What are cookies
What do they do, how they work, and why does every website want you to accept them?
Over the last few years, internet users have grown accustomed to seeing notifications pop up on websites they visit, alerting them they use cookies and urging their acceptance. Those notifications may also invite you to read the website’s cookie policy — something users rarely do. The messages also tell you such cookies will enhance your experience, even if the message seems to spoil that experience rather than improve it.
But what are these life-enhancing cookies? What do they do? Why are they necessary? Do they enhance or degrade your privacy? Read on to find out.
What is a cookie?
In short, a cookie is a small plain text file containing no executable code that stores data identifying your computer as you use the internet. These files are a necessity when browsing the web, as they allow web developers to give users a more personalized experience by remembering who you are, what your login information for the website is, and what is in your shopping cart.
Cookies use a unique ID for you and your computer. When cookies are exchanged between the browser and the website, the server reads the ID and knows what information to give to you. Cookies can be split into two types: HTTP cookies and magic cookies.
What is a magic cookie?
Before the modern web, Unix programmers used a magic cookie, a data token passed from a server to a browser to track and authenticate a user on the system. A magic cookie differs from a data packet, as it contains no readable data. Rather, it contains path information to reach a server.
This cookie is a bit like a coat check ticket given out by a coatroom attendant. It has no intrinsic meaning, but it is unique enough to be exchanged for the correct coat when returned to the attendant.
What is an HTTP cookie?
Fast forward to the modern age, and we have the HTTP cookie. An HTTP cookie is like a magic cookie but created for the internet.
Founding Netscape engineer Lou Montulli invented it in 1994, taking inspiration from the magic cookie. Montulli applied the concept of a magic cookie to internet communications.
Montulli’s original specification, later formalized in RFC 2109, describes the basics of how cookies work. It was a way to help websites remember the users visiting them.
In essence, an HTTP cookie is a small piece of data a web server sends to the user's browser. The browser may store this cookie and send it back to the same server with more requests. HTTP is a stateless protocol and doesn’t remember users. Cookies are stateful in that they remember important data.
The five types of HTTP cookies
There are five types of cookies used in web browsing.
- Session cookies: These cookies are created in a browser’s subfolder temporarily during a website visit. When a user leaves that site, the cookie is deleted.
- Persistent cookies: These cookies stay in a browser subfolder after a user leaves a website. They become active again when a user comes back to the same website. This cookie stays in that folder until the expiration date set within the cookie.
- Third-party cookies: This cookie is set by a domain other than the one appearing in the address bar of a user’s browser. These cookies track user browsing behaviors and help serve up ads that may interest the user.
- Secure cookies: A secure cookie can only be used over an encrypted connection, such as HTTPS. To secure a cookie, the Secure flag is added to the cookie. Browsers that support this functionality will only send Secure-flagged cookies when a request is for a web page encrypted using HTTPS.
- HttpOnly cookies: These cookies can only be accessed by the web server and not by a script running in the client. This adds protection for session cookies.
What is inside a cookie?
As mentioned earlier, cookies store information about the browser to identify it to a web server. They have several attributes within them.
- Name: This specifies the cookie’s name.
- Value: This specifies the cookie’s value.
- Secure: This specifies whether the cookie should only be sent over a secure HTTPS connection.
- Domain: This specifies the domain of the cookie. To make the cookie available to sub-domains, the domain would be set to, for example, abc.com. Setting it to www.abc.com would make it available only in the www subdomain.
- Path: This specifies the server path of the cookie, i.e. the URL path the cookie is valid in. If set to “/” it is available to the entire domain. If set to “/abc/”, it can only be used in the “abc” directory and all its sub-directories.
- HttpOnly: If set, the cookie can only be accessed through the HTTP protocol and not by client-side scripts. This is used to help prevent cross-site scripting attacks and reduce identity theft.
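To make the attribute list above concrete, here is an added Python example (not code from the article or from any browser) that parses Set-Cookie headers into the record a browser keeps in its cookie jar, labels each cookie with the categories from the previous section (session or persistent, first- or third-party, Secure, HttpOnly), and applies the Domain, Path and Secure rules to decide which cookies go back to a given URL in the Cookie request header, i.e. the round trip described under “What is an HTTP cookie?”. The hosts, cookie names and values are constructed for the example; it deliberately skips Expires date parsing, SameSite, and the browser's check that a Domain attribute actually covers the responding host.

```python
from urllib.parse import urlsplit

# Constructed sample responses: (host that sent the response, Set-Cookie header).
# Hosts, names and values are hypothetical, not taken from any real site.
SAMPLE_RESPONSES = [
    ("www.abc.com", "sid=3f9a2c; Path=/; Secure; HttpOnly"),
    ("www.abc.com", "theme=dark; Domain=abc.com; Path=/; Max-Age=2592000"),
    ("www.abc.com", "cart=item42; Path=/shop/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
    ("ads.tracker.example", "adid=xyz; Domain=tracker.example; Path=/; Max-Age=31536000"),
]


def parse_set_cookie(response_host, header):
    """Turn one Set-Cookie header into the record a browser keeps in its jar."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {
        "name": name.strip(), "value": value.strip(),
        "domain": response_host.lower(),  # no Domain attribute => host-only cookie
        "host_only": True, "path": "/", "secure": False,
        "httponly": False, "persistent": False,
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie["domain"] = val.lstrip(".").lower()
            cookie["host_only"] = False          # now shared with sub-domains
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key in ("max-age", "expires"):
            cookie["persistent"] = True          # otherwise it dies with the browser session
    return cookie


def domain_matches(host, domain):
    """abc.com matches abc.com and www.abc.com, but not abc.com.evil.example."""
    return host == domain or host.endswith("." + domain)


def path_matches(request_path, cookie_path):
    """RFC 6265 path-match: the cookie path must be a directory prefix of the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def would_send(cookie, request_url):
    """Apply the Domain, Path and Secure rules to decide if the browser attaches the cookie."""
    url = urlsplit(request_url)
    host = (url.hostname or "").lower()
    if cookie["host_only"]:
        if host != cookie["domain"]:             # only the exact host that set it
            return False
    elif not domain_matches(host, cookie["domain"]):
        return False
    if not path_matches(url.path or "/", cookie["path"]):
        return False
    if cookie["secure"] and url.scheme != "https":
        return False                             # Secure cookies never travel in clear text
    return True


def classify(cookie, page_host):
    """Label a cookie with the categories from the text: session/persistent, party, flags."""
    labels = ["persistent" if cookie["persistent"] else "session"]
    labels.append("first-party" if domain_matches(page_host, cookie["domain"]) else "third-party")
    if cookie["secure"]:
        labels.append("secure")
    if cookie["httponly"]:
        labels.append("httponly")
    return labels


def cookie_header_for(jar, request_url):
    """Build the Cookie request header a browser would send for request_url."""
    return "; ".join(f'{c["name"]}={c["value"]}' for c in jar if would_send(c, request_url))


if __name__ == "__main__":
    jar = [parse_set_cookie(host, header) for host, header in SAMPLE_RESPONSES]
    for c in jar:
        print(c["name"], classify(c, "www.abc.com"))
    print("https checkout:", cookie_header_for(jar, "https://www.abc.com/shop/checkout"))
    print("plain http home:", cookie_header_for(jar, "http://www.abc.com/"))
    print("bare domain:   ", cookie_header_for(jar, "https://abc.com/"))
```

Running it shows the rules from the list in action: the plain-HTTP request loses the Secure `sid` cookie, the request to the bare `abc.com` loses the host-only cookies set by `www.abc.com` but keeps `theme` because its Domain attribute was set to `abc.com`, and the advertising cookie never leaves the tracker's domain no matter which `abc.com` page is loaded.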
Are cookies safe?
In themselves, cookies are harmless because they can’t store executable code. Most cookies are safe to use, but some have malicious intent. These cookies can track what you do over time, building up a picture of you as an internet user.
Other applications, such as spyware, can harvest any personal information stored in them, such as location, passwords, auto-completion details, etc. Unauthorized access to cookies is known as cookie hijacking. Should a hacker gain access to session or persistent cookies, they could get into websites someone has previously logged in to and use the account without ever needing the login details.
This can lead to problems, such as credit card information theft, unauthorized access to personal email or other accounts, etc.
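One defence against the hijacking described above is the one the coat-check analogy earlier in the article already points to: keep nothing sensitive in the cookie at all, and make it an opaque ticket that only the server can look up and tear up. The following is an added Python example, not code from the article, contrasting a cookie that carries the identity itself (readable by anything that can see the cookie, and trusted blindly by the server) with an opaque session ID issued with the Secure and HttpOnly flags and backed by a server-side store. The store is an in-memory dictionary assumed for illustration; a real service would use a database or cache shared across servers.

```python
import secrets
import time
from http.cookies import SimpleCookie

# In-memory session store: opaque token -> (username, expiry time).
# Assumed for illustration; real deployments use a shared database or cache.
SESSIONS = {}
SESSION_TTL = 3600  # seconds a login stays valid


def cookie_value(cookie_header, name):
    """Pull one value out of a Cookie request header such as 'sid=abc; theme=dark'."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


# --- The pattern to avoid: the cookie itself is the identity ---------------

def weak_login_cookie(username):
    """Stores the identity in clear text; anyone who reads the cookie learns it."""
    return f"user={username}"


def weak_current_user(cookie_header):
    """Trusts whatever the client sent; nothing ties the value to a real login."""
    return cookie_value(cookie_header, "user")


# --- The coat-check pattern: an opaque ticket looked up on the server -------

def issue_session(username, now=None):
    """Create an unguessable session ID and the Set-Cookie header that carries it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)              # 256 random bits, not derived from the user
    SESSIONS[token] = (username, now + SESSION_TTL)
    c = SimpleCookie()
    c["sid"] = token
    c["sid"]["path"] = "/"
    c["sid"]["secure"] = True                      # only ever sent over HTTPS
    c["sid"]["httponly"] = True                    # invisible to scripts running in the page
    c["sid"]["samesite"] = "Lax"                   # not attached to cross-site requests
    c["sid"]["max-age"] = SESSION_TTL
    return token, c.output(header="").strip()


def current_user(cookie_header, now=None):
    """Resolve the ticket to a user only if it is in the store and has not expired."""
    now = time.time() if now is None else now
    token = cookie_value(cookie_header, "sid")
    record = SESSIONS.get(token)
    if record is None:
        return None                                # unknown or revoked ticket
    username, expires = record
    if now >= expires:
        del SESSIONS[token]                        # expired: drop it so it cannot be replayed
        return None
    return username


def revoke_session(token):
    """Server-side logout: a stolen cookie is useless once its ticket is gone."""
    return SESSIONS.pop(token, None) is not None


if __name__ == "__main__":
    print("weak scheme trusts:", weak_current_user("user=anyone-at-all"))
    token, header = issue_session("alice")
    print("Set-Cookie:", header)
    print("lookup ok:", current_user(f"sid={token}"))
    print("unknown ticket:", current_user("sid=not-a-real-token"))
    revoke_session(token)
    print("after logout:", current_user(f"sid={token}"))
```

The point of the contrast is that with the opaque scheme the cookie value reveals nothing about the user, cannot be made up by the client, stops working the moment the server forgets it, and, thanks to the Secure and HttpOnly flags from the list above, is harder to capture in the first place.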
But there is another type of problem cookie: a zombie cookie. While this won’t try to eat your flesh, it is hard to get rid of. These third-party cookies can be permanently installed on a user’s computer, even if they opted out of receiving cookies. Even when deleted, they can be reinstalled.
Zombie cookies took advantage of flaws in Adobe Flash Player. Tracking cookies could be created and stored in the Adobe Flash directory rather than a browser folder. This cookie then makes sure any cookie in the browser folder that a user deletes is recreated, coming “back from the dead.”
Zombie cookies can track your activity across different browsers.
Yet another good reason to get Flash off a computer.
While disabling cookies is a non-starter because so many websites use them, disabling third-party cookies can bolster security. Users should also avoid accepting cookies from unencrypted websites, as there is no security to protect your data, meaning it could be stolen and used in identity theft.
Browser caches should also be cleared regularly. Users should be wary of visiting unknown websites and handing over personal information, as their cookie security may not be as good as one would hope.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.