Electronic commerce and business on the Internet is facilitated in large part by the World-Wide-Web. The HyperText Transport Protocol (HTTP) carries all interactions between Web servers and browsers. Since HTTP is stateless, it does not support continuity for browser-server interaction between successive user visits. Without a concept of session in HTTP, users are strangers to a Web site every time they access a page in a Web server.
Cookies were invented to maintain continuity and state on the Web [KM97, KM98]. Cookies contain strings of text characters encoding relevant information about the user. Cookies are sent to the user's computer (hard disk or RAM) via the browser while the user is visiting a cookie-using Web site. The Web server gets those cookies back and retrieves the user's information from the cookies when the user later returns to the same Web site. The purpose of a cookie is to acquire information and use it in subsequent communications between the server and the browser without asking for the same information again. Often times a server will set a cookie to hold a pointer, such as an identification number, as a user-specific primary key of the information database maintained in the server.
Technically, it is not difficult to make a cookie carry any relevant information. For instance, a merchant Web server could use a cookie which contains the user's name and credit card number. This is convenient for users, since they do not have to read lengthy numbers from their cards and key these in for every transaction. However, it is not safe to store and transmit sensitive information in cookies because cookies are insecure.