ECE4112 Internetwork Security
Tracking Cookies
Group Number: ______
Member Names: ______
Date Assigned:
Date Due:
Last Edited: December 3, 2007
Lab by: Phillip Shatzman and Jeff Magee
Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions in the Answer Sheet and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the Date Due.
Goal:The goal of this lab is to introduce you to the concepts and theory behind what tracking cookies are, what they can do, and how they work.
Summary:You will be given a background on what tracking cookies are and how they work. You will then see these concepts in action as you visit a series of web pages. This will be followed by analysis of the JavaScript code which reads and sets cookies. The lab concludes with ways to prevent tracking cookies from getting on your computer and how to remove them once on there.
Setup: This lab requires apache to be setup on the RedHat WS 4.0 machine. Instructions for this can be found in the Web Security lab, Section 0. This lab also requires the use of the Windows XP virtual machine in Section 4.
Background and Theory:
Tracking Cookies
In web security there is a type of cookie known as a tracking cookie. These cookies typically track your internet browsing for various reasons. Most of these reasons are for marketing purposes, such as an online retailer looking into a tracking cookie on your computer and seeing what type of products you have been viewing. The website can then look into its inventory and prominently display the types of products you like. Obviously, the reason above is non-malicious, and many people feel like the internet is enriched because of this. There are some companies that use the data for reasons that may not be as nice as pure marketing. A tracking cookie may track your internet habits and then be compiled in a database where your habits can be viewed by companies that want to know this information. This is a serious breach of privacy. There are several ways to deal with these cookies outlined during the lab.
Websites can also store more than one cookie on your computer. For example, if you are to visit one of the major tracking cookie websites (e.g. a company such as Link4Ads), you will notice that many different companies tracking cookies are on your computer.
Tracking cookies do not necessarily have to come from the website you are currently visiting either. If you are browsing the web and a pop-up banner appears, there is a good chance that a “third-party” cookie was added. Most of the serious tracking cookie companies use these type of ads to spread these cookies around (for example, DoubleClick). Whenever you are surfing the web it is nice to have the piece of mind that all of your actions are not being compiled for some company to use for its own profit.
Prelab Questions: None.
Download the file cookie_webpages.tar.gz from the server and unzip them in to your apache2/htdocs/4112/ directory. When unzipped you should have four new folders (ads, casino, florida, retire) created in your 4112 directory. Each of these folders acts as a separate domain.
Section 1: Cookies in action
In this section you will visit several websites made to demonstrate how advertisers might use cookies to track and target advertisements to people. The websites are as follows (where <your IP address> is replaced with the IP of your Redhat WS 4.0 machine):
- IP address>/ece4112/florida/index.html
A mock website about Florida.
- IP address>/ece4112/casino/index.html
A mock website about casinos.
- IP address>/ece4112/retire/index.html
A mock website about retirement.
You may want to bookmark these webpages as you will be visiting them frequently in this lab (in Firefox, Ctrl+D).
Depending on which webpages you visit and in which order, advertisements will change such that they correspond with past websites you have visited.
Visiting the webpages:
Open up Mozilla and in the address bar go to:
IP address>/ece4112/florida/index.html
The webpage will contain three frames. The top will be a welcome message with the topic of the webpage. The middle will contain an advertisement. The bottom will contain random information about the topic of interest.
Question 1.1: What is the advertisement you see about? (It is underlined.)
Now go to IP address>/ece4112/casino/index.html
Question 1.2: What is the advertisement you see about?
Clear the cookie set by the webpage from Mozilla.
- In Mozilla, click on Edit Preferences
- In the top menu bar with all the icons, click on the image of the Lock (Privacy)
- Click on the “Cookies” tab
- Click the “View Cookies” button
- Under the “Site” column, find localhost and click on the folder
- Click the Remove Cookie button at the bottom of the window
- Click “Close” twice to return to browser window.
Close and re-open Mozilla. Now go back to the casino website:
IP address>/ece4112/casino/index.html
Question 1.3: Is the advertisement the same as before? Why or Why not?(see text below for hints)
Feel free to browse each of the websites in any order you want. Each time you visit a website, information is stored, via cookie, to note where you have been. Eventually, after visiting all three websites, you will see the same advertisement no matter where you go until you clear the cookie.
