Using Cookies to Authorize Access

Although cookies have become a major Internet cause célèbre, there really isn’t much difference between name/password-based and cookie-based authorization. In both cases the browser transmits credentials to the server in an HTTP request header: either Authorization or Cookie (a CGI script sees them as the environment variables HTTP_AUTHORIZATION and HTTP_COOKIE). In both cases security is weak when credentials travel over an unencrypted connection and much stronger when the connection is encrypted with SSL. In both cases authentication can persist so that users need not repeatedly assert their identities. The chief advantage of the cookie method is also its worst public-relations problem: cookies can persist across browser sessions. (With basic authentication, the browser caches credentials only until it exits; a cookie that carries an expiration date outlives the browser.) A cookie enables a server to recognize a user and authorize access automatically, without any input from the user. To do that, the cookie data has to live on your hard disk. We’ll review what that data is, how it gets onto your hard disk, and how it can be used. But first let’s frame this volatile issue with a few observations:
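
The point that both mechanisms are just a credential carried in a request header, and that only the cookie variant can be made to outlive the browser session, as an added Python example that is not from the book: it decodes a Basic Authorization value, verifies a Cookie value, and emits the Set-Cookie header with or without an expiration. The signing secret, the user table, and the cookie name `auth` are assumptions for illustration; the HMAC signature is one way to keep a cookie stored on disk from being edited by its owner and is not something the text prescribes.

```python
import base64
import binascii
import hashlib
import hmac
from http.cookies import CookieError, SimpleCookie

# Constructed example data: a server-side signing secret and a tiny user table.
# A real deployment keeps the secret out of source and stores password hashes.
SECRET = b"example-signing-secret-replace-me"
USERS = {"alice": "s3cret", "bob": "hunter2"}


def parse_basic_authorization(header):
    """Decode an HTTP Basic 'Authorization' header value into (user, password).

    Returns None if the header is absent, uses another scheme, or is malformed.
    A CGI script receives this value as the HTTP_AUTHORIZATION variable.
    """
    if not header:
        return None
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def sign_user(user):
    """Return 'user.hexmac', a cookie value the server can later verify.

    The HMAC keeps a client from editing the user name stored on its disk.
    """
    mac = hmac.new(SECRET, user.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def user_from_cookie(header, name="auth"):
    """Return the user named by a validly signed cookie in an HTTP 'Cookie'
    header value (HTTP_COOKIE in CGI), or None if absent or tampered with."""
    jar = SimpleCookie()
    try:
        jar.load(header or "")
    except CookieError:
        return None
    if name not in jar:
        return None
    user, sep, mac = jar[name].value.rpartition(".")
    if not sep or not user:
        return None
    expected = hmac.new(SECRET, user.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return user


def set_cookie_header(user, persistent, max_age=30 * 24 * 3600):
    """Build the Set-Cookie header value that makes the browser return the
    credential on later requests.

    Without Expires/Max-Age the cookie lives only until the browser exits, much
    like cached Basic credentials; with them it is written to disk and survives
    across browser sessions.
    """
    jar = SimpleCookie()
    jar["auth"] = sign_user(user)
    morsel = jar["auth"]
    morsel["path"] = "/"
    morsel["secure"] = True     # send only over an encrypted (SSL/TLS) connection
    morsel["httponly"] = True   # keep the credential away from page scripts
    if persistent:
        morsel["max-age"] = max_age
        morsel["expires"] = max_age  # SimpleCookie renders an int as an HTTP date
    return jar.output(header="").strip()


def identify(environ):
    """Identify the requester from a CGI-style environment dict.

    Either header is just a credential in transit: a valid signed cookie is
    accepted first, then a Basic name/password pair checked against USERS.
    Returns the user name, or None if neither credential is acceptable.
    """
    user = user_from_cookie(environ.get("HTTP_COOKIE"))
    if user:
        return user
    creds = parse_basic_authorization(environ.get("HTTP_AUTHORIZATION"))
    if creds:
        user, password = creds
        expected = USERS.get(user)
        if expected is not None and hmac.compare_digest(
            password.encode("utf-8"), expected.encode("utf-8")
        ):
            return user
    return None


if __name__ == "__main__":
    print(identify({"HTTP_AUTHORIZATION": "Basic YWxpY2U6czNjcmV0"}))
    print(set_cookie_header("alice", persistent=True))
```

Run it and compare the two Set-Cookie lines: the session form carries no Expires or Max-Age, so it disappears with the browser just as cached Basic credentials do, while the persistent form is what ends up on the user's disk.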

Any form of authentication does away with anonymity.

Large areas of the Internet are open to anonymous use and will likely remain so. Groupware, though, is about relationships, and relationships are based on identity. If you choose to participate in a groupware application—on a public Internet site that serves 300,000 magazine subscribers or on an intranet server that hosts a team of a dozen collaborators—you ...
