Virtually every website nowadays needs to authenticate or identify users in some manner. It’s a very important issue, especially for e-commerce servers, though most websites track their visitors for a variety of reasons.
In the physical world, it’s usually quite straightforward: authentication is often a trivial exercise which we take for granted. You may use a security pass to enter a car park or place of work and then use your library card to borrow books. Using physical credentials like a pass or card is a straightforward way of proving your identity. You can enter a building because you have physical possession of the correct pass, and you can take money from the ATM because you possess the bank card.
In the Digital World, it’s Slightly Different
When you’re online, it is slightly harder to use physical credentials in the traditional sense. The security guard can see your photographic pass, but the website can’t. The standard premise of presenting some sort of credential still holds, yet the authentication method has to be different.
Online Authentication Systems
There are lots of similarities online: you can still use many of the authentication methods that are used in the physical world, built on the same basic concepts.
The credentials need to meet at least one of the following requirements:
- Something you know
- Something you have
- Something you are
- Combination of the above
All these are known as authentication factors, and basically the higher the level of security, the more of these will be incorporated. If you’ve ever heard the term two-factor authentication, it’s referring to these requirements. A standard cash machine or ATM, for example, usually requires two different factors of authentication. To get your cash out you need a bank card (something you have) and a PIN code (something you know). Unless you have both, you won’t be successful.
It’s often the physical possession that is difficult online. Although it’s perfectly possible to supply a visitor with some sort of physical card, there’s inevitably a delay and a cost involved in doing so. One of the standard alternatives online to physical authentication credentials is something called the cookie. It’s an expression we’ve all probably heard, but I guarantee that the majority of people will be unaware of the huge power of this particular form of identification.
Authentication Cookies
What is a Cookie?
So we’ve all heard the expression, but what exactly is a cookie? There are lots of definitions around, but perhaps the simplest is that it is a transaction ID. In reality it’s a little more, as it can be an identifier or a token of agreement between two or more systems co-operating (such as the web host and your browser).
In the physical world there are many parallels. It’s very similar, for example, to leaving something for dry cleaning: you leave the item and receive a ticket in return. That ticket is only useful for one thing, to retrieve your clothes when they have been cleaned. A cookie is just like that ticket but in digital form, a simple record of a specific visit or transaction.
That’s all a cookie really is, a digital ticket recording the details of your visit. Have you ever clicked through on an advert or a web page on a particular subject? Then found yourself besieged by adverts or links to products related to that? This is because the information is stored in cookies and exchanged between browsers and web servers all the time. They link your interests, transactions and activities in the digital world and unfortunately that information is shared all over the place.
Let’s say you visit a web site for the first time – perhaps to catch up on some TV – www.uktvabroad.co.uk. Now the owners of this web site want to keep track of their visitors so they have configured their servers to pass a cookie on to each visitor. Don’t think badly of them, as virtually every website now does exactly the same. It’s nothing dangerous, simply an innocuous little text file with some unique information about your visit. The browser stores this file on your computer, and this file will be accessed and updated on every subsequent visit.
Well, I say computer, but of course we all use loads of different devices to access the internet nowadays. You’ll find cookies stored and used by all sorts of devices. They certainly are alive and well on mobile phones, as you’ll notice if you use these to browse the web. You can also block and control cookies using intermediate servers; using mobile proxies can be useful to protect your identity in these circumstances.
If you look carefully you’ll see cookies in action every time you browse. You visit a website after checking out a product, then you’ll see that product next time you visit. What’s more, you’ll see adverts or similar sites with that product for some time to come. This information is a gold mine to any retailer, e-commerce site or marketer for obvious reasons. However, let’s see how this information is recorded when you visit a website:
- The server asks my browser to store some information.
- The server supplies the session information that should be stored.
- The browser stores the information in a text file on the computer.
- The cookie stores information about the visit (no personal information).
- The cookie is supplied back to the web server every time I visit the site.
It’s important to remember that there is a strict code for cookies: they contain just information. There should never be any code included, nor should they be given any access to the computer. The primary aim is to identify subsequent visits by the same user over time. HTTP can’t normally do this because it is a stateless protocol.
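The exchange listed above, as an added Python example that is not part of the original article: a toy server issues a random session ID in a Set-Cookie header and a toy browser hands it back on later visits, which is how the server links requests over stateless HTTP. The names `sid`, `SESSIONS`, `server_handle` and `Browser` are hypothetical, and the HttpOnly, Secure and SameSite attributes are additions the article does not mention.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side store (hypothetical): session id -> record of visits.
SESSIONS = {}

def server_handle(request_headers):
    """Handle one stateless HTTP request; return (response_headers, visit_count)."""
    sent = SimpleCookie(request_headers.get("Cookie", ""))
    sid = sent["sid"].value if "sid" in sent else None
    response_headers = {}
    if sid not in SESSIONS:
        # No cookie, or an ID the server never issued: treat as a first visit.
        sid = secrets.token_urlsafe(32)   # unguessable ticket number
        SESSIONS[sid] = {"visits": 0}
        out = SimpleCookie()
        out["sid"] = sid
        out["sid"]["path"] = "/"
        out["sid"]["max-age"] = 86400     # keep for one day
        out["sid"]["httponly"] = True     # page scripts cannot read it
        out["sid"]["secure"] = True       # only sent over HTTPS
        out["sid"]["samesite"] = "Lax"    # withheld on most cross-site requests
        response_headers["Set-Cookie"] = out["sid"].OutputString()
    SESSIONS[sid]["visits"] += 1
    return response_headers, SESSIONS[sid]["visits"]

class Browser:
    """Toy browser: stores what Set-Cookie supplies and sends it back."""
    def __init__(self):
        self.jar = SimpleCookie()

    def visit(self, server):
        headers = {}
        if self.jar:
            headers["Cookie"] = "; ".join(
                f"{name}={morsel.value}" for name, morsel in self.jar.items())
        response, visits = server(headers)
        if "Set-Cookie" in response:
            self.jar.load(response["Set-Cookie"])
        return visits

if __name__ == "__main__":
    me = Browser()
    print([me.visit(server_handle) for _ in range(3)])  # same visitor recognised
    print(Browser().visit(server_handle))                # new browser, new visitor
```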
Cookies will generally make your online life much easier. They’ll remember who you are. They’ll help fill in your address or prompt you with your username. They’ll even direct you to areas that you found interesting on your last visit.
They are designed to make your revisit simpler and more rewarding; however, this comes at the price of your anonymity. Cookies today store a huge amount of information that can be used to uniquely identify you. If you are trying to protect your privacy and browse anonymously, they are definitely not your friend. For example, if you’re trying to buy multiple items from an e-commerce server using software, then you need to either delete or manage the use of cookies.
There’s no point hiding your IP address by using ATC proxies if cookies are registering your every visit and activity. However, blocking them or deleting them is relatively simple if anonymity is more important than functionality.