1.0 Background
Cookies are a method of saving information on the client machine (the user computer). Some users are wary of cookies and think they provide a breach of security that allows other programs to read information on their computer. Part of this belief stems from the fact that people cannot see what information is stored in the cookie and how it will be used.
Cookies cannot be used to "steal" information about you or your computer system. They can only be used to store information that you have provided. Let's say you fill out a form naming your favorite movie star, Tom Cruise, and the server saves this information in a cookie. The next time you visit the site, your browser returns the cookie, allowing the server to alter each web page to offer you movies such as Top Gun or motorcycles such as the one he rode in the movie. This site tailoring would probably improve your experience by presenting you with things you would be more interested in.
HTTP is a "stateless" protocol, which means that each visit to a site (or even each click within a site) is seen by the server as the first visit by the user. The server does not remember anything after a request is made unless it marks the user machine using a cookie. Each time your browser makes a request for a page, the server gets a request for each element referenced in that page (such as images, sounds, etc.). Each of these requests leaves a trail showing the name and IP address of your computer, your browser type, operating system, the Web page URL you accessed, and the URL of the last page you viewed. The common name for this log is the "Web Log" or "Web Access Log." The log contains many entries, and they would have to be correlated to determine what you were doing. With cookies that all changes.
For programmers, cookies are a method to allow saving information that will maintain the state of the site for a user. By setting a unique ID in a cookie, programmers are able to tell what content a user has seen, or even keep records of items in a shopping cart. With regard to maintaining state, ASP has a unique identifier called the session ID that is a unique cookie set on the client automatically (unless you turn it off).
1.1 Cookie Delivery
When a browser (that supports cookies) loads a page, the browser searches the client machine's stored cookies to see if there is one whose domain matches the domain of the server serving the page being requested. It also tries to match the path in the URL you have given for the page. If it finds matches, the browser sends the matching cookies in an HTTP header as part of the request to the server. Then it is up to the server to make sense of the cookie information. The cookie information can be accessed by a higher-level server-side language or by JavaScript on the client side.
1.2 Cookie Recipe
Cookies have five elements described as follows:
| Element | Description |
| --- | --- |
| Name/Value | A string identifying the cookie and the value of the cookie. This is the only required attribute. |
| Expires | A date string in GMT format that defines the cookie lifetime. The cookie will no longer be stored or given out once it expires. This is an optional attribute; if it isn't specified, the cookie will expire when the user session ends. |
| Domain | Only hosts within the specified domain can set a cookie for that domain. The default value is the host name of the server which generated the cookie response. |
| Path | The subset of URLs in a domain for which the cookie is valid. If not specified, it will be the same path as the document described by the header which contains the cookie. |
| Secure | If set, the cookie will only be transmitted across secure communications channels. |
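As an added example (not code from the original page), the following Python parses a Set-Cookie header into the five elements above, applying the defaults from the table, and then reproduces the delivery check from section 1.1: the browser attaches a cookie only when the request host is within the cookie's domain, the request path is within the cookie's path, the cookie has not expired, and a Secure cookie is going over HTTPS. The header value, host names and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    value: str
    expires: Optional[datetime]   # None = session cookie, dropped when the browser closes
    domain: str
    path: str
    secure: bool

def parse_set_cookie(header: str, request_url: str) -> Cookie:
    """Parse one Set-Cookie header; defaults follow the table above."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    url = urlsplit(request_url)
    # Defaults: the responding host, and the directory of the document that carried the header
    default_path = url.path.rsplit("/", 1)[0] or "/"
    cookie = Cookie(name.strip(), value.strip(), None, url.hostname.lower(), default_path, False)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            cookie.expires = parsedate_to_datetime(val)   # GMT date string
        elif key == "domain":
            cookie.domain = val.lstrip(".").lower()
        elif key == "path":
            cookie.path = val or "/"
        elif key == "secure":
            cookie.secure = True
    return cookie

def should_send(cookie: Cookie, request_url: str, now: datetime) -> bool:
    """True if a browser would attach this cookie to a request for request_url."""
    url = urlsplit(request_url)
    host, req_path = (url.hostname or "").lower(), url.path or "/"
    if cookie.expires is not None and now >= cookie.expires:
        return False   # expired: no longer stored or given out
    if host != cookie.domain and not host.endswith("." + cookie.domain):
        return False   # domain mismatch: host must be the cookie's domain or a host within it
    if req_path != cookie.path and not req_path.startswith(cookie.path.rstrip("/") + "/"):
        return False   # path mismatch
    return not cookie.secure or url.scheme == "https"   # Secure cookies travel only over HTTPS

# Constructed sample, not from the page: the favourite-movie-star cookie from section 1.0
SAMPLE_HEADER = "fav_star=Tom+Cruise; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Domain=.example.com; Path=/shop; Secure"
NOW = datetime(2021, 1, 1, tzinfo=timezone.utc)
```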
1.3 Browser Interaction
The browser allows adjusting privacy settings to enable users to disable cookies or to receive a prompt before accepting cookies. The user can then decide whether or not to allow the site to write the cookie. The browser can warn if a cookie is being written; however, it remains silent when a cookie is being read. In most cases disabling cookies is a drastic solution that usually inhibits full operation of most commercial sites.
1.4 Cookie Flavors
Persistent Cookies - Cookies with a defined expiration time. They are persistent because they are maintained longer than the amount of time the user is connected to the server. Because they are maintained while the user is not connected to the server, they are stored on the hard drive so they can be retrieved.
Session Cookies - Cookies that do not have a specified expiration. The name session means that they are discarded when the browser is closed. These cookies are stored in memory instead of on the hard drive.
1.5 Cookie Owners
Cookie owners are identified as either First or Third Parties.
First Party - A URL that is the top-level URL of the page being served.
Third Party - A URL that is not the top-level URL of the page being served (A cookie that is set by a domain other than your domain). A common use for a third-party cookie would be a shopping cart, banner ad, or a login session.
A server cannot set a cookie for a domain that it isn't a member of. However, that doesn't mean that just because you do not visit a domain, you can't get their cookie. At first reading that doesn't seem to make sense. However, it is easily accomplished. When a web page is requested, it is put together through many HTTP requests by the browser as it locates the various page elements such as images, file links, sounds, etc. The information returned can contain the requested object and other things, such as a cookie. If this cookie comes from a domain other than that of the top-level URL, then it is a third-party cookie. Probably the most well-known example of this technique is used by DoubleClick.
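As an added example (not code from the original page), the following Python models the two rules in this section: a response may only set a cookie for a domain the responding host is a member of, and a cookie accepted from a sub-request is first-party if its domain covers the top-level page and third-party otherwise. The page URL, resource URLs and cookie names are constructed for the example; the public-suffix rule that real browsers also apply (refusing a Domain such as `.com`) is not modelled.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a host within it."""
    return host == domain or host.endswith("." + domain)

def classify_cookie(page_url: str, resource_url: str, domain_attr: Optional[str] = None) -> str:
    """Classify a cookie carried by the response to resource_url while page_url is the top-level page.

    'rejected'    - the responding server is not a member of the Domain it claims
    'first-party' - the cookie's domain covers the top-level page
    'third-party' - the cookie's domain is some other domain
    (Real browsers also refuse public suffixes such as '.com'; not modelled here.)
    """
    res_host = host_of(resource_url)
    domain = (domain_attr or res_host).lstrip(".").lower()   # default Domain: the responding host
    if not in_domain(res_host, domain):
        return "rejected"
    return "first-party" if in_domain(host_of(page_url), domain) else "third-party"

def audit_page(page_url: str, responses: List[Tuple[str, str, Optional[str]]]) -> Dict[str, str]:
    """responses: (resource_url, cookie_name, Domain attribute or None) for each sub-request."""
    return {name: classify_cookie(page_url, url, dom) for url, name, dom in responses}

# Constructed sample (not from the page): a news page whose images come partly from
# the site itself and partly from an ad network, the DoubleClick-style pattern above.
PAGE = "http://www.example.com/news/index.html"
RESPONSES = [
    ("http://www.example.com/img/logo.gif", "sid", None),                      # own server, no Domain
    ("http://img.example.com/photo.jpg", "pref", ".example.com"),              # own domain, parent Domain
    ("http://ad.adnet-example.net/banner.gif", "uid", ".adnet-example.net"),   # ad network
    ("http://www.example.com/img/spacer.gif", "bogus", ".adnet-example.net"),  # claims a foreign domain
]
```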