burn victims in Pakistan Research on acid burn victims in Pakistan
Research on acid burn victims in Pakistan
 
Depression and Inclusion in Secondary and Middle School
Depression and Inclusion in Secondary and Middle SchoolDepression and Inclusion in Secondary and Middle School
Depression and Inclusion in Secondary and Middle School
 
Games Based Learning in Secondary Schools
Games Based Learning in Secondary SchoolsGames Based Learning in Secondary Schools
Games Based Learning in Secondary Schools
 
Making Games Based Learning Work in Secondary Schools
Making Games Based Learning Work in Secondary SchoolsMaking Games Based Learning Work in Secondary Schools
Making Games Based Learning Work in Secondary Schools
 

Similar a Cookies

Web app development_cookies_sessions_14
Web app development_cookies_sessions_14Web app development_cookies_sessions_14
Web app development_cookies_sessions_14
Hassen Poreya
 
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
David Johansson
 
Ch4(saving state with cookies and query strings)
Ch4(saving state with cookies and query strings)Ch4(saving state with cookies and query strings)
Ch4(saving state with cookies and query strings)
Chhom Karath
 
Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessions
Sukrit Gupta
 
HTTP cookie hijacking in the wild: security and privacy implications
HTTP cookie hijacking in the wild: security and privacy implicationsHTTP cookie hijacking in the wild: security and privacy implications
HTTP cookie hijacking in the wild: security and privacy implications
Priyanka Aash
 
Cookie replay attack unit wise presentation
Cookie replay attack unit wise presentationCookie replay attack unit wise presentation
Cookie replay attack unit wise presentation
Nilu Desai
 

Similar a Cookies (20)

Internet Cookies
Internet CookiesInternet Cookies
Internet Cookies
 
Web app development_cookies_sessions_14
Web app development_cookies_sessions_14Web app development_cookies_sessions_14
Web app development_cookies_sessions_14
 
Sessions and cookies
Sessions and cookiesSessions and cookies
Sessions and cookies
 
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
OWASP AppSec USA 2017: Cookie Security – Myths and Misconceptions by David Jo...
 
16 cookies
16 cookies16 cookies
16 cookies
 
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
 
Ch4(saving state with cookies and query strings)
Ch4(saving state with cookies and query strings)Ch4(saving state with cookies and query strings)
Ch4(saving state with cookies and query strings)
 
PHP COOKIES AND SESSIONS
PHP COOKIES AND SESSIONSPHP COOKIES AND SESSIONS
PHP COOKIES AND SESSIONS
 
owncloud overview
owncloud overview owncloud overview
owncloud overview
 
Data Mining - GCPCUG May 2011
Data Mining - GCPCUG May 2011Data Mining - GCPCUG May 2011
Data Mining - GCPCUG May 2011
 
Cookies and sessions
Cookies and sessionsCookies and sessions
Cookies and sessions
 
Next generation storage: eliminating the guesswork and avoiding forklift upgrade
Next generation storage: eliminating the guesswork and avoiding forklift upgradeNext generation storage: eliminating the guesswork and avoiding forklift upgrade
Next generation storage: eliminating the guesswork and avoiding forklift upgrade
 
HTTP cookie hijacking in the wild: security and privacy implications
HTTP cookie hijacking in the wild: security and privacy implicationsHTTP cookie hijacking in the wild: security and privacy implications
HTTP cookie hijacking in the wild: security and privacy implications
 
A Brave New World
A Brave New WorldA Brave New World
A Brave New World
 
Mini-Training: To cache or not to cache
Mini-Training: To cache or not to cacheMini-Training: To cache or not to cache
Mini-Training: To cache or not to cache
 
Alluxio Presentation at Strata San Jose 2016
Alluxio Presentation at Strata San Jose 2016Alluxio Presentation at Strata San Jose 2016
Alluxio Presentation at Strata San Jose 2016
 
Genealogy in the Cloud - NGS 2015
Genealogy in the Cloud - NGS 2015Genealogy in the Cloud - NGS 2015
Genealogy in the Cloud - NGS 2015
 
What is Nginx and Why You Should to Use it with Wordpress Hosting
What is Nginx and Why You Should to Use it with Wordpress HostingWhat is Nginx and Why You Should to Use it with Wordpress Hosting
What is Nginx and Why You Should to Use it with Wordpress Hosting
 
Chapter 13 web security
Chapter 13 web securityChapter 13 web security
Chapter 13 web security
 
Cookie replay attack unit wise presentation
Cookie replay attack unit wise presentationCookie replay attack unit wise presentation
Cookie replay attack unit wise presentation
 

