Cookies and cookie handling in Opera 7 explained

About this document

This document is a mini tutorial on cookies. Its targets questions such as: what is a cookie, how is it used, is it anything dangerous for your privacy, and how are cookies handled in Opera 7.

Please read the NON WARRANTY Disclaimer! about this document. This document has been edited according to suggestions of an Opera Software profesional (opera.general newsgroup), 2003-Sep-20th.

I would be happy to receive suggestions and advices concerning the content on this page.

English descriptions in the GUI of Opera's cookie settings are kind of obscure. This document is trying to clear this obscurity. References to sources of clarity, as well as to related storie(s), can be found at the bottom of this page.

General concepts

Cookies explained: Normal | Third Party | Illegal

Opera 7 cookies handling: Server Manager | Normal | Third Party

General concepts

What are cookies?

Cookies are small pieces of information that some sites want to store in your browser. After sites have stored cookies in your browser, sites can access these cookies (these pieces of information) later.

Today, the proper functioning of many sites rely on browser's ability of cookie handling. Unfortunately, cookies can be of a privacy concern.

Servers and domains

It is very easy to undestand, but very hard to explain. So I prefer giving you examples:

• www.example.com, fun.example.com, jokes.fun.example.com, www.example2.com, evil.example2.com are all examples of servers. They can be contacted on the Internet.
• example.com, example2.com are examples of domains. They are owned by someone -- a man, a company, an organization... They can be contacted on the Internet.
• www.example.com, fun.example.com, jokes.fun.example.com are three different servers in the same registered example.com domain.
• There is a special category of domains that can not be contacted on the Internet. Instead, they are suffixes for many registered domains:
  • com, net, org, etc. (top-level domains)
  • no (Norway), bg (Bulgaria), ru (Russia), etc... (national domains)
  • co.uk (United Kingdom commercial), co.jp (Japan commercial), etc. ("specialized" national domains)
• domA.com, domB.com are two different registered domains in the same top-level com domain.
  domA.bg, domB.bg are two different regostered domains in the national bg domain of Bulgaria.
  domA.co.uk, domB.co.uk are two different registered domains in the national commercial co.uk domain of United Kingdom.

Cookies and privacy

Cookies may have many things to do with your privacy. You or your system administrator may have to think about it.

What are normal cookies?

Usually your activites on site A should remain just between you and the site A. Your activity on site A does not exceed into other sites. (Un)fortunately, cookies can be a source of information leakage into other sites. If a cookie does not cause such information leakage, you have normal cookies.

What are third party cookies?

Imagine that you (your browser) speak with your chief (site A) about some company secrets, while your competitor(site B) has installed a microphone in the room and listens to your conversation.

Sometimes site A's pages contain implied references (the "microphone") to site B (eg. to an image kept on site B). Your browser follows the reference, silently contacts site B and in this process site B trys to set a cookie on you.

In this situation, site B acts as third party, since it gets information about your activitis on site A. The site B'cookie is third party cookie. Your browsing activity on site A silently exceeds into site B.

But, are all sites B assumed as third party, while you are browsing site A?

No. If you browse site A (www.domA.com/site/A), then:

• www.domB.com/site/B is third party
• www.domA.com/site/B is not third party (sites A and B are on the same server www.domA.com)
• fun.domA.com/site/B is not third party (A and B are on different servers (www.domA.com and fun.domA.com), but still in the same domain reach (domA.com).

Strictly speaking, third party cookies make a legal use of cookies. To repeat the actual privacy concern: The third party site silently gets information about your browsing activity on site A, and you are not aware of this silent fact! Such information leakage can be used for "good" or "bad" purposes.

Examples of "good" purposes: Site B tracks the number of visitors on site A. Or: Site B keeps ad baners for site A and tracks down which banners have been already seen by you.

Examples of "bad" purposes: Site B tracks down your personal activities on site A.

Please note that a purpose may be "good" or bad "bad" depending on many factors. It is your choice of freedom to define what is "good" or bad "bad" for yourself.

