A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for an origin website to send state information to a user's browser and for the browser to return the state information to the origin site. The state information can be used for authentication, identification of a user session, user's preferences, shopping cart contents, or anything else that can be accomplished through storing text data.

Cookies are not software. They cannot be programmed, cannot carry viruses, and cannot install malware on the host computer . However, they can be used by spyware to track user's browsing activities – a major privacy concern that prompted European and US law makers to take action. Cookies could also be stolen by hackers to gain access to a victim's web account.

History

The term "cookie" was derived from "magic cookie", which is the packet of data a program receives and sends again unchanged. Magic cookies were already used in computing when computer programmer Lou Montulli had the idea of using them in Web communications in June 1994. At the time, he was an employee of Netscape Communications, which was developing an e-commerce application for a customer. Cookies provided a solution to the problem of reliably implementing a virtual shopping cart.

Together with John Giannandrea, Montulli wrote the initial Netscape cookie specification the same year. Version 0.9beta of Mosaic Netscape, released on October 13, 1994, supported cookies. The first use of cookies (out of the labs) was checking whether visitors to the Netscape website had already visited the site. Montulli applied for a patent for the cookie technology in 1995, and was granted in 1998. Support for cookies was integrated in Internet Explorer in version 2, released in October 1995.

The introduction of cookies was not widely known to the public at the time. In particular, cookies were accepted by default, and users were not notified of the presence of cookies. The general public learned about them after the ''Financial Times'' published an article about them on February 12, 1996. In the same year, cookies received a lot of media attention, especially because of potential privacy implications. Cookies were discussed in two U.S. Federal Trade Commission hearings in 1996 and 1997.

The development of the formal cookie specifications was already ongoing. In particular, the first discussions about a formal specification started in April 1995 on the www-talk mailing list. A special working group within the IETF was formed. Two alternative proposals for introducing state in HTTP transactions had been proposed by Brian Behlendorf and David Kristol respectively, but the group, headed by Kristol himself, soon decided to use the Netscape specification as a starting point. On February 1996, the working group identified third-party cookies as a considerable privacy threat. The specification produced by the group was eventually published as RFC 2109 in February 1997. It specifies that third-party cookies were either not allowed at all, or at least not enabled by default.

At this time, advertising companies were already using third-party cookies. The recommendation about third-party cookies of RFC 2109 was not followed by Netscape and Internet Explorer. RFC 2109 was superseded by RFC 2965 in October 2000.

A definitive specification for cookies as used in the real world was a long time coming, but was finally published as RFC 6265 in April 2011.

Terminologies

Session cookie

A session cookie only lasts for the duration of users using the website. A web browser normally deletes session cookies when it quits. A session cookie is created when no Expires directive is provided when the cookie is created.

Persistent cookie

A persistent cookie will outlast user sessions. If a persistent cookie has its Max-Age set to 1 year, then, within the year, the initial value set in that cookie would be sent back to the server every time the user visited the server. This could be used to record a vital piece of information such as how the user initially came to this website. For this reason, persistent cookies are also called tracking cookies or in-memory cookies.

Secure cookie

A secure cookie is only used when a browser is visiting a server via HTTPS, ensuring that the cookie is always encrypted when transmitting from client to server. This makes the cookie less likely to be exposed to cookie theft via eavesdropping.

HttpOnly cookie

The HttpOnly session cookie is supported by most modern browsers. On a supported browser, an HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests, thus restricting access from other, non-HTTP APIs (such as JavaScript). This restriction mitigates but does not eliminate the threat of session cookie theft via Cross-site scripting.. It is important to realize this feature applies only to session-management cookies, and not other browser cookies.

Third-party cookie

First-party cookies are cookies set with the same domain (or its subdomain) in your browser's address bar. Third-party cookies are cookies being set with different domains than the one shown on the address bar.

For example: Suppose a user visits www.example1.com, which sets a cookie with the domain ad.foxytracking.com. When the user later visits www.example2.com, another cookie is set with the domain ad.foxytracking.com. Eventually, both of these cookies will be sent to the advertiser when loading their ads or visiting their website. The advertiser can then use these cookies to build up a browsing history of the user across all the websites this advertiser has footprints on.

Zombie cookie

A zombie cookie is any cookie that is automatically recreated after a user has deleted it. This is accomplished by a script storing the content of the cookie in some other locations, such as the local storage available to Flash content, HTML5 storages and other client side mechanisms, and then recreating the cookie from backup stores when the cookie's absence is detected.

Uses

Session management

Cookies may be used to maintain data related to the user during navigation, possibly across multiple visits. Cookies were introduced to provide a way to implement a "shopping cart" (or "shopping basket"), a virtual device into which users can store items they want to purchase as they navigate throughout the site.

Shopping basket applications today usually store the list of basket contents in a database on the server side, rather than storing basket items in the cookie itself. A web server typically sends a cookie containing a unique session identifier. The web browser will send back that session identifier with each subsequent request and shopping basket items are stored associated with a unique session identifier.

Allowing users to log in to a website is a frequent use of cookies. Typically the web server will first send a cookie containing a unique session identifier. Users then submit their credentials and the web application authenticates the session and allows the user access to services.

Personalization

Cookies may be used to remember the information about the user who has visited a website in order to show relevant content in the future. For example a web server may send a cookie containing the username last used to log in to a web site so that it may be filled in for future visits.

Many websites use cookies for personalization based on users' preferences. Users select their preferences by entering them in a web form and submitting the form to the server. The server encodes the preferences in a cookie and sends the cookie back to the browser. This way, every time the user accesses a page, the server is also sent the cookie where the preferences are stored, and can personalize the page according to the user preferences. For example, the Wikipedia website allows authenticated users to choose the webpage skin they like best; the Google search engine allows users (even non-registered ones) to decide how many search results per page they want to see.

Tracking

Tracking cookies may be used to track internet users' web browsing habits. This can also be done in part by using the IP address of the computer requesting the page or the referrer field of the HTTP request header, but cookies allow for greater precision. This can be demonstrated as follows:

# If the user requests a page of the site, but the request contains no cookie, the server presumes that this is the first page visited by the user; the server creates a random string and sends it as a cookie back to the browser together with the requested page; # From this point on, the cookie will be automatically sent by the browser to the server every time a new page from the site is requested; the server sends the page as usual, but also stores the URL of the requested page, the date/time of the request, and the cookie in a log file.