Cookies

  • 1. Maintaining State in PHP Part I - Cookies 1
  • 2. xHTML - a ‘stateless’ environment stateless (adj.) Having no information about what occurred previously. • Most modern applications maintain state, which means that they remember what you were doing last time you ran the application, and they remember all your configuration settings. This is extremely useful because it means you can mould the application to your working habits. • Each request for a new web page is processed without any knowledge of previous pages requested or processed. 2
  • 3. How do they do that? For example: A user ‘logs in’ to a web page. Once logged in, the user can browse the site while maintaining their logged in state. 3
  • 4. Is PHP stateless? • Variables are destroyed as soon as the page script finishes executing. • The script can access the ‘referrer’, the address of the previous page, although this can’t really be trusted. $_SERVER['HTTP_REFERER'] • It is possible to add data to a database/text file to add persistent data, although this is not connected with a particular user… 4
  • 5. Is PHP Stateless… No! • The usual way to maintain state in PHP pages is via the use of Sessions. • To understand how these work, we need to have a look at what and how cookies are.. 5
  • 6. Taking the Byte Out of Cookies: Privacy, Consent, and the Web Daniel Lin Department of Computer Science University of Illinois at Urbana-Champaign Michael C. Loui Department of Electrical and Computer Engineering, and Coordinated Science Laboratory University of Illinois at Urbana-Champaign 6
  • 7. Introduction • What is different about our concerns with privacy when we deal with the Internet? • Our contributions: – Difference between the collection and centralization of information. – The role of informed consent in the theory of privacy – Reasonable expectation of privacy and Internet cookies 7
  • 8. Theories of Privacy • Right “to be let alone” (Warren & Brandeis) • Control of information (Fried, …) • Undocumented personal knowledge (Parent) • Privacy as restricted access (Gavison) – Secrecy – Anonymity – Solitude – Loss of privacy versus violation of privacy • Why privacy is important (Rachels, Benn) 8
  • 9. Informed Consent and the Collection of Information • Disclosure • Comprehension • Voluntariness • Competence • Consent 9
  • 10. Collection of Personal Information • An ethical collection of personal information causes a loss of privacy – Obtaining informed consent is sufficient but not necessary for an ethical collection of personal information • An unethical collection of personal information causes a violation of privacy – Collection of personal information is unethical when it does not comport with the reasonable expectation of privacy for this situation 10
  • 11. Centralization of Information • Assembling personal information from multiple sources, originally collected for different purposes: “digital dossier” • Violation of privacy with no extra loss of privacy: – Composite portrait out of context – Unauthorized subsets of information 11
  • 12. Reasonable Expectation of Privacy • Natural versus normative privacy (Moor) • Privacy in public places (Nissenbaum) – Supermarket: public place – Shopping cart: private in public? • The Internet – Home office: private place – Web access: public in private? 12
  • 13. Internet Cookies • The Internet – Reasonable expectations of privacy are neither firmly rooted nor well developed • What are Internet cookies? – Internet cookies allow a Web site to gather and store information about our visit to that Web site 13
  • 14. What is a Cookie? • A cookie is a small text file that is stored on a user’s computer. • Each cookie on the user’s computer is connected to a particular domain. • Each cookie be used to store up to 4kB of data. • A maximum of 20 cookies can be stored on a user’s PC per domain. 14
  • 15. Example (1) 1. User sends a request for page at www.example.com for the first time. page request 15
  • 16. Example (2) 2. Server sends back the page xhtml to the browser AND stores some data in a cookie on the user’s PC. xhtml cookie data 16
  • 17. Example (1) 3. At the next page request for domain www.example.com, all cookie data associated with this domain is sent too. page request cookie data 17
  • 18. Set a cookie setcookie(name [,value [,expire [,path [,domain [,secure]]]]]) name = cookie name value = data to store (string) expire = UNIX timestamp when the cookie expires. Default is that cookie expires when browser is closed. path = Path on the server within and below which the cookie is available on. domain = Domain at which the cookie is available for. secure = If cookie should be sent over HTTPS connection only. Default false. 18
  • 19. Set a cookie - examples setcookie(‘name’,’Robert’) This command will set the cookie called name on the user’s PC containing the data Robert. It will be available to all pages in the same directory or subdirectory of the page that set it (the default path and domain). It will expire and be deleted when the browser is closed (default expire). 19
