Jeff Kabachinski

It does not take long for your browser to create a gigantic pile of cookies. Delete your cookies, and a new pile is in their place an hour of browsing later. Change your Internet security selection for accepting third-party cookies to “prompt,” and you will be asked twice for every third party looking to track you. Recently, I counted about a dozen times to accept a cookie with every mouse move after I switched to “prompt,” making it very tough to use the Internet.

Bottom Line

Then, there are the cookies that will not die. Called Zombie cookies, these are duplicated and planted in places other than the usual and benign cookie log/file. These are not actually cookies—they are malware planted on your computer without your consent or knowledge—I hate that! The Zombie master looks to see that all the cookies it created are still available, and, if not, it just duplicates them to store in eight or more places. I am not sure if they come out after midnight when everyone is asleep (except for the BMET on call!) to moan and roam your hard drive, but they can gather data to create a rich profile of you. Obviously, if you are using the Internet at work, it could spell privacy trouble for your organization and patients. Cookie use has changed over the past few years, making it necessary for everyone to increase awareness and be watchful.

Cookies are a feature of hypertext transfer protocol (HTTP) used on the Internet. They solve a basic problem: the Internet and HTTP are stateless—they do not remember previous transactions. The Web server sends the page you asked for, and that is it. It is a one-shot deal, and it immediately forgets you—unless, of course, there are cookies involved.

A cookie is a benign short text file created by the Web site and stored on your computer as a way to recognize you and keep track of your preferences. Cookies “maintain the state.” A cookie includes information about the transaction (who asked for what) with a unique ID or session number, which can be used later by the recipient or a third party to recall a state. Cookies also contain an expiration date and the domain (group of servers for a particular URL) that the cookie is valid for. HTTP cookies are not executable and cannot be used by any other Web site (domain). As text files, they cannot snoop, self-replicate, phone home, or gather personal data from your computer. But not all “cookies” are really cookies.

It’s a Big Deal

Cookies do serve a purpose. They automatically ID the client for the server, thereby shortening a log-in process. They can help to track your shopping preferences and what is in your shopping cart as you browse or shop from page to page or site to site.

The types of cookies to be aware of include:

  • A session cookie: A first-party cookie used to track states for a particular session only. It expires upon closing the browser or times out if no activity is logged (“session idle timeout”). This represents the original use of a cookie.
  • A persistent cookie: It lasts longer than one session. For example, if the expiration date is set for a year from now, the initial cookie values will be sent back to the Web site whenever you visit during that year. For this reason, persistent cookies are sometimes called tracking cookies. A persistent cookie can be used up to the expiration date or until the user erases it.
  • A secure cookie: This is for secure mode (HTTPS). The encrypted cookie is more difficult to steal data from.
  • An HttpOnly cookie: It can only be used when transmitting HTTP or HTTPS requests. This makes the cookie data unavailable to client-side scripting (ie, JavaScript) and lessens the chance of cookie theft via cross-site scripting.
  • A flash cookie: Adobe Flash uses local shared objects (LSOs) known as flash cookies, where Web sites can store files or cookies in the user’s flash memory space separate from your cookie folder. I deleted my cookies then went to a weather site for the first time recently, and up came my town! How did it know where I was? Somehow it knew my zip code, but I never agreed to profiling or to storing information about me on my computer! In the United States there have been lawsuits filed for using LSOs in this way, and in some countries it is illegal to track users without their knowledge and consent.
  • A third-party cookie: First-party cookies are set by the Web site server, and they have the same domain or subdomain as shown in the browser address bar. Third-party cookies come from another Web site and therefore have a different domain from the one shown. One way this happens is by going to Web sites that host advertising from another Web site auto-populated on its behalf. Ever notice how some ads seem to lag slightly behind in a Web page that is loading? It is due to gathering data from third parties to create the page. For example, the DoubleClick Web server can put a tiny 1- x 1-pixel GIF file on the client allowing it to load cookies. Then it can track your Internet use over multiple sites. It also might even be able to discern your Web search strings.
  • A super cookie: This is a cookie with just a public suffix domain (.com or .org, for example). Browsers accept first-party cookies from the Web site’s domain or subdomain. Then when you browsed to this site, the client would also accept the cookie from—but not just .com. That would leave it wide open to any .com site like

  • A zombie cookie: This cookie is automatically recreated whenever it has been deleted. Most likely an uploaded JavaScript application is somewhere on your hard disk recreating the cookie based on stored data whenever its absence is discovered. The zombie application duplicates the zombie cookies and stuffs them away in different locations.
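
Most of the cookie types in the list above correspond to attributes of the HTTP `Set-Cookie` response header, so they can be checked mechanically. The following is an added example, not part of the original column: it labels a header as session or persistent, Secure, HttpOnly, first- or third-party, and super cookie. The function names, the sample hosts and headers, and the four-entry suffix set are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed stand-in for the public suffix list (assumption: a real audit
# would load the full list maintained at publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def classify(set_cookie, response_host, page_host):
    """Label one Set-Cookie header using the cookie types listed above."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    name, morsel = next(iter(jar.items()))
    # No Domain attribute means the cookie is scoped to the host that set it.
    domain = morsel["domain"].lstrip(".").lower() or response_host.lower()
    page = page_host.lower()
    return {
        "name": name,
        "domain": domain,
        # No Expires/Max-Age: the cookie ends with the browser session.
        "persistent": bool(morsel["expires"] or morsel["max-age"]),
        "secure": bool(morsel["secure"]),      # only sent over HTTPS
        "httponly": bool(morsel["httponly"]),  # hidden from page scripts
        # Third party: cookie domain does not match the address-bar host.
        "third_party": not (page == domain or page.endswith("." + domain)),
        "supercookie": domain in PUBLIC_SUFFIXES,
    }

def findings(c):
    """Turn the labels into the notes a privacy/security reviewer would raise."""
    checks = [
        (c["supercookie"], "domain is a bare public suffix"),
        (c["third_party"] and c["persistent"],
         "persistent third-party cookie (cross-site tracking)"),
        (not c["secure"], "no Secure flag: sent over plain HTTP too"),
        (not c["httponly"], "no HttpOnly flag: readable by page scripts"),
    ]
    return [text for hit, text in checks if hit]

# Constructed samples: (Set-Cookie value, host that sent it, address-bar host)
SAMPLES = [
    ("sid=abc123; Path=/; Secure; HttpOnly", "shop.example.com", "shop.example.com"),
    ("uid=7f3a9c; Max-Age=31536000; Domain=.tracker.example.net; Path=/",
     "px.tracker.example.net", "shop.example.com"),
    ("id=1; Max-Age=31536000; Domain=.com; Secure; HttpOnly",
     "shop.example.com", "shop.example.com"),
]

if __name__ == "__main__":
    for header, sender, page in SAMPLES:
        c = classify(header, sender, page)
        print(c["name"], c["domain"], findings(c) or ["no findings"])
```

Flash cookies and zombie cookies do not appear here because they are stored outside the HTTP cookie jar and never show up as `Set-Cookie` attributes.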

Zombie cookies represent one of the relatively new Internet privacy threats. Now is a good time to become more watchful about Internet security as 4G begins to roll out in earnest and there are millions more users and hackers online. Network security is not just the responsibility of the IT department. Keep an eye on your cookies!

Jeff Kabachinski, MS-T, BS-ETE, MCNE, has more than 20 years of experience as an organizational development and training professional.