ebmgh.com

IE8 does not really delete cookies until restart

As I’ve made a foray into developing small applications for the web, I’ve had to learn all about cookies, beyond a vague awareness that they’re important for certain sites to work, but that they’re sometimes bad. It’s interesting to look at how many cookies your browser stores just from routine web browsing.

I came across this somewhat unexpected and disquieting behavior in Internet Explorer 8 as I was testing a site. After you remove cookies by using Tools > Delete Browsing History, your cookies are still stored in the browser’s memory cache, and will be transmitted with any page requests. They are not really deleted until you close and restart the application.

Try this: log on to your favorite webmail service (Gmail, Yahoo and all the major providers use cookies to keep track of your session and your user authentication).

Delete cookies by choosing Tools > Delete Browsing History. Check “Cookies” and click OK. Your stored cookies are gone, right?

Reload the page. Without your browser sending a cookie to the web server, your email provider should have no way of knowing who you are or whether you are logged in. If the email application loads, then you have sent a cookie to the server.

Of course, this is usually what you want to happen, but NOT just after you’ve supposedly deleted the cookies. This behavior is a subtle but significant security risk for some users. When you delete cookies in other major browsers (Firefox, Chrome, Safari), they’re gone, without having to restart the browser.
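To run the same check against a server you control instead of a webmail provider, here is a small local test server (an added example, not code from the original post): it issues a session cookie on the first visit and on every later visit reports whether the browser still sent it, so after Delete Browsing History a reload shows immediately whether the cookie really went away. The function and cookie names (classify_request, sid) and the port are my own choices.

```python
import http.server
import secrets
from http import cookies

# Constructed in-memory session store: cookie values this server has issued.
ISSUED_SESSIONS = set()


def classify_request(cookie_header, issued):
    """Report what the server can infer from the request's Cookie header.

    Returns 'no-cookie' if the browser sent no 'sid' cookie, 'unknown-session'
    if it sent one this server never issued, otherwise 'active-session'.
    """
    jar = cookies.SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)
    if "sid" not in jar:
        return "no-cookie"
    return "active-session" if jar["sid"].value in issued else "unknown-session"


class CookieProbe(http.server.BaseHTTPRequestHandler):
    """Issue a session cookie on first visit; on later visits say whether it came back."""

    def do_GET(self):
        verdict = classify_request(self.headers.get("Cookie"), ISSUED_SESSIONS)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        if verdict == "no-cookie":
            # Fresh session: hand out an unguessable id and remember it.
            sid = secrets.token_hex(16)
            ISSUED_SESSIONS.add(sid)
            self.send_header("Set-Cookie", f"sid={sid}; Path=/; HttpOnly")
            body = "No cookie received: the browser has no session. New cookie issued.\n"
        elif verdict == "active-session":
            body = "Cookie received: the browser still sent a valid session cookie.\n"
        else:
            body = "Cookie received, but this server never issued it.\n"
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    # Browse to http://127.0.0.1:8080/, delete cookies, then reload and read the verdict.
    http.server.HTTPServer(("127.0.0.1", 8080), CookieProbe).serve_forever()
```

A browser that has truly discarded the cookie gets the "No cookie received" line (and a fresh cookie); one that still sends the cached cookie gets "Cookie received".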

If you want to get into more details, download the free software IEHTTPHeaders, “that displays the HTTP Headers sent and received by Internet Explorer as you surf the web.” It does the same job as the Firefox add-on Live HTTP Headers. With either tool you can see exactly what information, cookies included, your browser sends to the web server when it requests a page.

December 17, 2009 at 10:44 am