  • 20. Set a cookie - examples setcookie(‘age’,’20’,time() +60*60*24*30) This command will set the cookie called age on the user’s PC containing the data 20. It will be available to all pages in the same directory or subdirectory of the page that set it (the default path and domain). It will expire and be deleted after 30 days. 20
  • 21. Set a cookie - examples setcookie(‘gender’,’male’,0,’/’) This command will set the cookie called gender on the user’s PC containing the data male. It will be available within the entire domain that set it. It will expire and be deleted when the browser is closed. 21
  • 22. Read cookie data • All cookie data is available through the superglobal $_COOKIE: $variable = $_COOKIE[‘cookie_name’] or $variable = $HTTP_COOKIE_VARS[‘cookie_name’]; e.g. $age = $_COOKIE[‘age’] 22
  • 23. Storing an array.. • Only strings can be stored in Cookie files. • To store an array in a cookie, convert it to a string by using the serialize() PHP function. • The array can be reconstructed using the unserialize() function once it had been read back in. • Remember cookie size is limited! 23
  • 24. Delete a cookie • To remove a cookie, simply overwrite the cookie with a new one with an expiry time in the past… setcookie(‘cookie_name’,’’,time()-6000) • Note that theoretically any number taken away from the time() function should do, but due to variations in local computer times, it is advisable to use a day or two. 24
  • 25. To be first.. HEADER REQUESTS • As the setcookie command involves sending a HTTP header request, it must be executed before any xhtml is echoed to the browser, including whitespace. echoed whitespace before correct! setcookie incorrect. 25
  • 26. Malicious Cookie Usage • There is a bit of a stigma attached to cookies – and they can be maliciously used (e.g. set via 3rd party banner ads). • The important thing to note is that some people browse with them turned off. e.g. in FF, Tools > Options > Privacy 26
  • 27. The USER is in control • Cookies are stored client-side, so never trust them completely: They can be easily viewed, modified or created by a 3 rd party. • They can be turned on and off at will by the user. 27
  • 28. What do Cookies Look Like? • All cookies contain the same information: – The name of the cookie – The value of the cookie – An expiration date – The path for which the cookie is valid – The domain for which the cookie is valid – A flag indicating whether the cookie requires secure transport 28
  • 29. What do Cookies Look Like? • An example cookie file from a UNIX workstation using Netscape: # Netscape HTTP Cookie File # http://www.netscape.com/newsref/std/cookie_spec.html # This is a generated file! Do not edit. victory.cnn.com FALSE / FALSE 942189160 NGUserID cf1947b7-20682- 881794064-1 revenue.infi.net FALSE / FALSE 942189160 KRRC d083adf8-4235- 882047182-1 adserv.newcentury.net FALSE / FALSE 942189160 NGUserID d101991f- 10174-882047153-1 .doubleclick.net TRUE / FALSE 1920499140 id 117828a6 .illuminatus.com TRUE / FALSE 945734399 Count 1 29
  • 30. Argument Against Cookies (Mayer-Schoenberger) • Cookies are stored on the user’s computer without the user’s consent or knowledge • Cookies are clandestinely and automatically transferred from the user’s computer to the Web server • Because cookies allow the Web server to set an expiration date, they violate the “accuracy” and “timeliness” principles in the European Union Directive on the Protection of Personal Data • Once the cookie is set, it is freely accessible to Web servers: FALSE 30
  • 31. Morally Permissible Cookies Collection of Personal Information • Customer preferences • Online shopping 31 Mr. Smith
  • 32. Immoral Uses of Cookies Centralization of Personal Information In order to measure our browsing behavior, target marketers track us over the Internet by adding cookies to the advertisement banners on so many Web pages. Is such a use of cookies ethical? Does it fit within a reasonable expectation of privacy on the Web? 32
  • 33. Development of Cookie “Awareness” • Most Web browsers allow the user to configure their cookie options: Netscape Navigator Netscape Communicator 33
  • 34. Summary and Conclusions • If the collection of personal information exceeds a reasonable expectation of privacy, obtaining informed consent makes such a collection ethical. If the collection of information lies within a reasonable expectation, informed consent does not seem necessary. • Internet cookies are a tool. They can be used in both morally permissible and immoral ways. • In general, Web servers cannot obtain your personal information unless you explicitly give it (e-mail address, credit card numbers, home address, phone number). • Do cookie notifications provide sufficient information for an informed choice? • Cookie notification detracts from the usability of Web browsers. How to improve? 34
  • 35. What went wrong (The Cookie Concept) •Introduced for good reason: Helping users access their favorite web sites easily from the second time onwards. •Sometimes used by unscrupulous entities for other reasons: It happened that some marketing firms tried to use this to access private information for advertising campaigns. 35