By looking at the log file, it is then possible to find out which pages the user has visited and in what sequence.

Implementation

Cookies are arbitrary pieces of data chosen by the Web server and sent to the browser. The browser returns them unchanged to the server, introducing a state (memory of previous events) into otherwise stateless HTTP transactions. Without cookies, each retrieval of a Web page or component of a Web page is an isolated event, mostly unrelated to all other views of the pages of the same site. Other than being set by a web server, cookies can also be set by a script in a language such as JavaScript, if supported and enabled by the Web browser.

Cookie specifications suggest that browsers should be able to save and send back a minimal number of cookies. In particular, an internet browser is expected to be able to store at least 300 cookies of four kilobytes each, and at least 20 cookies per server or domain.

Setting a cookie

Transfer of Web pages follows the HyperText Transfer Protocol (HTTP). Regardless of cookies, browsers request a page from web servers by sending them a usually short text called HTTP request. For example, to access the page http://www.example.org/index.html, browsers connect to the server www.example.org sending it a request that looks like the following one:

{| | | | |- | browser |

-------→ | server |}

The server replies by sending the requested page preceded by a similar packet of text, called 'HTTP response'. This packet may contain lines requesting the browser to store cookies:

{| | | | |- | browser |

←------- | server |}

The server sends lines of Set-Cookie only if the server wishes the browser to store cookies. Set-Cookie is a directive for the browser to store the cookie and send it back in future requests to the server (subject to expiration time or other cookie attributes), if the browser supports cookies and cookies are enabled. For example, the browser requests the page http://www.example.org/spec.html by sending the server www.example.org a request like the following:

{| | | | |- | browser |

-------→ | server |}

This is a request for another page from the same server, and differs from the first one above because it contains the string that the server has previously sent to the browser. This way, the server knows that this request is related to the previous one. The server answers by sending the requested page, possibly adding other cookies as well.

The value of a cookie can be modified by the server by sending a new Set-Cookie: name=newvalue line in response of a page request. The browser then replaces the old value with the new one.

The term "cookie crumb" is sometimes used to refer to the name-value pair. This is not the same as breadcrumb web navigation, which is the technique of showing in each page the list of pages the user has previously visited; this technique, however, may be implemented using cookies.

Cookies can also be set by JavaScript or similar scripts running within the browser. In JavaScript, the object document.cookie is used for this purpose. For example, the instruction document.cookie = "temperature=20" creates a cookie of name temperature and value 20.

Cookie attributes

Besides the name-value pair, servers can also set these cookie attributes: a cookie domain, a path, expiration time or maximum age, secure flag and httponly flag. Browsers will not send cookie attributes back to the server. They will only send the cookie’s name-value pair. Cookie attributes are used by browsers to determine when to delete a cookie, block a cookie or whether to send a cookie (name-value pair) to the servers.

Domain and Path

The cookie domain and path define the scope of the cookie—they tell the browser that cookies should only be sent back to the server for the given domain and path. If not specified, they default to the domain and path of the object that was requested. An example of Set-Cookie directives from a website after a user logged in:

{| | | |}

The first cookie LSID has default domain docs.foo.com and Path /accounts, which tells the browser to use the cookie only when requesting pages contained in docs.foo.com/accounts. The other 2 cookies HSID and SSID would be sent back by the browser while requesting any subdomain in .foo.com on any path, for example www.foo.com/.

Expires and Max-Age

The Expires directive tells the browser when to delete the cookie. It is specified in the form of “Wdy, DD-Mon-YYYY HH:MM:SS GMT”, indicating the exact date/time this cookie will expire. As an alternative to setting cookie expiration as an absolute date/time, RFC 2109 allows the use of the Max-Age attribute to set the cookie’s expiration as an interval of seconds in the future, relative to the time the browser received the cookie. An example of Set-Cookie directives from a website after a user logged in:

{| | | |}

The first cookie lu is set to expire sometime in 15-Jan-2013; it will be used by the client browser until that time. The second cookie made_write_conn does not have an expiration date, making it a session cookie. It will be deleted after the user closes his/her browser. The third cookie reg_fb_gate has its value changed to ''deleted'', with an expiration time in the past. The browser will delete this cookie right away – note that cookie will only be deleted when the domain and path attributes in the Set-Cookie field match the values used when the cookie was created.

Secure and HttpOnly

The Secure and HttpOnly attributes do not have associated values. Rather, the presence of the attribute names indicates that the Secure and HttpOnly behaviors are specified.

The Secure attribute is meant to keep cookie communication limited to encrypted transmission, directing browsers to use cookies only via secure/encrypted connections. Naturally, web servers should set Secure cookies via secure/encrypted connections, lest the cookie information be transmitted in a way that allows eavesdropping when first sent to the web browser.

The HttpOnly attribute directs browsers to use cookies via the HTTP protocol only. An HttpOnly cookie is not accessible via non-HTTP methods, such as calls via JavaScript (e.g., referencing "document.cookie"), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique). As shown in previous examples, both Facebook and Google use the HttpOnly attribute extensively.

Browser settings

Most modern browsers support cookies and allow the user to disable them. The following are common options: # To enable or disable cookies completely, so that they are always accepted or always blocked. # To allow the user to see the cookies that are active with respect to a given page by typing javascript:alert(document.cookie) in the browser URL field. Some browsers incorporate a cookie manager for the user to see and selectively delete the cookies currently stored in the browser. # By default, Internet Explorer allows only third-party cookies that are accompanied by a P3P "CP" (Compact Policy) field.

Most browsers also allow a full wipe of private data including cookies. Add-on tools for managing cookie permissions also exist.

Privacy and third-party cookies

Cookies have some important implications on the privacy and anonymity of Web users. While cookies are sent only to the server setting them or the server in the same Internet domain, a Web page may contain images or other components stored on servers in other domains. Cookies that are set during retrieval of these components are called ''third-party cookies''. The standards for cookies, RFC 2109 and RFC 2965, specify that browsers should protect user privacy and not allow third-party cookies by default. But most browsers, such as Mozilla Firefox, Internet Explorer, Opera and Google Chrome do allow third-party cookies by default, as long as the third-party website has Compact Privacy Policy published.

