
So, You Want A Cookie, Huh?



Use these to jump around or read it all…

[Cookies, Joe?] [What Do Cookies Do?]
[Do You Hand Out Cookies On Goodies, Joe?]
[What Is A Cookie?] [Are Cookies Bad?]
[How Do I Pass Out Cookies?]
[What About Neiman Marcus?!]

— Portions of this tutorial have been re-written and expanded —
Thank you to those in the know who caught some of the unintentionally misleading information.
This version was posted on 6/18/97.

     A cookie, huh? Either you are a real Net-head or you have stopped by to get the ingredients for that Neiman Marcus cookie that has been shuffled around the Net. If you’re actually looking for a food item — you’re out of luck. (Okay, maybe I explain the cookie story at the very end of the tutorial….) This is a tutorial dealing with electronic cookies.

Cookies, Joe?

     Yeah. A cookie is a small computer-generated text file (no larger than 4K) that you receive when you stop into certain sites. Unless you have made a point of setting your browser’s preferences so you do not accept cookies, or have installed a JavaScript to do the same, you probably have a cookie sitting in your browser’s directory right now. The use of cookies is quite widespread.

     I have heard a few different reasons why the little files servers and browsers are using are called cookies. Each is probably less credible than the last but, for entertainment purposes, here are a few.

  1. In UNIX, files of this type had a name something like k00k.z. Thus the strange pronunciation as “cookie” (uh-huh…).
  2. The guy who got really really really rich by creating Netscape digs these particular chunky cookies–thus the name (hmmm…).
  3. Because distributing cookies is like leaving crumbs all over (uh…).
  4. Just because (probably the most truth in this one…).

But Wait! (Added 6/28/97)

Ben Buckner offers what sounds as if it could be a true story:

     About the term’s origin, it’s a very old bit of programmer slang (usually) for a piece of data stored to communicate between two processes, typically separated in time, and often as some kind of flag. The fuller form is “magic cookie.” I know I’ve heard it used as far back as the late ’80s anyway. The real defining point of the magic cookie is that some part of the data is unique to the process(es) so that the receiver can ensure that it’s getting the message from the expected source. In the HTTP cookie, the server domain name serves that purpose, though in this case the client actually performs the verification to prevent server-based hanky-panky. I’ve heard that the term “magic cookie” was originally coined in reference to one of those old adventure games (perhaps “Adventure” itself) in which you had to give some character a magic cookie to get something from it (analogous to cookie verification), but that’s just a vague memory.

     Eh… I’ll buy it.


What Do Cookies Do?

     They themselves do nothing. Please do not be concerned that a virus or an evil program of some sort has been placed on your computer. The cookie is a text file. It is not executable. That means it can’t run like a program.

     The cookie was placed on your machine because you gave the server placing the cookie access to that section of your computer. Don’t be alarmed. You have to give permission. Without it, you couldn’t display any WWW files or pictures. (I am talking about a SLIP or a PPP connection to the Internet here — AOL is a different story. You are not connected directly to the Internet on AOL.) And no, the server does not have access to other sections of your computer. Contrary to what some believe, HTTP servers cannot go into your computer and reconfigure unless you allow it. Again, don’t be alarmed. Chances are very, very slim you allowed it by mistake.

     But, as I said above, you do have the ability, by going into your browser’s preferences, to disallow the placement of cookie files. So, how does your computer know to allow all the regular image and text files, but no cookie files? Well… the file’s named “cookie.” Easy enough.

Getting Back To Cookies…

     Remember that a cookie is used almost as a “tag” on your computer. You know — like the “tag” bears on those Saturday morning wildlife shows that play right before the football games. That “tag” holds information that the server that gave it to you would like to know, such as:
  • How many times your computer has stopped in.
    The server may post to a page a message welcoming you back for the ##th time.
  • What your computer did while you were in the site.
    Let’s say you go into a shopping site. You order six things from four different pages. The cookie records the purchase and the price. At the end, you click a button and your total is displayed. In addition, when you return, the server knows you have purchased before and may then send you directly to items you are interested in or offer a special as a return customer. You’ll often hear this type of cookie usage referred to as a “Shopping Cart.”
  • Keep track of a special name and password.
    No, I do NOT mean that the cookie has the ability to grab your actual server-side name and password. Let’s say you join up with a sports page, and to get very fast stats results on the games, you need to pay a bit of money. This is common. After you’ve paid the money, you are given a code word and password to log in with. After you log in the first time, those two bits of information are posted to the cookie. In the future you can then enter back into the special site without having to fill out the login form again and again. Plus, your favorite team’s name may also be added so that you are taken straight to the section you want without clicking.
     Please remember that the cookie denotes your computer, not you. The server that uses cookies has no idea who you actually are unless you tell them by offering your name or e-mail address.


Do You Hand Out Cookies on Goodies, Joe?

     Not really…. You see those advertising banners at the top of the pages? I use a rather expensive program to keep track of them. That program ensures that when you log into a new page, you get a new banner. In order for that to happen, I assign every page a code word. This page’s code word is “flook.” In order to get you a new banner on each page, that little program needs to keep track of the code words. It does it by placing the current page’s code word in your cookie file. Then, when you go to the next page, if the code word doesn’t match, you get a new banner.
     So, do I use cookies? No. Do I use your cookie file? Yes. I am gathering nothing from you. I am only using your cookie file to keep track of code words.
     You see, I don’t sell anything to the people who stop by. Everything on my site is free for the taking. Yes, I could place full cookies and use them for simple return visits data, but none of my advertisers have ever cared to know that.

     Another reason I don’t tag your computer is that it makes some people nervous. I don’t want that.

     But I guess the best reason is that I just don’t need to do it. You see, every time you request files from my server or any server, the path back to your computer is recorded. It has to be. Without knowing where to send the files you request, you’d never get them. If you have a Web site, you do the same thing.

     (Before someone explains to me that there are anonymous surfing sites out there, please remember that although the site that offers the information may not get the actual path to your computer, the anonymous surfing server does. It has to or you would never get the file. You’re never going to do this totally anonymously.)

     All the paths back to all the computers my server recorded are held in a file. Usually the file is called “logs.” You have one of these yourself. You just may not have access. What I do is use a little program (it cost $500) to take the contents of the log files and jumble them into a useable form. This is what I get without using any cookies and just looking at my log files:



Total completed requests: 170 240 (88 879)
Average completed requests per day: 11 869 (12 697)
Total failed requests: 1 425 (752)
Total redirected requests: 3 007 (1 593)
Number of distinct files requested: 89 (86)
Number of distinct hosts served: 24 258 (13 456)
Number of new hosts served in last 7 days: 12 227
Corrupt logfile lines: 172
Unwanted logfile entries: 2
Total data transferred: 1 016 Mbytes (537 710 kbytes)
Average data transferred per day: 72 515 kbytes (76 816 kbytes)

etc, etc…


Domain Report

Printing all domains, sorted by amount of traffic.


#reqs: %bytes: domain
-----: ------: ------
38409: 21.74%: .com (Commercial, mainly USA)
35007: 20.82%: [unresolved addresses]
31507: 18.54%: .net (Network)
30149: 18.06%: .edu (USA Educational)
5941: 3.58%: .ca (Canada)
3301: 1.99%: .uk (United Kingdom)
2636: 1.51%: .au (Australia)
2509: 1.41%: .fr (France)
2221: 1.38%: .se (Sweden)
1808: 1.01%: .nl (Netherlands)
1594: 0.86%: .us (United States)
1191: 0.74%: .no (Norway)
1153: 0.65%: .gov (USA Government)
1069: 0.65%: .jp (Japan)
etc, etc…



     This is simple enough information that I can give advertisers good general information about the amount of traffic that comes through my site and from where they came. I don’t know a darn thing about any one computer or person specifically, just the total population.

     In case you’re wondering, as of 6/97, the HTML Goodies site is bringing in between 6500 and 7000 different surfers per day. Those surfers look at an average of between 35,000 and 42,000 different pages. Do some quick math and you get that the Goodies site offers over 1.1 million page views per month by close to a quarter million separate people.

(Note: as of 4/27/99, the HTML Goodies site is averaging 25,139 visitors per day.)

     Midweek is the heaviest usage time. The lowest surf time is weekend days, and the most popular time for surfing Goodies is lunchtime and early evening before 8PM.


What Is A Cookie?

     Well, you can look at your own if you’d like. My guess is that if you’ve done any kind of surfing into any major sites like ESPN or WebCrawler you’ve received a cookie.

Where would I find my cookie?

     You’ll need to travel into the guts of your computer to find it. It will be somewhere in your browser’s directory. Look at the entire directory first. In later models it’ll be sitting at the top level… and yes… it’ll be named “cookie.” In earlier model browsers, you’ll find it in your cache. You could also do a search on your hard drive for “cookie.” If you can’t find it, no problem. Here’s what mine looks like. I just cut and pasted it from my BRAND NEW PENTIUM 200MMX!! WOO HOO!




# Netscape HTTP Cookie File
# http://www.netscape.com/newsref/std/cookie_spec.html
# This is a generated file! Do not edit.

.sportszone.com TRUE / FALSE 876509359
.netscape.com TRUE / FALSE 946684799 NETSCAPE_ID 1000e010,138f8fd5
www.webCrawler.com FALSE / FALSE 852076799 webcrawlerad 46162



What It All Means

     I dunno. No, really — I dunno. It’s fairly obvious who has offered me a cookie. I got one from Sportszone and one from Webcrawler. The big long numbers are computer stuff. Some have told me they’re dates. They could very well be.


Update (7/14/97) from Sumudu Fernando

Hi, Joe.

     I’ve been a visitor to your site for a long time now, and I’d like to clear up the issue about those long numbers in the cookie file. Those numbers are not put there by CGI, but by JavaScripts. You see, the numbers are expiration dates. They are so long and look nothing like dates because if you ask a JavaScript to get the current date, add a year so the cookie will remain for a year, and put it in the cookie, the script writes down the amount of milli-seconds between the expiration date and January 1, 1970. I hope this helps.
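A short parser for the cookie file shown above, added here as an example and not part of the original tutorial. It reads the seven tab-separated fields of the Netscape cookie file format and treats the expiry number as seconds since 1 January 1970 UTC; the field names, function names and the review step are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: the entries from the listing above, tab-separated.
# The sportszone line is kept as it appears on the page, two fields short.
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    "# This is a generated file! Do not edit.\n"
    "\n"
    ".sportszone.com\tTRUE\t/\tFALSE\t876509359\n"
    ".netscape.com\tTRUE\t/\tFALSE\t946684799\tNETSCAPE_ID\t1000e010,138f8fd5\n"
    "www.webCrawler.com\tFALSE\t/\tFALSE\t852076799\twebcrawlerad\t46162\n"
)

# Field order of the Netscape cookie file format (names are illustrative).
FIELDS = ("domain", "all_hosts", "path", "secure", "expires", "name", "value")


def parse_cookie_file(text):
    """Return (cookies, rejected), where rejected lists bad line numbers."""
    cookies, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments carry no cookie
        parts = line.split("\t")
        ok = len(parts) == len(FIELDS) and parts[4].isdecimal() \
            and len(parts[4]) <= 10
        if not ok:
            rejected.append(lineno)  # incomplete or malformed entry
            continue
        rec = dict(zip(FIELDS, parts))
        rec["all_hosts"] = parts[1] == "TRUE"
        rec["secure"] = parts[3] == "TRUE"
        # The expiry is a count of seconds since 1 January 1970 UTC.
        rec["expires"] = datetime.fromtimestamp(int(parts[4]), tz=timezone.utc)
        cookies.append(rec)
    return cookies, rejected


def review(cookies, now):
    """List what a reviewer would note about each stored cookie."""
    notes = []
    for c in cookies:
        if c["expires"] <= now:
            notes.append((c["name"], "expired"))
        if not c["secure"]:
            notes.append((c["name"], "also sent over plain HTTP"))
    return notes


if __name__ == "__main__":
    parsed, bad = parse_cookie_file(SAMPLE)
    for c in parsed:
        print(c["domain"], c["name"], c["expires"].isoformat())
    print("rejected lines:", bad)
    print(review(parsed, datetime(1997, 6, 18, tzinfo=timezone.utc)))
```
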


Are Cookies Bad?

     I guess that depends on whom you speak to.

     My guess is that this concept of cookie trading is very new to many of you. But to be fair, the use of cookies does infringe on privacy. The server does know if someone stopped by before and knows what that person did while they were there.

     If you haven’t taken this tone from me yet, I don’t believe cookies are all that awful. No, I don’t use them, but I also don’t mind someone using them on me. Someone with far more knowledge than me might prove me wrong, but I don’t think we can expect to move around public phone lines and personal servers totally anonymously.

     Let’s look at some of the actual concerns people have written to me about cookies. I will comment. I welcome yours also.

  • The people know I’m in their site.
    Yes, and K-Mart knows you’re in their store. However, you’re not being videotaped in a WWW server. You are in a lot of K-Marts.
  • The server knows what I’m doing when I’m there.
    You bet. Where else, other than your home, can you have complete domain over all that is inside, taking whatever you want, while remaining totally anonymous?
  • They know who I am.
    To a point. Your login or e-mail login may be gathered because it’s listed in the browser’s general information. But it’s not gathered by the cookie. The cookie can’t do that. An applet can, and then it can be written to the cookie. This is a bit unnerving, I agree. But as I said before, it’s hard to go around this web of computers totally anonymously.
  • They’ll spam me.
    If they do, then a line has been crossed and the person who is using the unauthorized e-mail addresses should be prosecuted.
  • They’ll get my picture.
    Not unless you offer it.
  • They’ll get my home address.
    Ditto.
  • They’ll get my SS number.
    Ditto, ditto…

     I agree to a point that surfing is invasive to your privacy, but it might be a trade-off you are willing to make in order to have this web of computers that takes so much of our time.

     Stop and think — phone bills, power bills, cable bills… each of those also gathers information about you. Plus, they probably asked for your SS number. Should we be anonymous to them, too? It’s a good debate, if nothing else. It’s up to you whether the cookies are good or bad.

     On another note… I enjoy asking people if they would ever give a credit card number over the Internet, even though great steps have been taken to ensure encryption of the numbers. Most people have a rather violent reaction against doing it.

     They then hand their card to the waiter who walks into another room with it.


How Do I Hand Out Cookies?

     I’m starting to say this a lot, but cookies cannot be done simply through HTML. Cookies are done at the server level. You must actually place a CGI application that records, reads, and places cookies for you.
     What is new here is that I can tell you where to go to get the CGI application and the instructions on how to set it up.

Go to
So, You Want A Shopping Cart, Huh?

     That’s a page that explains the whole process right down to the smallest details of offering the CGI and links to other Netscape pages. Again, knowing how may not be enough. You’ll have to be able to place the CGIs into the correct directories, do a CHMOD command to affect the directory, blah, blah, blah. It gets mighty complicated.
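The record, read and place cycle described in this section, shown for the "welcome back for the ##th time" counter from earlier in the tutorial. This is an added example, not the CGI from the Shopping Cart page; the cookie name `visits`, the function names and the limits are assumptions.

```python
import re
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "visits"         # hypothetical cookie name
MAX_VISITS = 1_000_000         # ceiling for a believable counter
ONE_YEAR = 365 * 24 * 60 * 60  # cookie lifetime in seconds


def read_visits(cookie_header):
    """Return the visit count carried in a Cookie request header, or 0.

    The cookie lives in a text file on the visitor's machine and can be
    edited there, so the value is checked before it is used.
    """
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return 0
    morsel = jar.get(COOKIE_NAME)
    if morsel is None or not re.fullmatch(r"[0-9]{1,7}", morsel.value):
        return 0
    count = int(morsel.value)
    return count if count <= MAX_VISITS else 0


def handle_request(cookie_header):
    """Read the old count, record the visit, place the new cookie."""
    visits = read_visits(cookie_header) + 1
    out = SimpleCookie()
    out[COOKIE_NAME] = str(visits)
    out[COOKIE_NAME]["path"] = "/"
    out[COOKIE_NAME]["max-age"] = ONE_YEAR
    out[COOKIE_NAME]["httponly"] = True  # page scripts have no need to read it
    headers = [("Content-Type", "text/plain"),
               ("Set-Cookie", out[COOKIE_NAME].OutputString())]
    body = ("Welcome!" if visits == 1
            else f"Welcome back for visit number {visits}.")
    return headers, body


if __name__ == "__main__":
    # Constructed request headers: first visit, a return visit, an edited cookie.
    for header in (None, "visits=41; team=example", "visits=-5"):
        print(repr(header), "->", handle_request(header))
```
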

     Then again, you could just not use them. You may already have all the information you need just through your log files. Maybe a counter on your page is all you’re really interested in. Cookies are very seldom handed out unless there is a good reason. Just keeping track of who stops in for the heck of it probably won’t sway the people in charge to place cookie applications for you.

Is That It?

     Well, yeah. I can’t cover much more than what I’ve already told you. To go farther, you’ll need to get in touch with your own people. They’ll be able to place the CGIs or be able to show you what is already being done log-wise for you.

What About That Neiman Marcus Cookie Story?!

     Oh, that. This is what Popular Culturalists term an “Urban Legend.” It probably isn’t true, but it gets told so often that people think it’s true. Plus, it’s always told as if it happened to someone’s older brother’s former friend’s roommate — SO IT HAS TO BE TRUE! One of my favorites is the story that that Mikey kid, who liked Life so much, died in the early 1980s by eating Pop-Rocks and chugging a Coke. It’s not true, but the story goes around.
     I also like the one where a woman, always distantly related, gets on an elevator with a very large, gruff-looking man who’s holding tightly the leash of his huge, growling dog. The woman is quite nervous. The large man yells, “Sit!” …and she does.
     Paul McCartney’s death was another biggie. If you haven’t gotten this over e-mail already, sit tight — you will.

     On to the cookie story. It seems that someone’s brother’s former roommate’s friend took his daughter (wife, friend, etc.) to Neiman Marcus for lunch (dinner, breakfast). My version of the story had the daughter purchasing a scarf and a wool hat. Details make for a more compelling tale!
     The people ordered and ate and were served three small cookies at the end of the meal. They liked the cookies so much the gentleman asked if he could purchase the recipe. The waiter said yes and stated the price at two-fifty. The man agreed. When his credit card statement arrived, he noted that it was $250 rather than $2.50. Apparently he’ll sign anything at the restaurant.
     Inflamed with cookie passion he said he would let the world know the recipe if they didn’t take the charge off the card. They refused and he set to spamming this story all over the Net through BBS servers and e-mail.
     The recipe I received was actually pretty good. It called for finely ground coffee and oatmeal. In reality, it could be true but probably isn’t. But… it’s a reason to make cookies. And it’s my opinion we could all use a few more reasons to make cookies.