Notas del editor

  1. Some browsers don’t supply a referrer address, and in any case it can be easily spoofed so should never really be trusted!
  2. 1. What is different about our concerns for the Internet? Documented concerns about privacy have been around for at least 100 years (since 1890 in Warren and Brandeis Harvard Law Review article). What is different is the scale of information and the ease with which is moves (both collected and released) on the Internet. Internet transactions unlike real world transactions have not been around long enough for the public to know the impact. An additional setback is that the general public does not understand technology. A good way of saying this is that the public has not yet developed a reasonable expectation of privacy for transactions on the Web. 2. Collection and centralization of information There are at least two types of manipulation of information which occur on the Internet- collection and centralization. We will see how differently these types of information implementation can affect our privacy. 3. Role of Informed Consent Concept of informed consent is well developed in the field of medical ethics . We extend its boundaries here and see how it is a useful tool for privacy discussions. 4. Reasonable expectation of privacy and Cookies Explore Cookies and offer an interpretation of reasonable expectation of privacy for them
  3. 1. Privacy as the right “to be let alone” If Alice clubs Bob on the head with a baseball bat, she has not invaded his privacy. Yet she has not let Bob alone. 2. Privacy as control of information If Alice tells Bob about Charles’s smoking habit, Charles suffers no loss of privacy because his smoking habit is widely known. But he has no control of this information. 3. Privacy as Undocumented Personal Knowledge Any personal information which can be found in public documents such as newspapers and magazines cannot cause violations of privacy. Alice is unknowingly photographed sunbathing nude on her private beach. The photographed is published in various magazines. According to this definition of privacy, the next time someone sees Alice nude, she will not lose any privacy. 4. Privacy as Restricted Access Secrecy- extent to which we are known to others. Anonymity- extent to which we are the subject of others’ attention. Solitude- extent to which others have physical access to us. Loss of privacy can be good: lower auto insurance, leniency from courts. 5. If time, discuss why privacy is important (Rachels- social context for relations)
  4. Segue from previous slide: When, then, is a loss of privacy a violation of privacy? 1. Disclosure All pertinent information must be disclosed to the subject (how and why the information is being collected) 2. Comprehension Subject understands risks and benefits of revealing information 3. Voluntariness Subject is under no pressure of duress to reveal the information 4. Competence Subject takes responsibility for releasing information 5. Consent Subject is given a choice whether to reveal the information
  5. To summarize, if we are uncertain whether a collection of information causes a violation of privacy- that is, if we are uncertain of the reasonable expectations of privacy for a certain situation, obtaining informed consent will make the collection ethical.
  6. Note that the data to be stored must always be a string…
  7. Note that the data to be stored must always be a string…
  8. With PHP => version 4.1, the $_COOKIE superglobal is the one to go for, otherwise 2 nd option.
  9. Let’s look at the first line, victory.cnn.com The name of this cookie is NGUserID The value of this cookie is cf1947b7-20682-881794064-1 The expiration date is 942189160 The valid path is / (starting from the root) The valid domain is victory.cnn.com The secure transport flag is FALSE CNN probably uses this cookie to access a database of information about this user, cf1947b7-20682-881794064-1 , to access a database of information accumulated about this user.
  10. Let’s look at the first line, victory.cnn.com The name of this cookie is NGUserID The value of this cookie is cf1947b7-20682-881794064-1 The expiration date is 942189160 The valid path is / (starting from the root) The valid domain is victory.cnn.com The secure transport flag is FALSE CNN probably uses this cookie to access a database of information about this user, cf1947b7-20682-881794064-1 , to access a database of information accumulated about this user.
  11. Mayer-Schoenberger presents four reasons why cookies are an invasion of our privacy. 1. As we have seen, cookie are just a text file stored on the hard drive by your web browser. Technically, this is no different from cache files, temporary files, or log files which are stored on our hard drive without our knowledge. 2. Typical computer user is unaware of much information which is transferred to other machines. Web page visits always reveal: IP address Current time Previous Web page visited 3. This argument mistakes the tool for the use. The expiration date allows the realization of the accuracy and timeliness principles. It also allows for abuse of these principles.
  12. Compare morally permissible uses of cookies to “doing good business”. These cookies are not unlike the memory of the Mr. Smith, the storekeeper of the local grocery store. The more your visit, the more Mr. Smith remembers about you, the better service he will give you, the more often you will return. Note that Mr. Smith can do good business with you without ever knowing your name. Same with cookies.
  13. 1. Older Web browsers did not have a large choice of cookie options. Only one option- whether you are notified when a Web page you visit wants to set a cookie. Interesting to note that you could not disable cookies at this time. 2. During the research of this topic, the new Netscape Communicator came out. Distinguishes between our ethical and unethical uses of cookies. Includes an option to disable cookies entirely.