Advertising companies use third-party cookies to track a user across multiple sites. In particular, an advertising company can track a user across all pages where it has placed advertising images or web bugs. Knowledge of the pages visited by a user allows the advertising company to target advertisements to the user's presumed preferences.

Website operators who do not disclose third-party cookie use to consumers run the risk of harming consumer trust if cookie use is discovered. Having clear disclosure (such as in a privacy policy) tends to eliminate any negative effects of such cookie discovery.

The possibility of building a profile of users is considered by some a potential privacy threat, especially when tracking is done across multiple domains using third-party cookies. For this reason, some countries have legislation about cookies.

The United States government has set strict rules on setting cookies in 2000 after it was disclosed that the White House drug policy office used cookies to track computer users viewing its online anti-drug advertising. In 2002, privacy activist Daniel Brandt found that the CIA had been leaving persistent cookies on computers which had visited its web site. When notified it was violating policy, CIA stated that these cookies were not intentionally set and stopped setting them. On December 25, 2005, Brandt discovered that the National Security Agency had been leaving two persistent cookies on visitors' computers due to a software upgrade. After being informed, the National Security Agency immediately disabled the cookies.

The 2002 European Union telecommunication privacy Directive contains rules about the use of cookies. In particular, Article 5, Paragraph 3 of this directive mandates that storing data (like cookies) in a user's computer can only be done if: #the user is provided information about how this data is used; #the user is given the possibility of denying this storing operation. However, this article also states that storing data that is necessary for technical reasons is exempted from this rule. This directive was expected to have been applied since October 2003, but a December 2004 report says (page 38) that this provision was not applied in practice, and that some member countries (Slovakia, Latvia, Greece, Belgium, and Luxembourg) did not even implement the provision in national law. The same report suggests a thorough analysis of the situation in the Member States.

The P3P specification includes the possibility for a server to state a privacy policy, which specifies which kind of information it collects and for which purpose. These policies include (but are not limited to) the use of information gathered using cookies. According to the P3P specification, a browser can accept or reject cookies by comparing the privacy policy with the stored user preferences or ask the user, presenting them the privacy policy as declared by the server.

Many web browsers including Apple's Safari and Microsoft Internet Explorer versions 6 and 7 support P3P which allows the web browser to determine whether to allow third-party cookies to be stored. The Opera web browser allows users to refuse third-party cookies and to create global and specific security profiles for Internet domains. Firefox 2.x dropped this option from its menu system but it restored it with the release of version 3.x.

Third-party cookies can be blocked by most browsers to increase privacy and reduce tracking by advertising and tracking companies without negatively affecting the user's Web experience. Many advertising operators have an opt-out option to behavioural advertising, with a generic cookie in the browser stopping behavioural advertising.

Cookie theft and session hijacking

Most web sites use cookies as the only identifiers for user sessions, because other methods of identifying web users have limitations and vulnerabilities. If a web site uses cookies as session identifiers, attackers can impersonate users’ requests by stealing a full set of victims’ cookies. From the web server's point of view, a request from an attacker has the same authentication as the victim’s requests; thus the request is performed on behalf of the victim’s session.

Listed here are various scenarios of cookie theft and user session hijacking (even without stealing user cookies) which work with web sites which rely solely on HTTP cookies for user identification.

Network eavesdropping

Traffic on a network can be intercepted and read by computers on the network other than the sender and receiver (particularly over unencrypted open Wi-Fi). This traffic includes cookies sent on ordinary unencrypted HTTP sessions. Where network traffic is not encrypted, attackers can therefore read the communications of other users on the network, including HTTP cookies as well as the entire contents of the conversations.

An attacker could use intercepted cookies to impersonate a user and perform a malicious task, such as transferring money out of the victim’s bank account.

This issue can be resolved by securing the communication between the user's computer and the server by employing Transport Layer Security (HTTPS protocol) to encrypt the connection. A server can specify the ''Secure'' flag while setting a cookie, which will cause the browser to send the cookie only over an encrypted channel, such as an SSL connection.

Publishing false sub-domain – DNS cache poisoning

Via DNS cache poisoning, an attacker might be able to cause a DNS server to cache a fabricated DNS entry, say f12345.www.example.com with the attacker’s server IP address. The attacker can then post an image URL from his own server (for example, http://f12345.www.example.com/img_4_cookie.jpg). Victims reading the attacker’s message would download this image from f12345.www.example.com. Since f12345.www.example.com is a sub-domain of www.example.com, victims’ browsers would submit all example.com-related cookies to the attacker’s server; the compromised cookies would also include ''HttpOnly'' cookies.

This vulnerability is usually for Internet Service Providers to fix, by securing their DNS servers. But it can also be mitigated if www.example.com is using ''Secure'' cookies. Victims’ browsers will not submit ''Secure'' cookies if the attacker’s image is not using encrypted connections. If the attacker chose to use HTTPS for his img_4_cookie.jpg download, he would have the challenge of obtaining an SSL certificate for f12345.www.example.com from a Certificate Authority. Without a proper SSL certificate, victims’ browsers would display (usually very visible) warning messages about the invalid certificate, thus alerting victims as well as security officials from www.example.com.

Cross-site scripting – cookie theft

Scripting languages such as JavaScript and JScript are usually allowed to access cookie values and have some means to send arbitrary values to arbitrary servers on the Internet. These facts are used in combination with sites allowing users to post HTML content that other users can see.

As an example, an attacker may post a message on www.example.com with the following link:

Click here!

When another user clicks on this link, the browser executes the piece of code within the onclick attribute, thus replacing the string document.cookie with the list of cookies of the user that are active for the page. As a result, this list of cookies is sent to the attacker.com server. If the attacker’s posting is on https://www.example.com/somewhere, secure cookies will also be sent to attacker.com in plain text.

Cross-site scripting is a constant threat, as there are always some crackers trying to find a way of slipping in script tags to websites. It is the responsibility of the website developers to filter out such malicious code.

In the meantime, such attacks can be mitigated by using ''HttpOnly'' cookies. These cookies will not be accessible by client side script, and therefore the attacker will not be able to gather these cookies.

Cross-site scripting – just do it

If an attacker was able to insert a piece of script to a page on www.example.com, and a victim’s browser was able to execute the script, the script could simply carry out the attack. This attack would use victim’s browser to send HTTP requests to servers directly; therefore, the victim’s browser would submit all relevant cookies, including ''HttpOnly'' cookies, as well as ''Secure'' cookies if the script request is on HTTPS.

For example, on MySpace, Samy posted a short message “Samy is my hero” on his profile, with a hidden script to send Samy a “friend request” and then post the same message on the victim’s profile. A user reading Samy’s profile would send Samy a “friend request” and post the same message on this person’s profile. Then, the third person reading the second person’s profile would do the same. Pretty soon, this Samy worm became one of the fastest spreading viruses of all time.

This type of attack (with automated scripts) would not work if a website had CAPTCHA to challenge client requests.

Cross-site scripting – proxy request

In older version of browsers, there were security holes allowing attackers to script a proxy request by using XMLHttpRequest. For example, a victim is reading an attacker’s posting on www.example.com, and the attacker’s script is executed in the victim’s browser. The script generates a request to www.example.com with the proxy server attacker.com. Since the request is for www.example.com, all example.com cookies will be sent along with the request, but routed through the attacker’s proxy server, hence, the attacker can harvest victim’s cookies.

This attack would not work for ''Secure'' cookie, since ''Secure'' cookies go with HTTPS connections, and its protocol dictates end-to-end encryption, i.e., the information is encrypted on the user’s browser and decrypted on the destination server www.example.com, so the proxy servers would only see encrypted bits and bytes.

Cross-site Request Forgery

For example, Bob might be browsing a chat forum where another user, Mallory, has posted a message. Suppose that Mallory has crafted an HTML image element that references an action on Bob's bank's website (rather than an image file), e.g.,

If Bob's bank keeps his authentication information in a cookie, and if the cookie hasn't expired, then the attempt by Bob's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Bob's approval.

Drawbacks of cookies

Besides privacy concerns, cookies also have some technical drawbacks. In particular, they do not always accurately identify users, they can be used for security attacks, and they are often at odds with the Representational State Transfer (REST) software architectural style.

Inaccurate identification

If more than one browser is used on a computer, each usually has a separate storage area for cookies. Hence cookies do not identify a person, but a combination of a user account, a computer, and a Web browser. Thus, anyone who uses multiple accounts, computers, or browsers has multiple sets of cookies.

Likewise, cookies do not differentiate between multiple users who share the same user account, computer, and browser.

Inconsistent state on client and server

The use of cookies may generate an inconsistency between the state of the client and the state as stored in the cookie. If the user acquires a cookie and then clicks the "Back" button of the browser, the state on the browser is generally not the same as before that acquisition. As an example, if the shopping cart of an online shop is built using cookies, the content of the cart may not change when the user goes back in the browser's history: if the user presses a button to add an item in the shopping cart and then clicks on the "Back" button, the item remains in the shopping cart. This might not be the intention of the user, who possibly wanted to undo the addition of the item. This can lead to unreliability, confusion, and bugs. Web developers should therefore be aware of this issue and implement measures to handle such situations as this.

Alternatives to cookies

Some of the operations that can be done using cookies can also be done using other mechanisms.

IP address

Some users may be tracked based on the IP address of the computer requesting the page. The server knows the IP address of the computer running the browser or the proxy, if any is used, and could theoretically link a users session to this IP address. However, these addresses are not reliable in identifying a user because computers and proxies are very often shared by several users.

Some systems such as Tor are designed to retain Internet anonymity and make tracking by IP address impractical or impossible.

URL (query string)

A more precise technique is based on embedding information into URLs. The query string part of the URL is the one that is typically used for this purpose, but other parts can be used as well. The Java Servlet and PHP session mechanisms both use this method if cookies are not enabled.

This method consists of the Web server appending query strings to the links of a Web page it holds when sending it to a browser. When the user follows a link, the browser returns the attached query string to the server.

Query strings used in this way and cookies are very similar, both being arbitrary pieces of information chosen by the server and sent back by the browser. However, there are some differences: since a query string is part of a URL, if that URL is later reused, the same attached piece of information is sent to the server. For example, if the preferences of a user are encoded in the query string of a URL and the user sends this URL to another user by e-mail, those preferences will be used for that other user as well.

Moreover, even if the same user accesses the same page two times, there is no guarantee that the same query string is used in both views. For example, if the same user arrives to the same page but coming from a page internal to the site the first time and from an external search engine the second time, the relative query strings are typically different while the cookies would be the same. For more details, see query string.

Other drawbacks of query strings are related to security: storing data that identifies a session in a query string enables or simplifies session fixation attacks, referrer logging attacks and other security exploits. Transferring session identifiers as HTTP cookies is more secure.

Hidden form fields

Another form of session tracking is to use web forms with hidden fields. This technique is very similar to using URL query strings to hold the information and has many of the same advantages and drawbacks; and if the form is handled with the HTTP GET method, the fields actually become part of the URL the browser will send upon form submission. But most forms are handled with HTTP POST, which causes the form information, including the hidden fields, to be appended as extra input that is neither part of the URL, nor of a cookie.

This approach presents two advantages from the point of view of the tracker: first, having the tracking information placed in the HTML source and POST input rather than in the URL means it will not be noticed by the average user; second, the session information is not copied when the user copies the URL (to save the page on disk or send it via email, for example).

This method can be easily used with any framework that supports web forms.

window.name

All current web browsers can store a fairly large amount of data (2–32 MB) via JavaScript using the DOM property window.name. This data can be used instead of session cookies and is also cross-domain. The technique can be coupled with JSON/JavaScript objects to store complex sets of session variables on the client side.

The downside is that every separate window or tab will initially have an empty ''window.name''; in times of tabbed browsing this means that individually opened tabs ''(initiation by user)'' will not have a window name. Furthermore ''window.name'' can be used for tracking visitors across different web sites, making it of concern for Internet privacy.

In some respects this can be more secure than cookies due to not involving the server, so it is not vulnerable to ''network'' cookie sniffing attacks. However if special measures are not taken to protect the data, it is vulnerable to other attacks because the data is available across different web sites opened in the same window or tab.

HTTP authentication

The HTTP protocol includes the basic access authentication and the digest access authentication protocols, which allow access to a Web page only when the user has provided the correct username and password. If the server requires such credentials for granting access to a web page, the browser requests them from the user and, once obtained, the browser stores and sends them in every subsequent page request. This information can be used to track the user.

