#include <infodrom.style>
#include <projects.style>

<projectpg project="Lightweight CGI Library">

<h3>HTML Cookies</h3>

<p>Cookies can be both sweet and sour.  The very same applies to the HTML
cookies that are widely used on the world wide web.  For a while now
cgilib has supported cookies, both setting and reading them.  With this
feature one can implement modern CGI-based HTML applications.

<p>Cookies are additional strings that are sent to the web server
<strong>automatically</strong> whenever a web page is requested that
matches a host/path pattern.  Of course, they have to be set by the
server before that.  Here lies the danger of cookies already.  The
user normally cannot control whether a cookie may be sent to the server
or not.  Once a cookie is accepted, it will be sent with every request
for a page that matches the particular host/path pattern.

<h3>Technical description</h3>

<p>Cookies are represented in HTTP as regular HTTP headers.  As a
result, the cookie has to be created and sent to the browser before
any HTML output.  When the browser sends a cookie, the server forwards
the cookie to the CGI program just like other HTTP/CGI headers.  This
is how cgilib finds out which cookies were provided so the program can
make use of them.

<p>Cookies can be used properly to implement stateful applications
whose state has to live longer than a single HTML page.  For a good
and well-designed example see the <a
href="<root_prefix>Infodrom/fortunes/news.php">new fortune</a>
service.  Reading the content of the cookie, its scope is probably
clear to the user.  If you take a look at the <a
href="http://cvs.infodrom.org/www.infodrom.org/src/Infodrom/fortunes/news.wml?cvsroot=Infodrom.org">source
code</a> you will see that the cookie is evaluated and set before any
HTML output is generated.
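<p>The following added example is not part of cgilib; it shows in plain
C the two halves of what was just described: looking up a cookie in the
HTTP_COOKIE variable exactly as the web server hands it to the CGI
program, and emitting the Set-Cookie header ahead of the blank line that
ends the headers.  The cookie name, value and path are constructed.  The
Path and Secure attributes keep the cookie from being sent back to more
pages than necessary, and the check for ';', CR and LF stops a value from
injecting further attributes or headers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Find one cookie in the HTTP_COOKIE value ("a=1; b=2") that the web server
 * hands to the CGI program.  Returns a malloc'd copy of the value or NULL. */
char *cookie_lookup(const char *header, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = header;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;          /* skip separators */
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        if (eq && (size_t)(eq - p) == nlen && strncmp(p, name, nlen) == 0) {
            size_t vlen = len - nlen - 1;
            char *v = malloc(vlen + 1);
            if (!v) return NULL;
            memcpy(v, eq + 1, vlen);
            v[vlen] = '\0';
            return v;
        }
        p = end ? end + 1 : NULL;
    }
    return NULL;
}

/* Format a Set-Cookie header.  Path narrows which requests carry the cookie
 * back and Secure keeps it off plain HTTP.  A name or value holding ';', CR or
 * LF could inject extra attributes or headers, so such input is refused. */
int set_cookie_header(char *buf, size_t size, const char *name,
                      const char *value, const char *path, int secure)
{
    if (strpbrk(name, ";=\r\n") || strpbrk(value, ";\r\n")) return -1;
    int n = snprintf(buf, size, "Set-Cookie: %s=%s; Path=%s%s\r\n",
                     name, value, path, secure ? "; Secure" : "");
    return (n < 0 || (size_t)n >= size) ? -1 : n;   /* bytes written or -1 */
}

int main(void)
{
    const char *env = "fortune=5; session=abc123";  /* constructed HTTP_COOKIE */
    char *sess = cookie_lookup(env, "session"), hdr[256];
    if (set_cookie_header(hdr, sizeof hdr, "session", sess ? sess : "new", "/app", 1) > 0)
        fputs(hdr, stdout);                          /* headers first ...   */
    fputs("Content-Type: text/html\r\n\r\n", stdout); /* ... blank line ... */
    puts("<html><body>Hello</body></html>");        /* ... then the HTML  */
    free(sess); return 0;
}
```

In a real CGI program the header value comes from getenv("HTTP_COOKIE")
instead of the constructed string.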

<h3>Malicious use</h3>

<p>Since cookies are sent to the server whenever the browser requests
a web page that matches the pattern defined when the cookie was set,
sensitive information can leak to the web server, making it possible
to spy on the user.

<p>The cookie mechanism is often used by banner ads or page counters,
which run on a separate server and make use of the data collected.
Whenever you visit a website that refers to this banner ad or counter
server, your client will send a cookie to that server, identifying you
and providing information about the page you are visiting right now.
Using this, the ad server is able to build a profile of the pages you
visit frequently and to serve advertising tailored to you, like always
displaying adult content even when your boss is standing right behind
you and would normally see car adverts.

</projectpg>

# Local variables:
# mode: html
# mode: auto-fill
# end:
