The number in cookie filenames... anyone?

Here you go http//www.faqs.org/rfcs/rfc2965.html has a very good article on cookies and should answer your question.

Here you go http//www.faqs.org/rfcs/rfc2965.html has a very good article on cookies and should answer your question.

Thanks for the response, but I have read several documents like this (and now this one) and they haven't answered the basic question, which is, "Is the number in square brackets a Windows or Internet Explorer naming idea when filenames are duplicated, or is it something more in-depth?"

It seems most people have never needed to ask the question, so they don't know (or need to know) the answer.

I had to look into the numbering of cookies recently. Could not find an authorative answer anywhere! I'm guessing that the number within the square brackets could be related to whether it is the first, second, etc appearance/updating of the cookie within a browsing session. Wasn't able to successfully test my theory so it could be wrong!

I think Jonathan might be right. My understanding has always been that the bracketed number is a unique identifier created by IE which is incremented as necessary when a cookie is updated. Might the lack of cookies with lower numbers be due to expiration of earlier instances or those instances being removed when a maximum number is reached? Pure speculation on my part, though, not exactly what you're looking for!

the number within the square brackets could be related to whether it is the first, second, etc appearance/updating of the cookie within a browsing session.

The above is my experience of numbered cookies but with some additional points I have noted.

1) The number in [ ] does not always occur in the same browsing session but by return visits to an e.g. website

2) The number may only increment in [ ] if cookies folder already has a cookie in it from a previous visit to the same website

3) Incrementing cookie numbers does not happen with every site so it really requires some experimentation

4) Do bear in mind the IE settings in "Internet Option", "Privacy" where depending on settings for Internet Zone may restrict the length of time a cookie is valid, which can impact on some cookies causing a new cookie to be generated and therefore increment numbers in [ ] for same website

I appreciate the responses. They seem to make sense. I guess I read too much into what that number could mean. I've seen the same square bracket numbering with files in internet cache. Thanks for the help.

Just wondering if there was any updates on this since this original posting. I feel like I've searched the depths of the Internet for information regarding these brackets and do not understand how this question does not come up more often since it closely deals with Internet activities.

After doing some testing, I have found no indication that it has anything to do with sequential cookies, meaning the first time you view a page you get [1], second time [2]. Mainly because I will go to a page for the first time and have [2] in the cookie.

In addition, after my testing of various different pages I yet to have come across anything in the brackets other than a [1] or [2]. Never seen [3].

I would really like some clarification on this. Thanks

Remember that a cookie can be left on client by a website embedded in an <IFRAME>. For example, just opening the browser with the home page set to Google or Wikipedia and you'll get something like the following

administrator@atdmt[2].txt
administrator@bing[2].txt
administrator@google[1].txt
administrator@live[1].txt
administrator@msn[1].txt
administrator@windowsmarketplace[2].txt
administrator@zune[2].txt

None of which I visited. Note that atdmt and bing have the index of 2 not one, even though the cookie folder was empty. This may be because more than one cookie was saved to the system and then the first deleted.

Going to Forensic Focus, I get three more cookies, only one of which is www.forensicfocus.txt. If I open two separate instances of the browser and to Google, they share the same cookie file and cookie (verified by typing

javascriptalert("Cookie is " + document.cookie)

into the URL box.

The RFC states that the minimum number of cookies that a client can accept from a unique host or domain name is 20 (Microsoft increased IE to 50). The cookie creation (e.g., setcookie) routine has an expire or max-age parameter. If this is not defined, the cookie is a session cookie and is persists in memory only as long as the browser is open. If a setcookie function is called with the name of an existing cookie and max-age is set to zero or expire to a time past the user agent is supposed to delete the cookie, immediately.

In IE, if the setcookie routine is called with max-age set to other than zero and the cookie name already exists, an increment is added. I believe that newer versions of IE begin with [1] where as older versions had no index for the first file.

Why don't you see a [3] or higher?

I have seen [3], in fact, I have a [2] and [3] cookie in my cookies folder right now.

One theory would be that the cookies are overwritten such that most sites don't need to keep more than 3 cookies around (I suppose that you could test this by setting up your own server and generating loads of cookies).

Why are the numbers not sequential with respect to MAC times?

I suspect that IE expires cookies in the same order as created, i.e. (excuse the PUN), if you have user@yahoo[1].txt, user@yahoo[2].txt and user@yahoo[3].txt and you send the setcookie routine with the cookie name of "yahoo" and max-age to zero, the first cookie to be deleted will be user@yahoo[1].txt, the second will be user@yahoo[2].txt and so on.

If you now revisit the site, the cookies with the lower increments will have newer MAC times than the cookies with the higher increments.

Of course, site policy can also have something to do with this and this may vary between sites.

More experimentation is needed.

Here is an abbreviated update to the last post, using PROCMON to monitor the cookie activity. Starting with an empty Cookies folder (using IE 7 privacy tools), I started up PROCMON. Then Internet Explorer navigating to www.weather.com.

1. IE tries to QueryOpen weather[1].txt NAME NOT FOUND.
2. IE does a CloseFile for weather[1].txt SUCCESS
3. IE does a SetAllInformationFile for weather[1].txt SUCCESS Allocation 0
4. IE does a CloseFile for weather[1].txt SUCCESS
5. IE does a QueryOpen for weather[1].txt SUCCESS MAC times set
6. IE does two WriteFiles to index.dat. of 4,096 and 8,192 bytes
7. IE does a QueryOpen of the Cookies directory SUCCESS
8. IE does a QueryOpen of weather[1].txt SUCCESS
9 IE does a QueryOpen of weather[2].txt NAME NOT FOUND
10. IE does CloseFile of waether[2].txt SUCCESS
11. IE does a SetAllInformationFile for weather[2].txt SUCCESS Allocation 0
12. IE does a CloseFile for weather[2].txt SUCCESS
13. IE does a QueryOpen of weather[2].txt SUCCESS MAC TIMES SET
14 IE does a QueryOpen of weather[1].txt SUCCESS
15 IE does a QueryAttributeTagFile on weather[1].txt SUCCESS Attributes ANSI,ReparseTag 0.0
16 IE does a SetDispositionInformationFile on weather[1].txt SUCCESS Deleted True
17 IE does a CloseFile on weather[1].txt SUCCESS
18 IE does two WriteFiles on index.data SUCCESS of 4096 and 8192 bytes
19 IE then repeats the process this time creating weather[1].txt and deleting weather[2].txt.
20 IE, then, creates a third party cookie
21 IE, then, creates weather[2].txt and deletes weather[1].txt

The creation of third party cookies does not always result in updates to the hosting site's cookies. This, in part, determines whether the current cookie will be [1] or [2].