Exercise 14: Electronic payments and security II
Q1. What are cookies and how are they used to improve security?
Answer:
Webopedia (2009) describes a cookie as a message given to a Web browser by a Web server. The browser stores the message in a text file. The message is then sent back to the server each time the browser requests a page from the server.
The main purpose of cookies is to identify users and possibly prepare customized Web pages for them. When you enter a Web site using cookies, you may be asked to fill out a form providing such information as your name and interests. This information is packaged into a cookie and sent to your Web browser which stores it for later use. The next time you go to the same Web site, your browser will send the cookie to the Web server. The server can use this information to present you with custom Web pages. So, for example, instead of seeing just a generic welcome page you might see a welcome page with your name on it.
How are they used to improve security?
Wikipedia (2009) states that the web server can specify the secure flag while setting a cookie; the browser will then send it only over a secure channel, such as an SSL connection. Moreover, the web page http://www.jguru.com/faq/view.jsp?EID=425611 shows an example of how to make cookies secure. The example is listed below:
'secure' per RFC2109 as in...
//snip
Set-Cookie: JSESSIONID=893ihewwydkq2764@&@09; Path=/; secure
//snip
Marking the cookies this way ensures they cannot be delivered over an unencrypted session such as HTTP.
Using these three methods together makes a cookie reasonably 'SECURE'
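The browser-side rule described above (a cookie marked secure is only sent over an encrypted connection) can be modelled in a few lines. This is an added example, not code from the jGuru page or from any browser; the function names, the sample headers and the shop.example host are constructed for illustration, domain matching is assumed to have already succeeded, and a missing Path is simplified to "/".

```python
from urllib.parse import urlsplit

def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attributes)."""
    first, *rest = [p.strip() for p in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs

def path_matches(request_path, cookie_path):
    """Path-match rule from RFC 6265, section 5.1.4."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def would_send(header_value, url):
    """Would a conforming browser attach this cookie to a request for url?"""
    _, _, attrs = parse_set_cookie(header_value)
    target = urlsplit(url)
    if "secure" in attrs and target.scheme != "https":
        return False  # secure cookies never travel over plain HTTP
    return path_matches(target.path or "/", attrs.get("path") or "/")

def missing_secure(headers):
    """Audit helper: names of cookies that were set without the secure flag."""
    return [parse_set_cookie(h)[0] for h in headers
            if "secure" not in parse_set_cookie(h)[2]]

# Constructed sample headers (values are made up for this example)
SAMPLE = [
    "JSESSIONID=abc123; Path=/; secure",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for h in SAMPLE:
        for url in ("http://shop.example/cart", "https://shop.example/cart"):
            print(f"{h!r:45} -> {url}: {would_send(h, url)}")
    print("missing secure flag:", missing_secure(SAMPLE))
```

Running it shows the session cookie withheld from the http:// request and sent on the https:// one, while the unflagged cookie goes out on both and is reported by the audit helper.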
References:
1. Webopedia (2009). "What is cookie?". Webopedia The #1 Online Encyclopedia dedicated to computer technology, Retrieved from URL - http://www.webopedia.com/TERM/c/cookie.html
2. Wikipedia (2009). "Http cookie". Wikipedia The Free Encyclopedia, Retrieved from URL - http://en.wikipedia.org/wiki/HTTP_cookie
21 Apr 2009