LIFETIME OF COOKIES
We know that a cookie is persistent or not depending on whether an Expires (or Max-Age)
attribute was set on the cookie when it was created. Cookies without one are session cookies:
the browser discards them when the browsing session ends, and thus they are useless for long-term
data storage on the client's machine. So, how long do cookies last? How reliable are cookies as a form of persistent
storage? There have been various studies over the years with conflicting results. In
March of 2005, Jupiter Research released a report stating that 54 percent of Internet users
had deleted cookies stored by their browser.[5] In addition, the report found that 39 percent
of users delete cookies on a monthly basis. However, in April of that year, Atlas
Solutions released a report titled "Is the Sky Falling on Cookies?", which gathered statistics
by actually measuring how long a cookie stayed on a machine instead of how long
the user says a cookie stays on his machine.[6] There were interesting discrepancies. For
example, 40 percent of users who said they deleted cookies weekly had cookies older
than 2 weeks. Forty-six percent of people who said they deleted cookies monthly had
cookies older than 2 months. It should be said that Atlas Solutions sells products for
online marketing, visitor impression and lead tracking, and Web site optimization.
Uniquely tracking individual users, which is largely accomplished with cookies, is a key
aspect of all of their business solutions. It is not surprising their report would find that
cookie tracking is still a viable means of tracking individual users. However, even using
Atlas's potentially skewed data, we can learn a lot. According to their report, 39 percent
of all cookies are deleted within 2 weeks of being created, and 48 percent of all cookies
are deleted within 1 month of being created. While these lifetime statistics are acceptable
for tracking unique visitors to a site, they may be less acceptable for long-term storage of
data, depending on what developers want to store on the client using cookies. Still, the
lesson is clear: developers must not make their application depend on data persisting on
the client.
ADDITIONAL COOKIE STORAGE SECURITY NOTES
Developers must remember that cookie values are sent in HTTP headers. Certain characters,
namely carriage return and line feed (ASCII 0x0D and 0x0A), delimit the individual
HTTP headers in a request or response, so a value containing them can end one header and
begin another. If you are using cookies as a client-side storage method, you must encode any
data you are storing to prevent a malicious user from injecting his own HTTP headers into Web
traffic through client-side storage data. Depending on how the application is written, a smart
attacker can get an unencoded cookie value copied into a response header (for example, when the
server echoes it back in a Set-Cookie or Location header) and thereby inject headers of his own.
The injected headers can be used to poison caching proxies by adding cache directive headers, or
even to replace the entire response! This type of attack is known as HTTP Response Splitting.[7]
Bear in mind that encoding on the client is hygiene, not a security boundary: an attacker can set
any cookie value he likes directly, so the server must treat every incoming cookie value as
untrusted and must never copy one into a response header without rejecting or stripping CR and LF
(most current Web servers and frameworks refuse header values that contain them). A good rule of
thumb is to URL-encode all data you will be storing in a cookie as client-side storage. JavaScript's
escape() and unescape() functions will do this, but they are legacy functions that do not produce
standard URL encoding (they leave characters such as + and @ alone and emit %uXXXX sequences for
non-ASCII characters), so encodeURIComponent() and decodeURIComponent() are the better choice.
Either way, special characters like space, <, or > expand to a three-character escape sequence
like %20, and this expansion further cuts into the 4094 bytes you have to store data on the
client using cookies.
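The following is an added example, not code from the book, showing the encode-on-write, decode-on-read discipline described above together with the server-side CR/LF check. The function names (serializeCookie, parseCookieHeader, hasHeaderInjection, encodedSize, compareEncoders) and the attacker payload are assumptions made for illustration; it builds and parses cookie strings rather than touching document.cookie so it also runs outside a browser.

```javascript
"use strict";
// Added example (not from the book). Assumed helper names; the payload below is constructed.

// CR and LF end an HTTP header line; ';' and ',' delimit cookie attributes.
// encodeURIComponent turns all of them (and '=', space, <, >) into %XX escapes,
// so an encoded value is always a single well-formed token on the wire.
function serializeCookie(name, value, opts = {}) {
  const safeName = encodeURIComponent(name);
  const safeValue = encodeURIComponent(String(value));
  let s = `${safeName}=${safeValue}`;
  if (opts.maxAge !== undefined) s += `; Max-Age=${Math.floor(opts.maxAge)}`;
  if (opts.path) s += `; Path=${opts.path}`;
  if (opts.secure) s += "; Secure";
  if (opts.sameSite) s += `; SameSite=${opts.sameSite}`;
  return s;
}

// Parses "a=1; b=2" (what document.cookie returns, or what arrives in a Cookie
// request header) and decodes each value. A value that fails to decode (for
// instance a stray '%') is kept raw instead of throwing.
function parseCookieHeader(header) {
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const k = part.slice(0, idx).trim();
    const v = part.slice(idx + 1).trim();
    if (!k) continue;
    try {
      out[decodeURIComponent(k)] = decodeURIComponent(v);
    } catch (e) {
      out[k] = v;
    }
  }
  return out;
}

// Server-side guard: anything headed for a response header must be free of CR
// and LF. Cookie values come from the client and are attacker-controlled no
// matter what the page's own JavaScript did, so this check belongs on the server.
function hasHeaderInjection(value) {
  return /[\r\n]/.test(value);
}

// Encoding expands the value (space -> %20, '<' -> %3C, ...), so measure the
// encoded name=value pair, not the raw data, against the per-cookie budget.
function encodedSize(name, value) {
  return serializeCookie(name, value).length;
}

// Legacy escape() versus standard URL encoding: escape() leaves '+' and '@'
// untouched, which a server-side URL decoder may then misinterpret ('+' as space).
function compareEncoders(value) {
  return { legacy: escape(value), modern: encodeURIComponent(value) };
}

// Constructed attacker payload: tries to terminate the header and start a new Set-Cookie.
const payload = "x\r\nSet-Cookie: admin=1";
const cookie = serializeCookie("prefs", payload, { path: "/", secure: true, sameSite: "Strict" });
// Raw payload would split the header; the encoded cookie string never contains CR or LF.
const rawIsDangerous = hasHeaderInjection(payload);          // true
const encodedIsSafe = !hasHeaderInjection(cookie);           // true
// Reading it back reproduces the original data without it ever being on the wire unencoded.
const roundTrip = parseCookieHeader(cookie.split(";")[0]).prefs === payload; // true
console.log(cookie, rawIsDangerous, encodedIsSafe, roundTrip, encodedSize("k", "a b<c>"));
```

In a browser, `document.cookie = serializeCookie(...)` writes the cookie and `parseCookieHeader(document.cookie)` reads it back; the same serializer can be used server-side to build Set-Cookie headers, with `hasHeaderInjection` applied to any client-supplied value before it is echoed into a header.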