What are illegal cookies?

When some site A sets a cookie in your browser, site A also instructs your browser about who can access the cookie. Cookies with illegal instructions are illegal cookies.

If you want to prevent abuse, you should not allow illegal cookies

Cookies with illegal domains

A site may want to set a cookie on you, ordering it to ba accessible to all servers in its registered domain. Eg site A (www.domA.com/site/A/) wants to set a cookie, ordering it to be accessed by every server in the same registered domA.com domain. This usually makes a good dose of sense. This way if you have looged in on server login.domA.com, you can be treated gently as a customer on e-cards.domA.com, fun.domA.com, clubs.domA.com, etc. This is a legal use of cookie and happens often.

But, imagine a site wants to set a cookie on you, ordering it to be accessible to all sites in an unregistered domains such as top-level ones com, net,..., or national ones no, bg..., or "specialized" national ones co.uk, co.jp,...

This is an illegal use of cookies, since such cookie will be immediately accessible to many potentially abusive servers in the world that have nothing to do with your activity on the web!

Opera can esily detect this illegal use of domains such as top-level ones com, net,..., or national ones no, bg.... Thus Opera will never accept such missuse of cookies. Nevertheless, you can choose Opera to warn you about such cookies.

Cookies with "indirectly" illegal domains

It is a bit complicated with unregistered domains such as "specialized" national ones co.uk, co.jp. How can Opera know if yy.zz is a "specialized" national domain, suffix for many other registered domains, or is itself an usual registered domain in national zz domain?

The answer is simple. Opera can use Domain Name Service to check if yy.zz is a registered domain. If the check fails, Opera assumes yy.zz is "specialized" national domain.

Thus if site D (www.domD.yy.zz) wants to set a cookie, ordering it to be accessible to yy.zz, Opera will first check (using Domain Name Service, DNS) if yy.zz can be contacted on the Internet. If DNS check fails, Opera will accept the cookie, but will silently restrict the later access to the cookie just to the site D's server www.domD.yy.zz, instead of allowing it to all servers in the yy.zz domain.

Cookies with illegal servers

Imagine site A (www.domA.com/site/A/) is setting a cookie in your browser, ordering the cookie to be accessible to site B (www.domB.com/site/B/). This is an illegal use of cookies. Opera will never accept such missuse of cookies.

Cookies with illegal paths

Imagine site A (www.domA.com/site/A/) is setting a cookie ordering it to be accessible by another site on the same server (www.domA.com/site/C/). This is an illegal use of cookies, but it happens kind of often. You may choose to allow cookies with illegal paths.

Cookie settings in Opera 7.2

Cookie handling in Opera 7 is governed by a number of options found under File -- Preferences -- Privacy.

Please note also that some English descriptions in the cookie handling preferences have been changed from Opera 6 thourgh Opera 7.2. This does not imply any change in behaviour though.

Should I enable cookies at all?

Once upon a time, in a Galaxy far and away, browsers were not cookie aware. Today many sites rely on proper cookie handling. So you may have to decide on enabling cookies in Opera. This is done by the checkbox in front of Enable cookies.

How do I handle cookies in Opera?

The general behavour is controlled by the dropdown for normal cookies, and the dropdown for third party cookies, and the checkboxes below them. Use the checkboxes if you want to specify a general accept/refuse behaviour for illegal path or illegal domains.

You can also create server-specific filters (eg. for server hi.A.com) or domain-specific filters (eg. for domain A.com).

Domain-specific filters (eg. for domain domA.com) will apply for all servers in the specified domain (eg., fun.domA.com, serious.domA.com, evil.domA.com, etc.).

The general settings for Normal cookies and Third party cookies may blend with the specific filters, created in the Server Manager.

Server manager

You can call the Server Manager using the Manage cookies... button

In the Server manager, you can set accept/refuse cookie filters for specific servers. You set a special filter by turning off the checkmark in front of Lend settings for normal cookies.

