A cookie is a file (at most 4 KB) or a string. It is criticised because it can arguably violate privacy, not because it compromises the security of the user (we have to be technical here).
A cookie is just data, not an executable program, hence it can't compromise security.
Option A is incorrect (Answer)
Cookies are passed via HTTP headers in both cases (when the client contacts the server, and when the server contacts the client).
Option B is correct.
Cookies may contain up to 5 fields that have information about:
- Domain
- Path
- Content
- Expiry
- Whether the browser would return the cookie only to a secure server.
Option C is correct.
The primary functionality of cookies is to track the user's browsing pattern, so as to customize their viewing experience. Option D is correct.
Additional information
The data of the cookies is only meant for the server. It is never revealed to the browser/user.
Cookie is something that the server creates, and only the server eats. (Line taken from Forouzan)
Tanenbaum, page 481.
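
An added example, not part of the original answer: Python that parses a constructed `Set-Cookie` response header into the five fields listed above and decides whether a browser would return the cookie in a `Cookie` request header. The function names and sample values are assumptions, and the matching rules are simplified.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample: a Set-Cookie value as sent in an HTTP response header.
SAMPLE = ("sid=abc123; Domain=example.com; Path=/account; "
          "Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure")

def parse_fields(set_cookie):
    """Split one Set-Cookie value into the five fields (hypothetical helper)."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    name, morsel = next(iter(jar.items()))
    expires = morsel["expires"]
    return {
        "domain": morsel["domain"].lstrip(".").lower(),
        "path": morsel["path"] or "/",
        "content": (name, morsel.value),
        "expiry": parsedate_to_datetime(expires) if expires else None,
        "secure": bool(morsel["secure"]),
    }

def would_send(fields, host, path, https, now):
    """Would a browser return the cookie for this request? (simplified rules;
    assumes the Domain field is present, as in SAMPLE)."""
    host, dom, cpath = host.lower(), fields["domain"], fields["path"]
    domain_ok = host == dom or host.endswith("." + dom)
    # Path must match on a "/" boundary: /account covers /account/x, not /accounting.
    path_ok = path == cpath or (path.startswith(cpath) and
                                (cpath.endswith("/") or path[len(cpath)] == "/"))
    fresh = fields["expiry"] is None or now < fields["expiry"]
    secure_ok = https or not fields["secure"]   # Secure: HTTPS requests only
    return domain_ok and path_ok and fresh and secure_ok

def cookie_header(fields):
    """The request header that carries the content back to the server."""
    name, value = fields["content"]
    return f"Cookie: {name}={value}"

if __name__ == "__main__":
    f = parse_fields(SAMPLE)
    now = datetime(2030, 1, 1, tzinfo=timezone.utc)
    for host, path, https in [("www.example.com", "/account/settings", True),
                              ("www.example.com", "/account/settings", False),
                              ("example.com", "/accounting", True)]:
        sent = would_send(f, host, path, https, now)
        print(host, path, "https" if https else "http", "->",
              cookie_header(f) if sent else "(no cookie sent)")
```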