An HTTP cookie stores information in a user’s web browser. Web servers generate cookies and send them to browsers, which include them in future HTTP requests.
What are cookies on websites?
Cookies are small files of information that a web server generates and sends to a web browser. Web browsers store the cookies they receive for a predetermined period or the length of a user’s session on a website. They attach the relevant cookies to any future requests the user makes to the web server.
Cookies help inform websites about the user, enabling the websites to personalize the user experience. For example, e-commerce websites use cookies to know what merchandise users have placed in their shopping carts. In addition, some cookies are necessary for security purposes, such as authentication cookies (see below).
The cookies used on the Internet are also called “HTTP cookies.” Like much of the web, cookies are sent using the HTTP protocol.
Where are cookies stored?
Web browsers store cookies in a designated file on users’ devices. For instance, the Google Chrome web browser stores all cookies in a file labeled “Cookies.” Chrome users can view the cookies the browser stores by opening developer tools, clicking the “Application” tab, and clicking “Cookies” in the left-side menu.
What are cookies used for?
User sessions: Cookies help associate website activity with a specific user. A session cookie contains a unique string (a combination of letters and numbers) that matches a user session with relevant data and content for that user.
Suppose Alice has an account on a shopping website. She logs into her account from the website’s homepage. When she logs in, the website’s server generates a session cookie and sends the cookie to Alice’s browser. This cookie tells the website to load Alice’s account content so the homepage reads, “Welcome, Alice.”
Alice then clicks on a product page displaying a pair of jeans. When Alice’s web browser sends an HTTP request to the website for the jeans product page, it includes Alice’s session cookie with the request. Because the website has this cookie, it recognizes the user as Alice, and she does not have to log in again when the new page loads.
Personalization: Cookies help a website “remember” user actions or preferences, enabling the website to customize the user’s experience.
If Alice logs out of the shopping website, her username can be stored in a cookie and sent to her web browser. The next time she loads that website, the web browser sends this cookie to the web server, which then prompts Alice to log in with the username she used last time.
Tracking: Some cookies record what websites users visit. This information is sent to the server that originated the cookie the next time the browser has to load content from that server. With third-party tracking cookies, this process occurs anytime the browser loads a website that uses that tracking service.
If Alice has previously visited a website that sent her browser a tracking cookie, this cookie may record that Alice is now viewing a product page for jeans. The next time Alice loads a website that uses this tracking service, she may see ads for jeans.
However, advertising is not the only use for tracking cookies. Many analytics services also use tracking cookies to record user activity anonymously.
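The session flow from the Alice example above (log in, receive a session cookie, send it back with each later request), as an added example that is not part of the original page. The cookie name `session`, the function names and the in-memory `SESSIONS` table are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side session table (hypothetical, in memory): session ID -> account data.
SESSIONS = {}

def log_in(username):
    """Create a session; return the Set-Cookie header value sent to the browser."""
    session_id = secrets.token_urlsafe(32)  # the "unique string": random, unguessable
    SESSIONS[session_id] = {"user": username}
    cookie = SimpleCookie()
    cookie["session"] = session_id  # no expiration date, so this is a session cookie
    return cookie["session"].OutputString()

def browser_store(set_cookie_value):
    """Browser side: keep the cookie; return the Cookie header sent on later requests."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return "; ".join(f"{name}={morsel.value}" for name, morsel in jar.items())

def handle_request(cookie_header):
    """Server side: match the presented identifier against the session table."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("session")
    session = SESSIONS.get(morsel.value) if morsel else None
    if session is None:
        # Missing, unknown or already logged-out identifier: treat as anonymous.
        return "Please log in"
    return f"Welcome, {session['user']}"

def log_out(cookie_header):
    """End the session on the server so the identifier stops working."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("session")
    if morsel:
        SESSIONS.pop(morsel.value, None)

if __name__ == "__main__":
    request_cookie = browser_store(log_in("Alice"))
    print(handle_request(request_cookie))  # homepage and jeans page both see Alice
    log_out(request_cookie)
    print(handle_request(request_cookie))
```

The cookie carries only the identifier; the account data stays on the server, so a value that is not in the table is treated as an anonymous visitor.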
What are the different types of cookies?
Some of the most essential types of cookies to know include:
Session cookies
A session cookie helps a website track a user’s session. Session cookies are deleted after a user’s session ends — once they log out of their account on a website or exit the website. Session cookies have no expiration date, which signifies to the browser that they should be deleted once the session ends.
Persistent cookies
Unlike session cookies, persistent cookies remain in a user’s browser for a predetermined time: a day, a week, several months, or even years. Persistent cookies always contain an expiration date.
Authentication cookies
Authentication cookies help manage user sessions; they are generated when a user logs into an account via their browser. They ensure sensitive information is delivered to the correct user sessions by associating user account information with a cookie identifier string.
Tracking cookies
Tracking cookies are generated by tracking services. They record user activity, and browsers send this record to the associated tracking service the next time they load a website that uses that tracking service.
Zombie cookies
Like the “zombies” of popular fiction, zombie cookies regenerate after they are deleted. Zombie cookies create backup versions of themselves outside of a browser’s typical cookie storage location. They use these backups to reappear within a browser after they are deleted. Unscrupulous ad networks and cyber attackers sometimes use zombie cookies.
What is a third-party cookie?
A third-party cookie is a cookie that belongs to a domain other than the one displayed in the browser. Third-party cookies are most often used for tracking purposes. They contrast with first-party cookies, which are associated with the same domain that appears in the user’s browser.
When Alice shops at jeans.example.com, the jeans.example.com origin server uses a session cookie to remember that she has logged into her account. This is an example of a first-party cookie. However, Alice may not be aware that a cookie from example.ad-network.com is also stored in her browser and is tracking her activity on jeans.example.com, even though she is not currently accessing example.ad-network.com. This is an example of a third-party cookie.
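An added example, not from the original page, that audits `Set-Cookie` values seen while a page loads and labels each cookie as session or persistent (by expiration date) and as first-party or third-party (by domain), following the definitions above. The header values are constructed, the function names are hypothetical, and the party check is a simplification that compares host names directly, whereas browsers compare registrable domains.

```python
from http.cookies import SimpleCookie

def cookie_domain(morsel, responding_host):
    """Domain a cookie belongs to: its Domain attribute, else the host that set it."""
    return (morsel["domain"].lstrip(".") or responding_host).lower()

def classify(page_host, responding_host, set_cookie_value):
    """Return (name, lifetime, party) for each cookie in one Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    rows = []
    for name, morsel in jar.items():
        # An expiration date (Expires or Max-Age) makes the cookie persistent;
        # without one the browser deletes it when the session ends.
        lifetime = "persistent" if morsel["expires"] or morsel["max-age"] else "session"
        domain = cookie_domain(morsel, responding_host)
        page = page_host.lower()
        # Simplified check: first-party when the host displayed in the browser
        # is the cookie's domain or a subdomain of it.
        first = page == domain or page.endswith("." + domain)
        rows.append((name, lifetime, "first-party" if first else "third-party"))
    return rows

# Constructed (responding host, Set-Cookie value) pairs for one page load.
OBSERVED = [
    ("jeans.example.com", "session=Zk3vQ9; Path=/"),
    ("jeans.example.com", "last_user=alice; Max-Age=2592000; Domain=example.com"),
    ("example.ad-network.com", "uid=7f1c; Expires=Wed, 21 Oct 2026 07:28:00 GMT"),
]

def audit(page_host="jeans.example.com"):
    """Classify every observed cookie relative to the page Alice is viewing."""
    return [row for host, value in OBSERVED for row in classify(page_host, host, value)]

if __name__ == "__main__":
    for name, lifetime, party in audit():
        print(f"{name:10} {lifetime:11} {party}")
```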
How do cookies affect user privacy?
As described above, cookies can be used to record browsing activity, including for advertising purposes. However, many users do not want their online behavior to be tracked. Users also lack visibility or control over what tracking services do with the data they collect.
Even when cookie-based tracking is not tied to a specific user’s name or device, with some types of tracking, it could still be possible to link a record of a user’s browsing activity with their real identity. This information could be used in many ways, from unwanted advertising to the monitoring, stalking, or harassment of users. (This is not the case with all cookie usage.)
Some privacy laws, like the EU’s ePrivacy Directive, address and govern the use of cookies. Under this directive, users must provide “informed consent” — they must be notified of how the website uses cookies and agree to this usage — before the website can use cookies. (The exception to this is cookies that are “strictly necessary” for the website to function.) The EU’s General Data Protection Regulation (GDPR) considers cookie identifiers personal data, so its rules apply to cookie usage in the EU. Also, any personal data collected by cookies falls under the GDPR’s jurisdiction.
Because of these laws, many websites now display cookie banners that allow users to review and control the cookies those websites use.