1. What is cookie authentication?
Cookie authentication enables us to ensure that users accessing
our paid services are authorized to do so. It allows us to
securely authenticate our users while preserving their privacy at
the same time.
2. Why are we using cookie authentication?
Two major reasons: speed and scalability. We currently use a
database to keep track of active user connections (but obviously not
to keep track of users themselves). This requires quite a bit of
overhead and frequently leads to other, more subtle problems in the
rare event that the database is busy or cannot be reached.
Using a cookie allows us to authenticate users without this overhead
and therefore to load user pages more quickly.
As our user base increases, so do the demands placed on our
authentication servers. Using a cookie allows us to scale much more quickly
and effectively with the growing requirements of our users.
3. What is stored in the cookie?
The cookie contains your encrypted username, a timestamp,
and an authorization string. The encrypted username
is used for our URL Encryption; it ensures that each URL is
encrypted uniquely to each user. The timestamp tells us
when your session will expire. The authorization string
assures us that you are, in fact, a legitimate user.
The cookie will have a form identical to this actual example:
Anonymizer_Auth_Expires = 9fc7c85950dd9570f93b918546c7e1ab:943235014:ba66c29ea3182b44f9aefe9baf4bdfdbec0ea2d9
The first part (before the first colon), 9fc7c85950dd9570f93b918546c7e1ab in this example, is the hexadecimal (base-16)
representation of your encrypted username. It is used to ensure that each
URL visited using URL Encryption is encrypted uniquely to every user; it
ensures that no one else can decrypt them but you.
The second item (between colons), 943235014 in this example,
represents the time (in UNIX terms) when your authentication expires. The third part (after the second colon),
ba66c29ea3182b44f9aefe9baf4bdfdbec0ea2d9 in this example,
is a secure, one-way cryptographic hash of the expiration information. You can think
of it as our digital "signature" on your cookie.
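The three-field layout described above, as an added example that is not part of the original FAQ or the Anonymizer's own code: a Python parser for the cookie value plus a sketch of issuing and verifying it without a database lookup. The FAQ does not name the hash algorithm or its exact input; HMAC-SHA1 over the first two fields (which also yields 40 hex digits), the key `DEMO_KEY`, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Constructed demo key (assumption); a real service keeps its key server-side.
DEMO_KEY = b"constructed-demo-key"
# Layout from the FAQ: <32 hex>:<decimal UNIX time>:<40 hex>
COOKIE_RE = re.compile(r"([0-9a-f]{32}):([0-9]{1,10}):([0-9a-f]{40})")
# The FAQ's own example value, split only to keep the line short.
FAQ_EXAMPLE = ("9fc7c85950dd9570f93b918546c7e1ab:943235014:"
               "ba66c29ea3182b44f9aefe9baf4bdfdbec0ea2d9")

def parse_cookie(value):
    """Split a cookie value into (user_hex, expires, tag_hex) or raise ValueError."""
    m = COOKIE_RE.fullmatch(value.strip())
    if m is None:
        raise ValueError("cookie does not match the three-field layout")
    return m.group(1), int(m.group(2)), m.group(3)

def tag_for(key, user_hex, expires):
    # Assumption: HMAC-SHA1 over "user:expires"; the FAQ does not name the algorithm.
    msg = f"{user_hex}:{expires}".encode("ascii")
    return hmac.new(key, msg, hashlib.sha1).hexdigest()

def mint_cookie(key, user_hex, expires):
    """Build a cookie value in the FAQ's layout under the assumed scheme."""
    return f"{user_hex}:{expires}:{tag_for(key, user_hex, expires)}"

def verify_cookie(key, value, now):
    """Return True only if the layout, the tag and the expiry all check out."""
    try:
        user_hex, expires, tag_hex = parse_cookie(value)
    except ValueError:
        return False
    # Constant-time comparison avoids leaking how many tag digits matched.
    if not hmac.compare_digest(tag_hex, tag_for(key, user_hex, expires)):
        return False
    return now < expires

def expiry_utc(value):
    """Decode the timestamp field as a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(parse_cookie(value)[1], tz=timezone.utc)

if __name__ == "__main__":
    print(parse_cookie(FAQ_EXAMPLE))
    print(expiry_utc(FAQ_EXAMPLE).isoformat())
    fresh = mint_cookie(DEMO_KEY, parse_cookie(FAQ_EXAMPLE)[0], 2000000000)
    print(verify_cookie(DEMO_KEY, fresh, now=1999999999))
```

Because verification needs only the server's key and the cookie itself, no per-request database query is involved, which is the speed and scalability point made in question 2.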
4. Does this cookie get stored on my hard drive?
Absolutely not. The cookie we are sending is what is known as a
"session cookie". This type of cookie is held only until your current
browsing session is over; when you quit the browser, it disappears. At
no time is it ever permanently recorded on your computer.
5. How can I use cookie authentication?
Just enable cookies in your browser and log in as normal. The Anonymizer will
use cookie authentication if possible. It will proceed with traditional
authentication if it cannot.
Cookies can be enabled in Netscape via
Edit->Preferences->Advanced->Cookies.
In Internet Explorer:
Tools->Internet Options->Security->Custom Level->Cookies and under
Allow per-session cookies check either Prompt or Enable.
If you are an AOL user go to the Start menu and select
Settings->Control Panel->Internet Options and select
either Prompt or Enable under Allow per-session cookies.
We highly recommend that curious users inspect
our cookie before accepting it to verify all that we have said.
The Prompt option under most browsers will show you the cookie
before you accept it.
6. Does this mean other sites can give me cookies?
No. The Anonymizer destroys any other cookies that it sees. Likewise,
the Anonymizer does not pass our cookie along to sites you visit. It is part
of the cookie specification that it can only be seen by us.
7. Where can I learn more about cookies?
We recommend http://www.cookiecentral.com.