See also

Dynamic HTML

Evercookie

Local Shared Object – Flash Cookies

Session Beans

Session (computer science)

Session ID

Web server session management

Web Storage and DOM Storage

Web visitor tracking

Zombie cookie

References

External links

RFC 6265 – the official specification for HTTP cookies

Information About Cookies from Microsoft

Cookies at the Electronic Privacy Information Center (EPIC)

Taking the Byte Out of Cookies: Privacy, Consent, and the Web (PDF)

Web handbook – Cookies from Delivery And Transformation Group, Cabinet Office, UK

Cookie-Based Counting Overstates Size of Web Site Audiences at ComScore

Don’t Tread on Our Cookies – The Web Privacy Manifesto at PBS

Mozilla Knowledgebase: Cookies

Category:HTTP Cookie Category:Internet privacy Category:Wikipedia articles with ASCII art Category:Computer access control

af:Koekie (rekenaarwetenskap) als:Cookie ar:سجل المتصفح ba:Cookie bg:HTTP-бисквитка ca:Galeta (informàtica) cs:HTTP cookie da:Cookie de:HTTP-Cookie et:HTTP küpsis el:HTTP cookies es:Cookie eo:Kuketo eu:Cookie fa:کوکی اچ‌تی‌تی‌پی fr:Cookie (informatique) ko:HTTP 쿠키 id:Kuki HTTP is:Kaka (tölvunarfræði) it:Cookie he:עוגייה (אינטרנט) sw:Kuki lv:Sīkdatne li:Cookie hu:HTTP-süti mr:स्मृतीशेष nl:Cookie (internet) nds-nl:Koekien (internet) ja:HTTP cookie no:Informasjonskapsel pl:Ciasteczko pt:Cookie ro:Cookie ru:HTTP cookie simple:HTTP cookie fi:Eväste sv:Cookie th:เอชทีทีพีคุกกี้ tr:Çerez uk:Куки vi:Cookie yi:קוקי zh-yue:HTTP曲奇 zh:Cookie

Coordinates	37°46′45.48″N122°25′9.12″N
name	Dwight Howard
height ft	6 | height_in 11 | weight_lb 265
team	Orlando Magic
number	12
position	Center
birth date	December 08, 1985
birth place	Atlanta, Georgia
high school	Southwest Atlanta Christian Academy
nationality	American
draft round	1
draft pick	1
draft year	2004
draft team	Orlando Magic
career start	2004
years1	–present | team1 Orlando Magic
highlights	3× NBA Defensive Player of the Year (–) 5× NBA All-Star (2007–2011) 4× All-NBA First Team (–) All-NBA Third Team () 3× NBA All-Defensive First Team (–) NBA All-Defensive Second Team () NBA Slam Dunk Champion (2008) NBA All-Rookie First Team (2005) Naismith Prep Player of the Year (2004) }}

Dwight David Howard (born December 8, 1985) is an American basketball player for the Orlando Magic of the National Basketball Association (NBA). Howard, who usually plays center but can also play power forward, had an outstanding high school career at Southwest Atlanta Christian Academy. He chose to forgo college and entered the 2004 NBA Draft, and was selected first overall by the Magic. A five-time All-Star, five-time All-NBA team selection, four-time All-Defensive member, and three-time Defensive Player of the Year, Howard has been ranked consistently as one of the best in the league in rebounds, blocks, field goal percentage and free throw attempts, and has set numerous franchise and league records. He has led the Magic to three division titles and one conference title, and he was the winner of the 2008 NBA Slam Dunk Contest. In the 2008 Olympics, he was the starting center for Team USA, which went on to win the gold medal.

Before he was drafted in 2004, Howard said that he wanted to use his NBA career and Christian faith to "raise the name of God within the league and throughout the world". In November 2009, he was named one of the 10 finalists for the Jefferson Awards for Public Service, which awards athletes for their charitable work.

Early life

Howard was born in Atlanta, Georgia to Dwight Sr. and Sheryl Howard and into a family with strong athletic connections. His father is a Georgia State Trooper and serves as Athletic Director of Southwest Atlanta Christian Academy, a private academy with one of the best high school basketball programs in the country, while his mother played on the inaugural women's basketball team at Morris Brown College. A devout Christian since his youth, Howard became serious about basketball around the age of nine; when in the eighth grade, he resolved to be selected as the number one pick in the NBA Draft one day. Despite his large frame, Howard was quick and versatile enough to play the guard position. He elected to attend Southwest Atlanta Christian Academy for high school, and in his four years he played mostly as power forward, averaging 16.6 points per game (ppg), 13.4 rebounds per game (rpg) and 6.3 blocks per game in 129 appearances. As a senior, Howard led his team to the 2004 state title. He averaged 25 points, 18 rebounds, 8.1 blocks and 3.5 assists per game. That same year, Howard was widely recognized as the best American high school basketball player, and he was awarded the Naismith Prep Player of the Year Award, the Morgan Wootten High School Player of the Year Award, Gatorade National Player of the Year and the McDonald's National High School Player of the Year honor. He was also co-MVP (with J. R. Smith) of the McDonald's High School All-American Game that year.

NBA career

Early years

Following his high school successes, Howard chose to forego college and declared for the 2004 NBA Draft—a decision partly inspired by his idol Kevin Garnett who had done the same in 1995—where the Orlando Magic selected him first overall over UConn junior Emeka Okafor. He took the number 12 for his jersey, in part because it was the reverse of Garnett's 21 when he played for Minnesota. Howard joined a depleted Magic squad that had finished with only 21 victories the previous season; further, the club had just lost perennial NBA All-Star Tracy McGrady. Howard, however, made an immediate impact. He finished his rookie season with an average of 12.0 ppg and 10.0 rpg, setting several NBA records in the process. He became the youngest player in NBA history to average a double double in the regular season. He also became the youngest player in NBA history to average at least 10.0 rebounds in a season and youngest NBA player ever to record at least 20 rebounds in a game. Howard's importance to the Magic was highlighted when he became the first player in NBA history directly out of high school to start all 82 games during his rookie season. For his efforts, he was selected to play in the 2005 NBA Rookie Challenge, and was unanimously selected to the All-Rookie Team. He also finished third to fellow center Okafor of the Charlotte Bobcats and guard Ben Gordon of the Chicago Bulls for the Rookie of the Year award.

