Understanding Cookies

A cookie is sent as part of the HTTP headers and is basically a name-value pair. The main disadvantage of cookies is that users can deactivate them in the web browser (and proxy servers can filter them out), so an application can never rely on a cookie coming back. Some people think cookies create privacy issues. Part of this might have been caused by an article written by John Udell in March 1997, in which he claimed that every cookie can be read by every web server, so there would be no privacy at all. This caused quite a stir; unfortunately, the correction two months later did not get the same amount of attention.

The fact is that cookies have some limitations:

  • Cookies are tied to domains, by default the host that sent the cookie. A server can widen this to its own parent domain (for example, www.php.net can set a cookie for php.net), but browsers refuse cookies that a server tries to set for an unrelated domain.

  • Cookies can be tied to paths on the web server; the browser then sends the cookie only with requests for URLs below that path.

  • A cookie contains only text information, 4096 bytes at most (including the cookie name and the = character between name and value).

  • Browsers are only required to store up to 20 cookies per domain and 300 cookies in total (many browsers accept more); when a limit is reached, the oldest cookies are discarded.

The (unofficial) cookie specification goes back to Netscape and is still available at There have been attempts to standardize next-generation cookies in a Request for Comments (RFC), namely RFC 2109 and its successor RFC 2965, but these have not found any reasonable browser support yet.

Cookies travel in the HTTP headers. To set a cookie, the server adds a Set-Cookie header to its response. The name and value of the cookie (both strings) come first, optionally followed by further information such as the expiration date, the domain and path of the cookie, and the secure flag, which tells the browser to return the cookie over HTTPS only. For instance, when visiting, the PHP website sends this header entry (your mileage may vary, especially in terms of the language and IP address used):

Set-Cookie: COUNTRY=DEU%2C84.154.17.84; expires=Thu, 19-May-05 15:23:29 GMT; path=/;

When the browser (or the user) accepts the cookie, the browser sends it back to the server in the HTTP header Cookie with every subsequent request that matches the cookie's domain and path:
Cookie: COUNTRY=DEU%2C84.154.17.84

A cookie can have an expiration date. If one is set, the cookie lives at most until that date and is a so-called persistent cookie: the browser keeps it across restarts and deletes it once the date has passed, but this can also happen earlier, for instance when the browser's cookie limit is reached and the oldest cookies are purged. If no expiration date is set, the result is a so-called session cookie or temporary cookie, which lives only as long as the web browser is running and is deleted when the browser is closed. Note that all of this is enforced by the browser alone; a server that needs a login or session to end at a given time must check that on its own side rather than trust the expiration date it sent.
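To make the rules above concrete, here is a small browser-side cookie jar that implements them: a server may only set cookies for its own host or a parent domain, cookies are returned only for matching domains and paths, the 4096-byte and 20-per-domain limits are enforced (oldest first), and cookies without an expiration date vanish when the "browser" closes while expired persistent cookies are purged. This is an added example, not code from the original page or from php.net. It replays the php.net Set-Cookie header quoted above against a constructed clock value (NOW) and adds a constructed session cookie (PHPSESSID=abc123). Assumptions not taken from the page: the default path is the directory of the requesting URL, domain matching is a plain tail match, and only the Netscape and RFC 1123 date formats are understood.

```python
# Cookie jar modelling the Netscape cookie rules described above. Added example,
# not the page's or php.net's code. Assumptions: default path is the directory of
# the requesting URL; domain matching is a plain tail match; two date formats.
from collections import OrderedDict
from datetime import datetime, timedelta, timezone

MAX_COOKIE_BYTES = 4096        # name + "=" + value, per the Netscape spec
MAX_COOKIES_PER_DOMAIN = 20    # beyond this the oldest cookies of the domain go
NOW = datetime(2005, 5, 18, 12, 0, tzinfo=timezone.utc)   # constructed "now"
# Netscape style ("Thu, 19-May-05 15:23:29 GMT") and RFC 1123 style dates.
_DATE_FORMATS = ("%a, %d-%b-%y %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT")


def parse_expires(value):
    """Return the expiry as an aware UTC datetime, or None if unparseable."""
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None


def domain_matches(host, domain):
    """Tail match: www.php.net matches php.net and .php.net, not example.com."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header, request_host, request_path):
    """Parse a Set-Cookie value; oversized or nameless cookies yield None."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = (parts[0] if parts else "").partition("=")
    if not name or len(f"{name}={value}".encode()) > MAX_COOKIE_BYTES:
        return None
    cookie = {"name": name, "value": value, "domain": request_host.lower(),
              "path": request_path.rsplit("/", 1)[0] or "/",
              "expires": None, "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            cookie["expires"] = parse_expires(val)
        elif key == "domain":
            cookie["domain"] = val.lower().lstrip(".")
        elif key == "path":
            cookie["path"] = val or "/"
        elif key == "secure":
            cookie["secure"] = True       # send back over HTTPS only
    return cookie


class CookieJar:
    def __init__(self):
        self._cookies = OrderedDict()     # (domain, path, name) -> cookie; oldest first

    def set_cookie(self, request_host, request_path, header, now):
        """Store the cookie from a Set-Cookie header; False if it was dropped."""
        cookie = parse_set_cookie(header, request_host, request_path)
        # A server may only set cookies for its own host or a parent domain.
        if cookie is None or not domain_matches(request_host, cookie["domain"]):
            return False
        key = (cookie["domain"], cookie["path"], cookie["name"])
        self._cookies.pop(key, None)      # re-setting moves the cookie to newest
        if cookie["expires"] is not None and cookie["expires"] <= now:
            return True                   # a past date is how a server deletes one
        same_domain = [k for k in self._cookies if k[0] == cookie["domain"]]
        while len(same_domain) >= MAX_COOKIES_PER_DOMAIN:
            del self._cookies[same_domain.pop(0)]   # purge the oldest first
        self._cookies[key] = cookie
        return True

    def end_session(self):
        # Simulate closing the browser: cookies without an expiry are dropped.
        for key in [k for k, c in self._cookies.items() if c["expires"] is None]:
            del self._cookies[key]

    def cookie_header(self, host, path, now, https=False):
        """Build the Cookie request header for a URL; None if nothing matches."""
        sent = []
        for key, c in list(self._cookies.items()):
            if c["expires"] is not None and c["expires"] <= now:
                del self._cookies[key]    # expired persistent cookie: purge lazily
            elif (domain_matches(host, c["domain"]) and path.startswith(c["path"])
                  and (https or not c["secure"])):
                sent.append(f'{c["name"]}={c["value"]}')
        return "; ".join(sent) or None


def demo():
    """Replay the php.net header quoted in the text; returns what the jar sends."""
    jar = CookieJar()
    jar.set_cookie("www.php.net", "/", "COUNTRY=DEU%2C84.154.17.84; "
                   "expires=Thu, 19-May-05 15:23:29 GMT; path=/;", NOW)
    # Constructed session cookie (no expires), scoped to /manual by default.
    jar.set_cookie("www.php.net", "/manual/index.php", "PHPSESSID=abc123", NOW)
    results = {
        "root": jar.cookie_header("www.php.net", "/", NOW),
        "manual": jar.cookie_header("www.php.net", "/manual/ref.php", NOW),
        "other_host": jar.cookie_header("www.example.com", "/", NOW),
    }
    jar.end_session()                     # "browser closed": PHPSESSID disappears
    results["after_restart"] = jar.cookie_header("www.php.net", "/manual/ref.php", NOW)
    results["after_expiry"] = jar.cookie_header("www.php.net", "/", NOW + timedelta(days=2))
    return results
```

Calling demo() shows the COUNTRY cookie being sent for every path on www.php.net and the session cookie only below /manual, nothing going to www.example.com, the session cookie gone after end_session(), and the persistent cookie gone once the clock passes 19 May 2005. The set_cookie() return value is what lets you see a rejected cross-domain or oversized cookie, which real browsers discard silently.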

To actually see the HTTP headers, you can use extensions for standard web browsers. For Mozilla browsers (including Firefox), the LiveHTTPHeaders extension available at is a real time-saver. Users of Microsoft Internet Explorer might be interested in installing ieHTTPHeaders, an Explorer bar available from Figure shows some of the output the Firefox extension produces when accessing the PHP home page.

Cookies are set as part of the HTTP header.