cancel
Showing results for 
Search instead for 
Did you mean: 

IP address in a cookie? Is that bad??

N/A

IP address in a cookie? Is that bad??

I just received a (genuine) message from PayPal, the online payment service used by sundry websites. The message was an HTML formatted message that I was reading via Microsoft Outlook.

From last week, I've had Internet Explorer set to prompt me for permission to store cookies, so that I could monitor what was going on with my PC.

Opening the message from Paypal requested permission to store a cookie; not only that, the cookie was a third party cookie (not from Paypal) *and* contained my correct IP address.

Firstly, I didn't realise that an HTML message can place a cookie just by reading the message and secondly, I think I should be very wary that my IP address is stored in the cookie, especially as it is a third party cookie that could then be transmitted to somewhere other than the originating site.

Is my understanding correct and should I be a) wary b) indifferent or c) angry enough to complain to Paypal?

Cheers

Jeremy
8 REPLIES
N/A

IP address in a cookie? Is that bad??

Any HTML page can place a cookie on your system. In e-mails, this is done by placing a Iframe or img tag pointing to an outside server.

These remote servers send the cookies to your browser, and not the e-mail itself.

Having your IP in the cookie does sound bad yes, however, compaining to PayPal will do little good. The third-party will likely be a advertising broker.

Have you got any more detail on the source of the said cookie?
Community Veteran
Posts: 14,469
Registered: 30-07-2007

IP address in a cookie? Is that bad??

First, configure IE cookie handling (tools->internet options->privacy tab -> advanced button) to override automatic cookie handling. Then only accept first party cookies and block third party cookies. Then tick allow session cookies.

This will stop many advertising cookies from being stored on your PC.

Next get a spyware/malware scanner like spybot search and destroy or Adaware and scan your system for cookies (you will have hundreds!). You can configure spybot to keep certain cookies (do this before scanning) and Adaware you can select which cookies to delete or keep after scanning.

Some cookies are good where you have asked to remember login detials or other info from a site (like a message board) but the majority are not required for normal browser operation and can be deleted.

Cookies are everywhere now and contain loads of personal info like IP addresses and what sites you have visited but they can be managed to cause limited impact on your system and protect your privacy.

Finally, watch out for pop-up windows. These are new browser windows that get created by advertising sites. Because the pop-up window exists the cookie it will store on your PC (and it will store a cookie) is classed as a 1st party cookie so you need to bloock the pop-ups to stop additional cookies being saved. For IE use Adshield but there are loads of other pop-up stoppers around to try. I use the Mozilla browser which has an inbuilt pop-up stopper.

Cheers

Peter Cool
N/A

IP address in a cookie? Is that bad??

Quote
Any HTML page can place a cookie on your system. In e-mails, this is done by placing a Iframe or img tag pointing to an outside server.


Umm, understood that. I just didn't think about it in relation to e-mails. Turning off HTML message receipt seems like a good plan!

Quote
Having your IP in the cookie does sound bad yes, however, compaining to PayPal will do little good. The third-party will likely be a advertising broker.

Have you got any more detail on the source of the said cookie?


All I can figure out is that the cookie is named 'Apache' [ seems pretty generic to me ] and is hiding behind http://www.paypal.com/images/bg_clk.gif, a pointer to a coloured block used as a heading separator.
N/A

IP address in a cookie? Is that bad??

That is pretty naughty. However, as it is part of the header, it would seem they are using it for tracking in site activity, to see how people move around the site. It may just be they use the same header in the e-mails.

Provided it is rejected (I would reject all third-party cookies full-stop)m you should be fine.

As for disabling HTML receipts. This will not effect what how these cookies work.

Paypal do this by contructing a HTML page, including full URLs to the images. Rather than send the images out (saves on e-mail bandwidth) with the message.

When you e-mail software views it, it downloads those images as if you where viewing it in a browser, however, the HTML part is just stored localy, rather than downloaded from a webserver.

The HTML receipts refer to a special tag that can go your e-mail. This asks the remote mail client (IE yours) to send a reply confirming it has been read. I have these set to prompt, as we use this in work for our remote workers (don't always catch them via IM clients).
csogilvie
Grafter
Posts: 5,852
Registered: 04-04-2007

IP address in a cookie? Is that bad??

These receipts are also unreliable as a method for telling if the message is read. I generally refuse to send them unless there is a good reason for it. I would also be wary of allowing remote image loading in emails as I understand it can be used by spammers to track which emails are read, and hence are active.
N/A

IP address in a cookie? Is that bad??

Quote
That is pretty naughty. However, as it is part of the header, it would seem they are using it for tracking in site activity, to see how people move around the site. It may just be they use the same header in the e-mails.


I guess I didn't explain myself right - the image isn't in the mail header, it is in fact a header line/block of colour in the mail body.

Quote
Provided it is rejected (I would reject all third-party cookies full-stop)m you should be fine.


Doing that from now on.

Quote
As for disabling HTML receipts. This will not effect what how these cookies work.

Paypal do this by contructing a HTML page, including full URLs to the images. Rather than send the images out (saves on e-mail bandwidth) with the message.


So if I didn't accept or look at HTML mail, there's no way of 'activating' that cookie, is that what you're saying? And therefore, is there a way in Outlook 2000 of always converting incoming e-mail to text format? I have looked but can't see that as an option for incoming mail, just for preferred outbound mail formats.

Thanks, everyone, for the advice ...

JR
N/A

IP address in a cookie? Is that bad??

No that I know of.

I switch to a program call The Bat! as it will display HTML e-mails fine, but only include images that are attatched to the message. No externaly hosted images are downloaded.

it does leave a lot of mail looking like junk, but for the most part, it is only the junk that does it.
glyndev
Grafter
Posts: 620
Registered: 31-07-2007

IP address in a cookie? Is that bad??

Another piece of software to try for cookie control is Cookie pal from Kookaburra Software at http://www.kburra.com/ .

Easy to set up and use with the facility to automatically accept or refuse specific cookies. Handy when you get some sites trying to set you something like 20 to 30 cookies with every page loaded.