Howard reported to camp for his second NBA campaign having added 20 pounds of muscle during the off-season. Orlando coach Brian Hill—responsible for grooming former Magic superstar Shaquille O'Neal—decided that Howard should be converted into a full-fledged center. Hill identified two areas where Howard needed to improve: his post-up game, and his defense. He exerted extra pressure on Howard, saying that the Magic would need him to emerge as a force in the middle before the team had a chance at the playoffs. Even though the big man played tentatively at times, he was able to build on his strong rookie year with an impressive sophomore season. On November 15, 2005, in a home game against the Charlotte Bobcats, Howard scored 21 points and 20 rebounds, becoming the youngest player ever to score 20 or more points and gather 20 or more rebounds in the same game. He was selected to play on the Sophomore Team in the 2006 Rookie Challenge during the All-Star break, and on April 15, 2006, he recorded a career-high 26 rebounds against the Philadelphia 76ers; his 28 points in that game also brought him close to an NBA rarity, a 30–30 game. Overall, he averaged 15.8 points and 12.5 rebounds per game, ranking second in the NBA in rebounds per game, offensive rebounds, and double doubles; and sixth in field goal percentage. Despite Howard's improvement, the Magic finished the season with a 36–46 win-loss record and failed to qualify for the playoffs for the second consecutive season since Howard's arrival.

Howard took another step forward as the franchise player for Orlando in the 2006–07 season, and for the third consecutive season he played in all 82 regular season games. On February 1, 2007, he received his first NBA All-Star selection as a reserve on the Eastern Conference squad for the 2007 NBA All-Star Game. Howard finished the game with 20 points and 12 rebounds. Less than a week later, he recorded a career-high 32 points against the Toronto Raptors. A highlight was his game-winning alley-oop off an inbound at the buzzer against the San Antonio Spurs at Amway Arena on February 9. As the push for playoff spots intensified, Howard was instrumental, recording another career-high 35 points against the Philadelphia 76ers on April 14, 2007. Under his leadership, the Magic qualified for the 2007 NBA Playoffs for the first time since 2003 as the number eight seed in the Eastern Conference. However, the Magic were swept by the eventual Eastern Conference finalist Detroit Pistons in the first round. Howard averaged 17.6 points and 12.3 rebounds per game, and finished first in the NBA in total rebounds, second in field goal percentage, and ninth in blocks. He was further recognized as one of the best players in the league when he was named to the All-NBA Third Team at the end of the 2006–07 campaign.

Leader of consecutive division champions

Howard continued posting impressive numbers in the 2007–08 season; with free agent Rashard Lewis added to the ranks alongisde Hedo Türkoğlu to provide an extra offensive spark, this was the Magic's best season yet. Howard's strong and consistent play ensured that he was named as a starter for the Eastern Conference All-Star team, and by the time the mid-season break arrived, he was leading the league in double doubles (he concluded the season with a league-high 69) and had recorded 20 points and 20 rebounds in a game on five occasions (eight by the season's end). On February 16, 2008, he won the 2008 NBA slam dunk contest by receiving 78% of the fan's votes via text messaging or online voting; in that contest, he performed a series of innovative dunks said to have rejuvenated the contest, including donning a Superman cape for one of the dunks. Howard led the Magic to their first division title in 12 years and to the third seed for the 2008 NBA Playoffs, and in the first-round match-up against the Toronto Raptors, Howard's dominance (three 20 point/20 rebound games) and point guard Jameer Nelson's strong play ensured that Orlando prevailed over five games. Howard's series total of 91 rebounds was also greater than the total rebounds collected by the entire Toronto frontcourt. In the next round against the Pistons, the Magic lost the first two road games before Howard's 20 point/12 rebound performance in Game 3 salvaged a home win. In that same week, the center was named to the All-NBA First Team for the first time, and subsequently, the NBA All-Defensive Second Team. Detroit played without their star point guard Chauncey Billups for Games 4 and 5, but Orlando was unable to capitalize on that and lost the series 4–1 to the veteran playoffs team.

The 2008–09 campaign began well for Howard. Ten games into the season, the center was leading the league in blocks per game (4.2) and even recorded his first triple-double: 30 points, 19 rebounds and 10 blocks. At the halfway point of the season, Howard was leading the league in rebounds and blocks, and was among the league leaders in field goal percentage. He garnered a record 3.1 million votes to earn the starting berth on the Eastern Conference team for the 2009 NBA All-Star game. On March 25, 2009, Howard led Orlando to its second straight Southeast Division title with 11 games of the regular season left to play, and eventually the third seed for the 2009 NBA Playoffs with a 59–23 record. On April 21, 2009, he became the youngest player ever to win the NBA Defensive Player of the Year Award, achieving a goal he had set for himself before the start of the season. The Magic went into the playoffs without its injured starting point guard Jameer Nelson, and in the first round against the 76ers, Howard recorded 24 points and 24 rebounds in Game 5 to give Orlando a 3–2 lead, before the Magic closed out the series in six games. On May 6, 2009, the center was named to the NBA All-Defensive First Team, and a week later, to the All-NBA First Team. In the second round of the playoffs against the defending champions Boston, the Magic blew a lead in Game 5 and Howard publicly questioned coach Stan Van Gundy's tactics and said that he should be given the ball more; in Game 6, the center posted 23 points and 22 rebounds to force the series into seven games. The Magic went on to defeat Boston, and then defeated Cleveland—which was led by league MVP LeBron James—4–2 in the Eastern Conference Finals. Howard had a playoffs career-high 40 points to go with his 14 rebounds in the deciding Game 6, leading Orlando to its first NBA Finals in 14 years. The Los Angeles Lakers took the first two home games to establish a 2–0 lead in the Finals, before a home win by the Magic brought the score to 2–1. In Game 4, despite Howard putting up 21 rebounds and a Finals-record of 9 blocks in a game, the Magic lost in overtime. The Lakers went on to win Game 5, and the NBA Finals.

