With all of the rhetoric about cookies, many people don't understand that these little text files were invented for a reason. In fact, cookies were created to solve the internet's equivalent of Alzheimer's disease. You see, web sites do not remember who they are talking to!

The web was designed to be simple and straightforward. You (a browser such as Internet Explorer or Netscape) ask for something from a web server. The web server obediently hands it to you, then goes off to do something else. This is due to the original purpose of the web - a vast electronic library!
The web was never designed to support electronic commerce. It was designed to support reading text. Images, videos, sounds and commerce were all shoehorned into the structure later.
Okay, so web servers are forgetful. What exactly does this mean? The browser asks the web server for an object (a web page, image, graphic or whatever) and the server obligingly returns it. The connection to the browser is then closed and forgotten.
Thus, the next time the browser makes a request of the web server, the poor server has no easy way to know that it is the same browser as before. As far as the server is concerned, every single request to do something is a unique request from a different computer.
This makes any kind of transaction control very difficult. Think about it for a minute and you'll understand. You enter your credit card information into one screen, which then sends you to a second screen to enter your name and address. If the web server does not know that you are you, then how in the heck does it relate the credit card information to your name and address?
The answer is cookies. To put it very simply, a cookie is a way for the web server to know that you are indeed you. In the previous example, a cookie would allow the server to know that the name and address are related to the credit card number.
How does this work? Well, the server creates a small text file on your system called a cookie. This text file can only be read back by the server that set it, and it contains a simple unique number which identifies you.
Whenever the server does something, it tries to read this cookie to see if it knows who you are. Thus, when the screen allowing you to enter your name and address is displayed, the server tries to read the cookie, effectively asking "Do I know who you are?" It does the same thing on the credit card entry screen. Okay, this all seems harmless enough, doesn't it? So how is this very harmless and exceptionally useful system abused?