Hack 52. Stomp on Cookies
Track, trap, configure, kill, create, and otherwise diddle with HTTP cookies.
HTTP is a stateless protocol, meaning that each web request made by the browser is independent of all other requests. This greatly preserves the user's privacy. Cookies are an enhancement to the HTTP standard that introduces tracking information that web browsers and servers can share. That tracking information consists of (usually) a single HTTP header line that goes back and forth between the User Agent (browser) and the server. Cookies include a small amount of access-control information based on URLs and expiry dates. This hack explains how to manipulate cookies from the browser side, once they're generated.
Cookies are based on a vendor specification written by Netscape Corporation (you can view that specification at http://wp.netscape.com/newsref/std/cookie_spec.html). Since then, cookies have been more formally defined in RFC 2109. The name cookie derives from the intended use of the header data: the supply of an opaque token useful only for session identification (from magic cookie).
Particularly in Netscape 4.x and earlier, the number of cookies that browsers would maintain per site was limited to 20. That limit no longer applies, even though one cookie per site is usually enough.
5.10.1. Using the Cookie Manager
To open Firefox's Cookie Manager, start with the Options dialog box, click Privacy, and expand the Cookies item that appears in the right pane. Click on Exceptions to view a blacklist of sites that you don't want to create cookies for you. Alternatively, select View Cookies to manage the currently stored cookies. The Cookie Manager won't let you modify cookies in place; you can only delete them or ban sites from using them.
The options variously reported as "Keep Cookies until I close Firefox" or "Allow for Session" mean the same thing: the cookies will not be written to a file on disk. When they are written, cookies appear in the human-readable file cookies.txt, stored in the user profile.
To delete lots of cookies at once, open the View Cookies dialog box and use Windows-style mouse-selection techniques. Left-click to highlight one cookie, and then Shift-left-click to highlight another cookie that marks the end of a set to be deleted. The resulting block of highlighted cookies can then all be deleted by clicking the Delete button. Similarly, you can select noncontiguous cookies with Control-left-click (Command-left-click on Macintosh).
5.10.2. Using Cookie Extensions
There are at least two extensions available for manipulating cookies.
5.10.2.1 View Cookies extension
To locate the View Cookies extension, open the Extension Manager and go to the end of the All list of extensions. It's also available at http://www.bitstorm.org/extensions/. This extension discreetly adds an additional tab to the Tools → Page Info dialog box that allows you to view details of the current web page. Figure 5-8 shows this tab after it's been selected and after the sole existing cookie has also been clicked.
Figure 5-8. The Cookies tab added by the View Cookies extension
5.10.2.2 Add & Edit Cookies extension
You can find the Add & Edit Cookies extension at http://addneditcookies.mozdev.org/. At the time of writing, it's brand new to Firefox, and where View Cookies is discreetly minimal, Add & Edit Cookies does everything you could ever want. In particular, you can change cookies live while the browser is running, and you're not restricted to changing cookies relevant to the currently displayed web page. You can also filter cookies by site.
Once installed, choose Tools → Cookie Editor to start up this extension. The windows can be poorly sized when they first appear; to fix that, just drag the bottom-right corner with the mouse until they're big enough. They'll stay resized while the current profile exists.
Figure 5-9 shows the editing delights that Add & Edit Cookies provides.
Figure 5-9. The main window of the Add & Edit Cookies extension
5.10.3. Scripting Cookies
This last point bears brief description. In ECMAScript terms, the [[Get]] and [[Put]] operations on the cookie property are both unusual. If you assign anything to the property, the [[Put]] operation treats it as a single cookie and adds it to the cookie database. If you use the property's value in an expression, the [[Get]] operation provides a report (as a string) of all cookies relevant to the current page.
In short, just don't do it. Note that a secure web page or a secure extension has access to all the cookies in the browser. A hostile extension could share that information between conspiring web sites. This is a form of identity trading, although you are guaranteed anonymity at all web sites, provided that you never supply personal details.
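The asymmetric read and write behavior of the cookie property described above can be modeled outside the browser. The following is an added example, not code from this book or from Firefox: FakeDocument and pathMatches are hypothetical names, the default path is simplified to "/", and the domain and secure attributes are ignored.

```javascript
// Added example: a model of the browser's cookie property, runnable in Node.
// FakeDocument is a hypothetical stand-in, not a Firefox API.
class FakeDocument {
  constructor(path, now = () => Date.now()) {
    this.path = path;     // path of the page the script runs in
    this.now = now;       // injectable clock so expiry is testable
    this.jar = new Map(); // "name|path" -> { name, value, path, expires }
  }

  // Assignment: the string is parsed as ONE cookie and merged into the jar.
  set cookie(str) {
    const [pair, ...attrs] = str.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    if (eq < 1) return; // no cookie name: ignored
    const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                path: '/', expires: Infinity }; // assumption: default path "/"
    for (const attr of attrs) {
      const i = attr.indexOf('=');
      const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
      const val = i < 0 ? '' : attr.slice(i + 1);
      if (key === 'path' && val.startsWith('/')) c.path = val;
      if (key === 'expires') {
        const t = Date.parse(val);
        if (!Number.isNaN(t)) c.expires = t; // unparsable date: session cookie
      }
    }
    const id = `${c.name}|${c.path}`;
    // An expiry date in the past is how a script deletes a cookie.
    if (c.expires <= this.now()) this.jar.delete(id);
    else this.jar.set(id, c);
  }

  // Read: one string reporting every unexpired cookie whose path covers
  // the current page. Attributes (path, expires) are never reported back.
  get cookie() {
    const t = this.now();
    return [...this.jar.values()]
      .filter(c => c.expires > t && pathMatches(this.path, c.path))
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// A cookie path covers the page path only on a whole-segment prefix match.
function pathMatches(pagePath, cookiePath) {
  if (pagePath === cookiePath) return true;
  if (!pagePath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || pagePath[cookiePath.length] === '/';
}
```

Assigning twice does not overwrite the first cookie unless the name and path match, and a script reading the property never learns a cookie's path or expiry date.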