The Magic went into the 2009–10 season with one major roster change: Türkoğlu departed for the Toronto Raptors, while eight-time NBA All-Star Vince Carter arrived from the New Jersey Nets. As with the previous two seasons, the Magic got off to a strong start, winning 17 of their first 21 games, setting a franchise record in the process. He also picked up two Conference Player of the Week awards. On January 21, 2010, Howard was named as the starting center for the East in the 2010 NBA All-Star Game. Not long after the Magic completed the regular season with 59 wins and their third consecutive division title, Howard won the Defensive Player of the Year Award for the second straight year. He became the first player in NBA history to lead the league in blocks and rebounds in the same season twice—and for two years in a row. During the playoffs, the Magic defeated both Charlotte and Atlanta 4 games to none, in the first and second rounds respectively. In reaching the Conference Finals again, the Magic faced Boston—who had upset Cleveland in the Semifinals—Orlando lost the first three games, took the next two, but finally succumbed in Game 6.

Several teams in the Eastern Conference underwent significant roster changes to present a bigger challenge to Howard's Magic in the 2010–11 season: LeBron James and Chris Bosh teamed up with Dwyane Wade in Miami; Carlos Boozer was added to the Chicago Bulls; the aging Boston Celtics acquired Shaquille O'Neal and Jermaine O'Neal; and Amar'e Stoudemire and Carmelo Anthony joined New York. On Orlando's end, Türkoğlu returned, Carter and Jason Richardson of the Phoenix Suns swapped teams, as did Lewis and Gilbert Arenas of the Washington Wizards. The Magic won 52 games in the regular season, and were seeded 4th in the Eastern Conference. Despite Howard posting career-highs in points and shooting percentages, the Magic lost to their first-round opponents in the playoffs, the Atlanta Hawks.

NBA honors, awards and achievements

Howard has amassed several NBA and franchise records and awards during his NBA career. He has led the league in rebounds per game three times, blocks per game twice, and double-doubles twice. He is also the youngest player in NBA history to reach one, two, three, four, five, six and seven thousand career rebounds, and the youngest player in NBA history to lead the league in rebounding and blocks. Following Howard's season, he became the first ever NBA player to lead the league in total rebounds for five consecutive seasons. He surpassed Wilt Chamberlain's record of four from —, and again from —. He became the first player to lead the league in rebounding and blocks in consecutive seasons, and was also the first player to ever lead the league in rebounding, blocks, and field goal percentage in the same season. On April 18, 2011, Howard won the NBA’s Defensive Player of the Year Award, becoming the first player in league history to have won the award in three consecutive seasons.

:''Correct through regular season''

Regular season

Led the league

|- | align="left" | | align="left" | Orlando | 82 || 82 || 32.6 || .520 || .000 || .671 || 10.0 || .9 || .9 || 1.7 || 12.0 |- | align="left" | | align="left" | Orlando | 82 || 81 || 36.8 || .531 || .000 || .595 || 12.5 || 1.5 || .8 || 1.4 || 15.8 |- | align="left" | | align="left" | Orlando |82 || 82 || 36.9 || .603 || .500 || .586 || 12.3 || 1.9 || .9 || 1.9 || 17.6 |- | align="left" | | align="left" | Orlando | 82 || 82 || 37.7 || .599 || .000 || .590 ||bgcolor="CFECEC"| 14.2 || 1.3 || .9 || 2.2 || 20.7 |- | align="left" | | align="left" | Orlando | 79 || 79 || 35.7 || .572 || .000 || .594 ||bgcolor="CFECEC"| 13.8|| 1.4 || 1.0 ||bgcolor="CFECEC"| 2.9|| 20.6 |- | align="left" | | align="left" | Orlando | 82 || 82 || 34.7 || bgcolor="CFECEC"|.612|| .000 || .592 ||bgcolor="CFECEC"| 13.2 || 1.8 || .9 ||bgcolor="CFECEC"| 2.8 || 18.3 |- | align="left" | | align="left" | Orlando | 78 || 78 || 37.5 || .593 || .000 || .596 || 14.1 || 1.4 || 1.4 || 2.4 || 22.9 |-class="sortbottom" | align="left" colspan=2| Career | 567 || 566 || 36.0 || .578 || .038 || .598 || 12.9 || 1.5 || 1.0 || 2.2 || 18.2 |-class="sortbottom" | align="left" colspan=2| All-Star | 5 || 4 || 25.4 || .674 || .167 || .444 || 8.4 || 1.2 || 1.0 || 1.6 || 14.2

Playoffs

|- | align="left" | 2007 | align="left" | Orlando | 4 || 4 || 41.8 || .548 || .000 || .455 || 14.8 || 1.8 || .5 || 1.0 || 15.3 |- | align="left" | 2008 | align="left" | Orlando | 10 || 10 || 42.1 || .581 || .000 || .542 ||bgcolor="CFECEC"| 15.8|| .9 || .8 ||bgcolor="CFECEC"| 3.4 || 18.9 |- | align="left" | 2009 | align="left" | Orlando | 23 || 23 || 39.3 ||bgcolor="CFECEC"| .601|| .000 || .636 ||bgcolor="CFECEC"| 15.3 || 1.9 || .9 || 2.6 || 20.3 |- | align="left" | 2010 | align="left" | Orlando | 14 || 14 || 35.5 || .614 || .000 || .519 || 11.1 || 1.4 || .8 ||bgcolor="CFECEC"| 3.5|| 18.1 |- | align="left" | 2011 | align="left" | Orlando | 6 || 6 || 42.8 ||bgcolor="CFECEC"| .630|| .000 ||.682 ||bgcolor="CFECEC"| 15.5 || 0.5 || .7 || 1.8 || 27.0 |-class="sortbottom" | align="left" colspan=2| Career | 57 || 57 || 39.4 || .600 || .000 || .588 || 14.4 || 1.4 || .8 || 2.8 || 19.9

United States national team

}} Howard was named on 5 March 2006 to the 2006–2008 USA Basketball Men's Senior National Team program. As the team's regular starting center, he helped lead the team to a 5–0 record during its pre-World Championship tour, and subsequently helped the team win the bronze medal at the 2006 FIBA World Championship. During the FIBA Americas Championship 2007, Howard was on the team which won its first nine games en route to qualifying for the finals and a spot for the 2008 Olympics. He started in eight of those nine games, averaging 8.9 ppg, 5.3 rpg and led the team in shooting .778 from the field. In the finals, he made all seven of his shots and scored 20 points as the USA defeated Argentina to win the gold medal.

