Chapter 8. The Sandbox and Beyond: Cookies, Connectivity, and Piracy

JavaScript achieved its early popularity in part because of the assurances of the language’s safety. After all, JavaScript in browsers operates within a sandbox—a protective environment that stringently restricts access to the client’s machine. There are no mechanisms to open or create files; the language operates within a temporary environment, which is discarded as soon as the browser terminates or a web page is exited; if data is transmitted, the user is informed; and so on.

We learned over time that there is no way to completely protect client machines, not when there are determined hackers ready to exploit even the smallest openings in the browser or the language. The only way to prevent this type of access is to completely close off the client machine from browser access, which makes the browser less than useful. After all, some of the more popular features of browsers are bookmarks, plug-ins and extensions, and remembering URLs and form-field entries. All of these require putting something on the client’s machine; many require the use of cookies.

Cookies: hate them, love them. Cookies are bits of data stored on the client, based on key information provided by the server, that allow JavaScript developers to persist information either during a session (until the browser is closed) or between sessions (web accesses). The original concept was that only those requests to get or write cookies associated with ...