Section 2: Making Cookies (with computer code)
We know that cookies can only be read from domains with the same name. Yet here we are visiting three webpages with different “domains” (florida, casino, retire) and all are able to share data regarding where you have been. To try and figure out how this is accomplished, go to the Florida webpage:
IP address>/ece4112/florida/index.html
Since the middle frame is the advertisement frame, it would be logical to assume we can see how exactly the cookie process works by viewing the source of this frame. Inside the middle frame of the webpage:
- Right Click the mouse
- Click “This Frame”
- Click “View Frame Source”
There appears to be no code in there which does anything other than display the text of the advertisement. This is because the webpage responsible for reading and storing cookie information redirects the user to a different location containing the advertisement.
You’ll notice that each frame has a separate webpage source. This is a common practice on many webpages, especially with advertisers. However, by using more complex functions, it is not as apparent as the three separate frames used here.
View the source of the florida/index.html webpage to answer the next question.
Question 2.1: What is the webpage that is responsible for carrying out the cookie operations and redirecting you?
Now that we know the actual webpage that is the “brains” behind the operation…
Question 2.2: How are all three webpages able to access the same cookie? (Hint: You may want to view the source of the other index.html pages and see what they have in common.)
To see how everything works lets take a look at code of the cookie management page which we found in the answer to Question 2.1.
Open Mozilla, type in the webpage to the address bar, and press enter.
You should have been redirected to the advertisement page automatically and now see the same thing which was in the middle frame of the index.html page. Viewing the source once again doesn’t give you any information. Anytime something “complex” like this is done, chances are it is because of some script language. In this case, javascript is used to redirect people who visit that webpage elsewhere.
While redirection is not always the case, it does present one complication in trying to decipher how webpages use cookies and how the code works. Fortunately for us, the webpage is stored on our hard drive (and is provided in Appendix B) so we can view the code easily using a text editor.
Question 2.3: If we didn’t have the webpage stored on our hard drive, how could we get around the automatic redirection so that we can view the webpage source?
The next few questions involve analyzing code located in Appendix B. This code may look familiar. It was used in the Web Security lab and has been modified to fit our purpose. Within the code there are comment lines to make it easy for you to find the sections of code the questions are referring to. The questions should step you through so that you can figure out exactly how the webpages are tracking you.
On a side note, it is often very helpful when debugging/deciphering code to display the values of variables to the screen. In javascript this can be done using the alert() function. For example, if you want to know the value of the variable foo, adding the line of code:
alert(“Foo is “+foo);
will display in a pop-up dialog box: “Foo is ” followed by the value of foo.
Question 2.4: What does the if statement “if (CookiePieces[0].substring(0,1) == ' ' )” do?
Question 2.5: What code/variable contains the name of the cookie? What is the cookie name used?
Question 2.6: What code/variable contains the value of the cookie?
Question 2.7: Assuming the if statements are not taken, what does the line
“else window.location.href=returnval+".html"” do?
Question 2.8: Given what has been learned by answer the above questions, how are users tracked (by this method) when going from website to website? Include which cookie field is being manipulated and how the field is changed depending on the website visited.
Question 2.9: Would it be possible to track a user using a method other than manipulating the cookie field used in this example? If yes, how? If no, why not?
Section 3: Cookie Defenses
Firefox can be found at the following website: firefox/
Despite the fact that these particular types of cookies don’t do any real harm, it can easily be seen as an invasion of privacy and undesirable to have them on your computer. Below are several options on how to prevent tracking cookies from getting on your system and removing any that are already present.
The directions listed below can be performed on the RedHat WS 4.0 machine with Mozilla Firefox. The same methods of preventing / removing cookies should be available on most other browsers. For information on how to perform the methods listed below on Internet Explorer, see Appendix C.
Delete all cookies on browser close
For this method, while you are browsing the internet, cookies can be stored on your computer and you may be “tracked”. However, after closing, all websites will forget who you are. The positive is the next time you open your browser, no website will know where you have been previously, and you get a clean slate. The negative is that websites which you may want to remember you (via username and password for example) won’t know who you are either, and you will need to re-enter your account information.
Visit the Florida webpage and then the casino webpage. It should show an ad about a casino in Florida or (if you also visited the retirement page recently) an ad about a casino retirement home in Florida.
To set the cookies so they clear upon closing.
- In Mozilla, click on Edit Preferences
- In the top menu bar with all the icons, click on the image of the Lock (Privacy)
- Towards the bottom of the window, click the “Settings…” button
- Under Private Data, check the box next to “Cookies”
- Under Settings, check the box next to “Clear private data when closing Firefox”
- Click OK.