On June 23, 2008, Howard was named as one of the members of the 12-man squad representing the United States in the 2008 Olympic Games in Beijing. With Howard starting as center, Team USA won all of its games en route to the gold medal, breaking their drought of gold medals dating back to the 2000 Olympics. Howard averaged 10.9 points and 5.8 rebounds per game in the tournament.

Player profile

Howard is considered the "franchise player" of the Magic. He is the NBA's leading rebounder (also leading the league in 2007–08 and 2008–09); to illustrate, in a game against the Golden State Warriors on January 10, 2007, his 25 rebounds for the Magic outnumbered the total number of boards grabbed by the starting five of the Warriors. Howard's rebounding is in part facilitated by his extraordinary athleticism; his vertical leap is estimated at almost 40 inches, rare for a player of his size (6'11", 265 pounds). He demonstrated this skill memorably in the 2007 Slam Dunk Contest during the NBA All-Star Weekend, during which he completed an alley oop dunk from teammate Jameer Nelson and slapped a sticker onto the backboard which reached . The sticker showed an image of his own smiling face with a handwritten "All things through Christ Phil: 4:13," a paraphrase of Philippians 4:13. As of April 2011, Howard's career average of 12.9 rebounds per game (in the regular season) ranks 13th in NBA history. The center has also remained largely injury-free in his NBA career, playing in 351 consecutive games before missing his first game.

Howard's abilities and powerful physique have drawn attention from fellow NBA All-Stars. Tim Duncan once remarked in 2007: "[Howard] is so developed... He has so much promise and I am glad that I will be out of the league when he is peaking." Kevin Garnett echoed those sentiments: "[Howard] is a freak of nature, man... I was nowhere near that physically talented. I wasn't that gifted, as far as body and physical presence." Subsequent to a game in the 2009 NBA Playoffs, Philadelphia 76ers swingman Andre Iguodala said: "It's like he can guard two guys at once. He can guard his guy and the guy coming off the pick-and-roll, which is almost impossible to do... If he gets any more athletic or jumps any higher, they're going to have to change the rules." As early as December 2007, ESPN writer David Thorpe declared Howard to be the most dominant center in the NBA.

While many sports pundits have been rating Howard as one of the top young prospects in the NBA since 2006, Howard has some weaknesses in his game. Offensively, his shooting range remains limited; he is also mistake-prone, having led the NBA in total number of turnovers in the 2006–07 season. Like many centers, he has a low free throw conversion percentage. As a result, he is often a target of the Hack-a-Shaq defense and is annually among the league leaders in free throw attempts. During the 2007–08 regular season, Howard led the NBA with 897 free throw attempts while shooting only 59% from the free throw line. Also in that season, outside of layups and dunks, his shooting percentage was only 31.6%. In the 2008–09 season, he led the NBA again with 849 free throw attempts and in 2009–10, he was second in the NBA with 816.

Personal life

Before he was drafted in 2004, Howard said that he wanted to use his NBA career and Christian faith to "raise the name of God within the league and throughout the world". He has stated he believes in reaching out to his community and fans and thus contributes substantially in the field of philanthropy. An avid listener of Gospel music, he attends the Fellowship of Faith Church when he is back home in Atlanta and is involved and active with the youth programs at the church. Together with his parents, Howard also established the Dwight D. Howard Foundation Inc. in 2004. The Foundation provides scholarships for students who want to attend his alma mater, Southwest Atlanta Christian Academy, and grants to Lovell Elementary School and Memorial Middle School in Orlando, Florida. The Foundation also organizes summer basketball camps for boys and girls, and together with high school and college coaches and players, fellow NBA players are invited to be on hand at the camp. For his contributions in the Central Florida community, Howard received in 2005 the Rich and Helen De Vos Community Enrichment Award. Within the NBA itself, Howard has participated in several NBA "Read to Achieve" assemblies encouraging children to make reading a priority. In November 2009, the center was named one of the 10 finalists for the Jefferson Awards for Public Service, which awards athletes for their charitable work.

Elsewhere, Howard appeared as a special guest on an episode of the ABC series ''Extreme Makeover: Home Edition'' that aired 2 April 2006, in which Ty Pennington and his team built a new home and ministry offices for Sadie Holmes, who operates a social services ministry in the Orlando area.

Howard and Royce Reed, a former dancer for the team, have a son, Braylon.

See also

List of career achievements by Dwight Howard

List of National Basketball Association career blocks leaders

List of National Basketball Association season rebounding leaders

List of National Basketball Association season blocks leaders

List of National Basketball Association players with most blocks in a game

Notes

External links

Dwight Howard Official Site

Category:1985 births Category:Living people Category:African American basketball players Category:American basketball players Category:American Christians Category:Basketball players at the 2008 Summer Olympics Category:Centers (basketball) Category:Gatorade National Basketball Player of the Year Category:Male basketball centers Category:McDonald's High School All-Americans Category:National Basketball Association high school draftees Category:NBA Slam Dunk Contest champions Category:Olympic basketball players of the United States Category:Olympic gold medalists for the United States Category:Orlando Magic draft picks Category:Orlando Magic players Category:Parade High School All-Americans (boys' basketball) Category:People from Atlanta, Georgia Category:United States men's national basketball team members Category:NBA Defensive Player of the Year Award winners Category:Olympic medalists in basketball

ca:Dwight Howard cs:Dwight Howard da:Dwight Howard de:Dwight Howard el:Ντουάιτ Χάουαρντ es:Dwight Howard eu:Dwight Howard fa:دوایت هاورد fr:Dwight Howard gl:Dwight Howard ko:드와이트 하워드 hr:Dwight Howard id:Dwight Howard is:Dwight Howard it:Dwight Howard he:דווייט הווארד lv:Dvaits Hovards lt:Dwight Howard nl:Dwight Howard ja:ドワイト・ハワード no:Dwight Howard pl:Dwight Howard pt:Dwight Howard ru:Ховард, Дуайт simple:Dwight Howard sr:Двајт Хауард fi:Dwight Howard sv:Dwight Howard ta:டுவைட் ஹவர்ட் tr:Dwight Howard uk:Двайт Говард zh:迪韋特·侯活