In Server Manager, you can force it to show just the filters. This is done by turning off the checkmarks in front of Cookies and Wand. Otherwise, you will have listed all cookies and/or Wand logins currently present in Opera.

In the special filter for a specific server, you can specify:

• Apply these settings for entire domain -- Use it if you want your special filter to be applied on all servers in the domain. Eg., filter for domain domA.com will be applied to fun.domA.com, serious.domA.com, angel.domA.com, evil.domA.com, etc.
  • Be careful!
    There is a special concern with this option when applied with some "specialized" national domains. You can set a filter to allow cookies for a special domain such as co.uk domain. If you do so, you allow illegal use of co.uk "specialized" national domains. You actually forbid the only way available for Opera to prevent you from cookies such "indirectly" illegal cookie.
• Accept cookies for server/domain -- accept normal cookies from the server/domain.
• Accept third party cookies for server/domain -- accept cookies from the server/domain even if this server/domain acts as a third party. Eg, if you don't mind site B to count you as a visitor of some other site, you can accept third party cookies for server B.
• Accept cookies with illegal paths -- You can turn it on if you don\'t mind cookies with illegal paths from this server.

Normal cookies dropdown explained

Refuse all without question

Silently refuse normal, and also refuse third party cookies, without applying Server Managers's accept/refuse filters.

Display in dialog box with multiple choice

Silently apply Server Manager's accept/refuse filters, and ask what to do in case cookie comes from server not specified in Server Manager.
Note that in case Opera asks you what to do with cookie from server not specified in Server Manager, you are proposed to select between a number of options. Beware that by some of these options you automaticaly create a permanent filter for the new server/domain. Others of them let you choose just a temporary solution, without creating a permanent filter.

Treat as specified in Server Manager

Silently apply Server Manager's accept/refuse filters, and silently refuse in case cookie comes from server not specified in Server Manager.

Accept all without question

Silently accept all normal cookies without applying Server manager's accept/refuse filters.

Third party cookies dropdown explained

Accept only cookies set to the server itself

Silently accept third party cookies only if the third party cookie will be returned to the (third party) server sending it. Server Manager's accept/refuse filters still apply. Third party cookies from servers not specified in Server Manager will still accepted too. But only for cookie that will be returned to the same third party server.
Eg. you browse site www.domA.com/site/A/. The third party site www.domB.com/site/B/ trys to set a cookie on you, ordering it to be accessible for all servers in the domB.com domain. Even if you have a special filter that allows third party cookies for the domB.com domain, this cookie will be refused.
Another example: You browse site www.domA.com/site/A/. The third party site www.domB.com/site/B/ trys to set a cookie on you, ordering it to be accessible for a site on the same third party server. If your filters do not forbid third party cookies for the www.domB.com server, this cookie will be accepted.

Refuse all without question

Silently refuse all third party cookies, without applying Server Manager's accept/refuse filters.

Display in dialog box with multiple choice

Apply Server Manager's accept/refuse filters, and ask what to do in case third party cookie comes from server not specified in Server Manager.
Note that in case Opera asks you what to do with cookie from server not specified in Server Manager, you are proposed to select between a number of options. Beware that by some of these options you automaticaly create a permanent filter for the new server/domain. Others of them let you choose just a temporary solution, without creating a permanent filter.

Accept all without question

Apply Server Manager's accept/refuse filters for third party cookies, and silently accept third party cookies comes from servers not specified in Server Manager.

References

• A dedicated article on Privacy and cookies at opera.com's knowledge base.
• Questions on the subject have been raised a number of times on Opera users mailing lists and newsgroups. It is especially of interest to drop an eye at the Google's cache of Third party cookies?! discussion at opera.tech newsgroup.
• When I wrote this page and announced it as Cookies and cookies handling in Opera 7 explained thread in opera.general newsgroup, I was given some corrections and suggestions by an Opera Software professional. I have implemented them in the current document.
• Again in Cookies and cookies handling in Opera 7 explained thread in opera.general newsgroup, a link was published to concerning some cookies issues in Internet Explorer