You have probably heard the term “cookies” many times. You can see it in your web browser if you select the “clear your cache and cookies” option, and on various websites, where you have to give your consent, i.e. you agree that your web browser will accept cookies from a given website. What exactly are cookies, though? We will answer that question, look at the attributes that control how cookies are stored and sent, and consider the future of cookies in the online world.
- So, what are cookies?
- Short history of cookies
- Types of cookies
- By category
- By party
- By duration
- Cookie attributes
- Privacy and security concerns
- How to keep cookies away
- The future of cookies
- In conclusion
So, what are cookies?
A cookie is a small piece of data that a website asks your browser to store, and that the browser sends back to that same website with later requests. It carries whatever the site chose to put there (a session identifier, a language preference), which lets the site recognize you and display your settings or user-specific content. Cookies are what keep you logged in when you navigate to another page, or keep your items in the shopping cart even if you do not complete your order for a few days. You will come across different names: the original one was “magic cookies”, but today these are called web cookies, Internet cookies, HTTP cookies, browser cookies, etc. As you will see in some examples below, cookies can be used for quite a lot of purposes.
Short history of cookies
By design, HTTP is a stateless protocol: each request is handled on its own, so if you log in or take some action and then navigate to the next page, the server has no built-in way to remember your previous action. As the World Wide Web started growing in the early 1990s, this statelessness became a problem. To solve it, in 1994 Lou Montulli, an engineer at Netscape Communications, designed the mechanism he called cookies, after the older computer term “magic cookies”, which meant opaque tokens exchanged between programs.
At first, cookies contained information that allowed the Netscape website to recognize whether a visitor was returning to the site. Soon, they were used to store items in virtual shopping carts. In 1995 Montulli applied for a patent on the technology behind web cookies, and later that year support for cookies was added to Internet Explorer 2. Curiously, the general public did not even know about cookies until a Financial Times article in 1996 raised concerns about whether the technology posed a privacy threat. Back then, cookies were still not being used for advertising purposes.
By the 2000s, cookies were actively used for tracking and personalized advertisements. These practices led to cookie legislation being adopted around the world, the EU ePrivacy Directive (a.k.a. the “EU cookie law”) being the best known. Cookie-blocking extensions and even built-in browser functions to prevent tracking were developed. Today, some web browsers block third-party cookies by default, while others can be set to delete all cookies automatically when the browser is closed.
Types of cookies
Cookies vary quite a lot by their type and purpose. They contain different information and they are added by different providers. Below, you can find some information about the different types of cookies you will encounter while you browse the Internet, although the list may not be exhaustive:
By category
Cookies can be separated based on what they are used for.
- Strictly necessary. These cookies are essential for a given website to provide certain features. A couple of examples are cookies that allow you to log in to your account or to add items to a shopping cart. Because the service cannot work without them, EU cookie rules (the ePrivacy Directive, which applies alongside the GDPR) exempt them from the consent requirement.
- Functional. Functional cookies support optional features that users enable. If you change some settings in your account, for example, the website will store that choice in a functional cookie. This type of cookie is not vital for the proper operation of the website. Functional cookies are generally low-risk to accept: they store preferences rather than identifiers used to track you across sites, although a stored preference can still be personal data, so check what the site says it keeps in them.
- Performance. These cookies are also known as statistics cookies, as they are used to measure the performance of a given website and the behavior of its visitors: page visits, number of errors, most popular pages, average visit time, etc. Performance cookies usually gather data in aggregated or pseudonymous form, and in the general case the collected information is not shared with other parties, though a third-party analytics provider may process it on the site’s behalf.
- Targeting. This type of cookie tracks user activity and is used to build a user profile. The gathered information is used to offer targeted ads and personalized offers to customers. Due to the nature of targeting cookies, they are almost always third-party ones.
By party
Cookies can be divided into two groups based on the website/domain that sets them.
- First-party. These cookies are created by the website that the visitor browses. They keep sessions open and provide various features on the site. First-party cookies are used to track user interaction with the site – what pages they visit, what settings they update, etc.
- Third-party. These are usually the targeting cookies we mentioned above. They are stored under a different domain than the one you are browsing and they are set by a third-party server. These cookies allow the remote server to track users between different websites. Here you can find some useful cookies, such as ones that allow third-party chat services to be added to a website and some that are rather intrusive as they allow ad platforms to display very personalized ads based on the user’s browsing history.
By duration
Cookies can also be grouped by how long the browser keeps them.
- Session. These are temporary cookies, set without an Expires or Max-Age attribute. The browser keeps them in memory only and discards them when the browsing session ends (typically when you close the browser), not merely when you navigate to another site. They make it possible for the website to remember information for the duration of a visit, such as what pages you browse. One example is a shopping cart that keeps the added products even if the user has not logged in.
Session cookies that serve an essential function, such as keeping you logged in, do not require consent, but the website should still inform users about them and their usage.
- Persistent. These cookies carry an expiration date (Expires) or a lifetime in seconds (Max-Age) set by the server when the cookie is saved. The browser writes them to disk, and they remain there until they expire or the user deletes them, even after the browser is closed. Persistent cookies are used to keep user preferences such as theme/language selection, favorites, etc., or to track the way users navigate a given website. A well-known persistent cookie is the one set by Google Analytics.
Cookie attributes
These are attributes set individually for each cookie in the Set-Cookie header. They control how the browser stores and transmits the cookie and whether scripts running in the page can read it.
- HttpOnly. This flag hides the cookie from client-side JavaScript: document.cookie does not include it, and scripts cannot read or overwrite it. The cookie is still sent to the server with every matching request. The point is damage limitation: if an attacker manages to inject script into the page (cross-site scripting, XSS), that script cannot simply read the session cookie and send it elsewhere. It does not stop the injected script from making requests to which the browser attaches the cookie, so HttpOnly reduces the impact of XSS rather than preventing it.
- Secure. This flag means the browser sends the cookie only over HTTPS. The cookie itself is not encrypted; it is protected because TLS encrypts the connection it travels over, so a third party on the network cannot intercept or read it. Modern browsers refuse to store a Secure cookie that a site tries to set over plain HTTP, so a website without a TLS certificate that runs on http:// cannot make use of this attribute.
- SameSite. This attribute tells the browser whether to attach the cookie to requests that originate from a different site (a different registrable domain, for example a page on another domain that links to or embeds content from yours). The attribute can have three values:
- None. The cookie is sent on all cross-site requests, including embedded content and advertising. Browsers only accept SameSite=None if the Secure flag is also set.
- Lax. The cookie is sent on same-site requests and on cross-site top-level navigations that use a safe method such as GET (for example, the user clicks a link that leads to your site), but not on cross-site POST requests or on requests for embedded resources such as images and iframes. Chromium-based browsers treat a cookie without a SameSite attribute as Lax.
- Strict. The cookie is sent only on same-site requests; it is withheld even when the user arrives by clicking a link on another site. This is a less common choice because it affects some site functions (the user appears logged out after following an external link), but its protection against cross-site request forgery is why it is often preferred by websites that handle sensitive information, such as banks.
Here is an example. A company owns two websites on different domains and you are logged in on both of them. If you click a link on the first site to go to the second, that is a cross-site top-level navigation. If the second site’s session cookie is set with SameSite=Lax, the browser attaches it and you arrive logged in. If the cookie is SameSite=Strict, the browser withholds it for that request, so you will not be logged in automatically until you navigate within the second site itself.
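To make the attribute rules concrete, here is an added example in Node.js (not code from the original article): it parses Set-Cookie headers into the attributes described above, flags the combinations a reviewer would want fixed, classifies each cookie as session or persistent, and simulates the browser’s SameSite decision for the two-site scenario just described. All host names and cookie values are made up. The site comparison uses a simplified registrable-domain rule (the last two labels of the host) instead of the Public Suffix List, and a cookie without a SameSite attribute is treated as Lax, which is Chromium’s default; both are assumptions of this example.

```javascript
"use strict";

// Parse one Set-Cookie response header into its name, value and the
// attributes discussed above. Other attributes (Path, Domain) are ignored.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq < 0 ? pair : pair.slice(0, eq),
    value: eq < 0 ? "" : pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null, // "Strict", "Lax", "None", or null when the attribute is absent
    maxAge: null,
    expires: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val.charAt(0).toUpperCase() + val.slice(1).toLowerCase();
    else if (key === "max-age") cookie.maxAge = Number(val);
    else if (key === "expires") cookie.expires = val;
  }
  // No Expires and no Max-Age means a session cookie: kept in memory only
  // and discarded when the browser session ends.
  cookie.session = cookie.maxAge === null && cookie.expires === null;
  return cookie;
}

// Flag attribute combinations that weaken a cookie. Returns a list of findings.
function auditCookie(cookie) {
  const findings = [];
  if (!cookie.secure) findings.push("missing Secure: cookie would be sent over plain HTTP");
  if (!cookie.httpOnly) findings.push("missing HttpOnly: readable from document.cookie");
  if (cookie.sameSite === null) findings.push("missing SameSite: browser default applies (Lax in Chromium)");
  if (cookie.sameSite === "None" && !cookie.secure) findings.push("SameSite=None without Secure: browsers reject the cookie");
  return findings;
}

// Simplified "site" of a host: its last two labels (assumption; real browsers
// consult the Public Suffix List, so hosts like foo.co.uk are not handled).
function siteOf(host) {
  return host.split(".").slice(-2).join(".");
}

// Would the browser attach this cookie to a request for cookieHost that was
// initiated from a page on initiatorHost? Strict: never cross-site. Lax: only
// top-level navigations with a safe method. None: always, if Secure is set.
function wouldSend({ cookie, cookieHost, initiatorHost, method = "GET", topLevel = true }) {
  if (siteOf(cookieHost) === siteOf(initiatorHost)) return true; // same-site request
  const mode = cookie.sameSite || "Lax"; // assumption: Chromium's default when unset
  if (mode === "Strict") return false;
  if (mode === "Lax") return topLevel && ["GET", "HEAD", "OPTIONS", "TRACE"].includes(method.toUpperCase());
  return cookie.secure; // None: a None cookie without Secure is never stored, so never sent
}

// Worked scenario from the text (made-up hosts): the user is logged in on
// shop.example-a.com and follows a link there to support.example-b.com, a
// cross-site top-level GET navigation.
const laxSession = parseSetCookie("sid=7f3a; Path=/; Secure; HttpOnly; SameSite=Lax");
const strictSession = parseSetCookie("sid=7f3a; Path=/; Secure; HttpOnly; SameSite=Strict");
const linkClick = { cookieHost: "support.example-b.com", initiatorHost: "shop.example-a.com", method: "GET", topLevel: true };
console.log("Lax cookie attached on link click:", wouldSend({ cookie: laxSession, ...linkClick }));       // true
console.log("Strict cookie attached on link click:", wouldSend({ cookie: strictSession, ...linkClick })); // false
console.log("Audit of 'id=42; SameSite=None':", auditCookie(parseSetCookie("id=42; SameSite=None")));
```

Run it with `node cookies.js`. Firefox and Safari do not apply the Lax default that `wouldSend` assumes for cookies without a SameSite attribute, which is one more reason to set the attribute explicitly rather than rely on browser defaults.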
Privacy and security concerns
In terms of security, cookies are attractive targets because a session cookie is effectively a substitute for your password: whoever holds it is treated as the logged-in user. It can be stolen by a script injected through cross-site scripting (XSS) if the cookie lacks the HttpOnly flag, or intercepted on the network if a website transmits cookies over plain HTTP instead of HTTPS. Because the browser attaches cookies to requests automatically, a website without protection against cross-site request forgery (CSRF) may accept state-changing requests that an attacker’s page triggered from the victim’s browser. A fake site that imitates a legitimate one adds a further risk: the cookies themselves are not to blame, but anything you submit there ends up in the attacker’s hands. Websites are designed to protect cookies and to reject unauthorized actions, but this is not always the case.
How to keep cookies away
Whenever you browse, websites store cookies in your browser. You will rarely need them in the long run, so clear them every now and then, especially third-party cookies added by websites you rarely use. There are different ways to do that. Most desktop browsers open their clear-browsing-data dialog when you press Ctrl + Shift + Del. Alternatively, raise the privacy level of your favorite browser (most can block third-party cookies or delete all cookies when you close them), or use one that does this by default: Brave blocks third-party cookies, and Tor Browser isolates cookies per site and discards them when you end the session. Some security suites also offer an option to block browser cookies. This way, unwanted third-party cookies are never added to your device in the first place, so there is nothing to clear later.
The future of cookies
First-party cookies are essential for improving the site user experience and for traffic/behavior analytics, so they will continue to be actively used.
In conclusion
There are different types of cookies: some are necessary, others optional; some are needed only for a particular session, and others are saved persistently. The ones that privacy watchdogs consider a threat are third-party cookies, which allow advertising platforms and other parties to profile website visitors and gather personal and behavioral information that goes far beyond anonymous traffic statistics. These concerns have resulted in much-needed changes: web browsers now give you more control over what cookies may store, and third-party cookies are increasingly restricted or blocked by default.