- Click Close.
Now close Firefox. If the “Ask me before clearing private data” box was checked (default) it will prompt you to clear your private data. Click the box with the green check titled “Clear Private Data Now”.
Re-open Firefox and visit the casino webpage.
Question 3.1: Did clearing the cookies work? (Do you now see an ad only about casinos?)
If you now go to the Florida webpage, once again you will be “tracked” and the Florida casino add will appear.
Undo the changes to Firefox just made by un-checking the “Clear private data when closing Firefox” button.
“Learning” (aka, deal with it as they come)
In reality, there is no “learning” done by this method, but rather manually blocking unwanted cookies as they appear on your system. Once a domain is blocked, it will be unable to store cookies on your computer.
Once again, visit the Florida and casino webpages. To block a domain.
- In Mozilla, click on Edit Preferences
- In the top menu bar with all the icons, click on the image of the Lock (Privacy)
- Click the “Cookies” tab
This first method of manually blocking domains is the most common way for most browsers to individually block cookies.
- Click the “View Cookies” button
- Look at the name of the site that set the cookie. Usually it will be <something>.com. After remembering the name of the site, click Close.
- Click the exceptions button
- Type the site name (localhost in our case) in the box titled “Address of web site:”.
- Click “Block”. Click Close.
Visit the retirement website.
Question 3.2: Do you see a combined message ad (ex. Florida/casino/retirement) or a single purpose ad (just retirement)?
Question 3.3: Is the cookie that was previously stored still on the computer?
Alternatively you could have done the following:
- In Mozilla, click on Edit Preferences
- In the top menu bar with all the icons, click on the image of the Lock (Privacy)
- Click the “Cookies” tab
- Check the box next to “unless I have removed cookies set by the site”
- Click the “View Cookies” button
- Click on the unwanted cookie.
- Click the “Remove Cookie” button at the bottom. Click Close.
Firefox has now automatically removed the cookie and added it to the “blocked” list.
A reverse approach (learning which cookies to accept) can be done by blocking all cookies (see next section) and adding to the Exceptions list only those cookies you want on your computer.
Undo the changes done in Firefox by removing the domain “localhost” from the blocked list. Remove the localhost cookie if it is not already removed.
Block All Cookies
This option is the most effective, but also the most extreme and thus,can cause the most headaches. Since cookies do have a valid purpose and many websites require them, this method can make surfing the web a large pain.
- In Mozilla, click on Edit Preferences
- In the top menu bar with all the icons, click on the image of the Lock (Privacy)
- Click the “Cookies” tab
- Uncheck the box next to “Allow sites to set Cookies”
- Click Close
Visit all three webpages.
Question 3.4: At any time did you see a combined message ad?
Question 3.5: Was the cookie ever able to make it on to the computer?
Section 4: Spybot – Search and Destroy (A Non-Browser Tracking Cookie Solution)
Web browsers only provide limited control over cookies, and most of the “control” is just blocking all of a certain type of cookie. Thankfully, most cookies on the internet are purely to provide services to the user. While there is the option to block all cookies, this severely limits the power of the internet. There is a third-party solution to help with this problem. This is a program known as “Spybot – Search and Destroy”, or simply just Spybot. Spybot is freeware, so costs are not an issue. For personal use, Spybot can be downloaded from
This experiment will be done on your Windows XP virtual machine.
- Start up your Windows XP virtual machine
- Download from the NAS server to your XP machine the following files: “Firefox Setup 2.0.0.11.exe”, “spybotsd15.exe”, “spybotsd_includes.exe”, and “cookies.txt”. They will be included in the cookies_spybot.zip file.
- Using basic Windows installation techniques, install Firefox Setup 2.0.0.11.exe.
- Using basic Windows installation techniques, install spybotsd15.exe.
- Using basic Windows installation techniques, install spybotsd_includes.exe.
- Assuming you installed Firefox with default settings, put the cookies.txt file into this directory: “C:\Documents and Settings\<user name>\Application Data\Mozilla\Firefox\Profiles\<random characters>.default”
After installation, run Spybot; thenclick on the “Mode” menu at the top and choose advanced user. Then on the left-pane choose the settings block. Inside settings choose “File Sets”. Once inside the menu, the scanning options can be selected. Since all we want is to use this software for tracking cookies, un-select all the options except “cookies.sbi”. If you have done everything correctly then your screen should look like the below screenshot.