Demystifying cookies. What they can and can not do.

Tracking cookies are receiving tremendous attention these days, and we are constantly seeing those “This website uses cookies” messages and alerts all over the Internet. That is happening mostly due to the new laws and policies, as well as privacy and security concerns. However, cookies are not inherently harmful and they can actually significantly improve user experience on today’s web. So let’s stop feeling paranoid and see what they are and what they can and can not do.

What they are

Cookies are small pieces of information that a website asks your browser to store so that the browser sends them back on later requests to that site.

Each cookie is stored as plain text in a name-value pair format. A cookie is tied to a specific domain (and optionally a path), it can carry an expiry date, and it can be flagged to be transferred only over a secure (HTTPS) connection. A site sets a cookie either with a Set-Cookie response header or from page script, and the cookie's attributes (Domain, Path, Expires/Max-Age, Secure, HttpOnly, SameSite) decide where and when the browser sends it back.
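As an added example, not code from the original article, here is a small Node.js script that parses a Set-Cookie header into its name-value pair and attributes, tells a session cookie from a persistent one, and flags the settings a security review would question. The headers in SAMPLE_HEADERS and the rule that a cookie called "sessionid" is an authentication cookie are constructed for the example.

```javascript
// Added example, not code from the original article: parse a Set-Cookie
// header, classify it as session or persistent, and audit its flags.
// SAMPLE_HEADERS below are constructed for this example.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq < 0) throw new Error('Set-Cookie must start with name=value');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: {}, // attribute names lower-cased; bare flags (Secure, HttpOnly) map to true
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// A cookie with neither Expires nor Max-Age lives only for the browser session.
function isPersistent(cookie) {
  return 'expires' in cookie.attrs || 'max-age' in cookie.attrs;
}

// Weaknesses in a parsed cookie. The caller says whether it is a session or
// authentication cookie (here decided by name), because those must not be
// readable by page scripts.
function auditCookie(cookie, { isSession = false } = {}) {
  const a = cookie.attrs;
  const issues = [];
  if (!('secure' in a)) issues.push('no Secure flag: sent over plain HTTP too');
  if (isSession && !('httponly' in a)) issues.push('no HttpOnly flag: readable by page scripts');
  const sameSite = typeof a.samesite === 'string' ? a.samesite.toLowerCase() : null;
  if (sameSite === null) issues.push('no SameSite attribute: cross-site sending left to browser defaults');
  else if (sameSite === 'none' && !('secure' in a)) issues.push('SameSite=None is only accepted together with Secure');
  return issues;
}

// Constructed sample headers: a hardened session cookie, a weak one,
// a persistent preference cookie and a persistent third-party tracking cookie.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'sessionid=abc123; Path=/',
  'lang=en; Max-Age=31536000; Path=/; Secure; SameSite=Lax',
  'uid=t42; Domain=.tracker.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; SameSite=None',
];

for (const h of SAMPLE_HEADERS) {
  const c = parseSetCookie(h);
  const kind = isPersistent(c) ? 'persistent' : 'session';
  console.log(`${c.name} (${kind}):`, auditCookie(c, { isSession: c.name === 'sessionid' }));
}
```

The second header is the kind of cookie this article's security section warns about: the same session identifier, but sent over plain HTTP, readable by any script on the page, and attached to cross-site requests at the browser's discretion.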

Tracking user activity using cookies

Cookies are kept by the browser as you navigate between pages and websites, and persistent ones survive across sessions and browser restarts. Every time your browser makes a request to a site for which it holds a cookie, it attaches the cookie automatically, and this exchange lets the site "remember" you and adapt its content and behavior to the cookie's value.

3rd party cookies and security

Cookies can also be set by third-party websites when the page you are visiting embeds a resource (an iframe, a widget, an ad, a tracking pixel, etc.) loaded from that third party's domain. The third party's response sets the cookie under its own domain, and the browser sends it back to that domain, through the same automatic mechanism, from any page that embeds its resources. This is what makes cross-site tracking possible and is the source of most of the privacy issues and some of the security issues associated with cookies.

What Goes Into a Cookie

It can be literally any piece of information the website needs to "remember" about you and be aware of on your next visit and/or pageview. Common use cases are:

  • Your visitor, user or session ID, so that the website knows who you are, if you’re logged in or not etc.
  • Items in your shopping cart
  • Your interests
  • User preferences
  • Browsing/search/interaction activity on the website
  • Preferred language
  • Opt-ins, opt-outs, consent
  • Specific user group or segment you belong to

Typical use cases

  • Identifying and “remembering” the user, his/her role, status, setting, preferences, and choices
  • Gathering data, user activity tracking and analytics, building user profiles
  • Providing personalized experiences and targeted messaging based on the above

What cookies can and can not do

  • Cookies are data, not programs: they can't run on their own or "do things" in your browser
  • They can't access or modify information stored on your hard drive
  • They don't carry viruses and can't install malware or hack your machine
  • They can't run anything on your machine or get access to its software, hardware or data
  • What a cookie can do is carry a value the website later trusts. If a site copies a cookie value into a page, a database query or a file path without checking it, the weakness is in the site's handling of that value, not in the cookie

How long do they stay on your machine?

Session cookies. These temporary cookies are mostly used for logins/authentication and short-term storage. They have no expiry date and are meant to be deleted when the user closes the web browser. Two caveats: browsers that restore the previous session at start-up may keep session cookies alive across restarts, and the server-side session a cookie points to has its own lifetime, so "closed the browser" does not always mean "logged out". When the user logs back in, a new session is started and a new cookie is issued for it.

Persistent cookies. These are long-term cookies with an expiration date, which can be anywhere from a few minutes to a few years after the cookie was set. Unlike session cookies, they are stored even after the browser is closed. If needed, these cookies can be removed manually before the expiry date.

Which websites can set cookies?

Almost any website can set cookies in your browser unless you have configured a restriction or installed an extension that blocks cookies from certain domains. After a cookie is set, the browser sends it back only with requests to hosts that match the cookie's domain (and path). Note that this is a host-and-path rule, not an origin rule: unlike other browser storage, cookies are not separated by scheme or port, so a cookie set over plain HTTP is also sent to the same host over HTTPS, and only the Secure flag stops a cookie from travelling over plain HTTP. As mentioned earlier, there are two different contexts in which a cookie can be set for a given domain:

First-party cookies. These cookies are set and used by the website that you’re visiting directly and they are set under the same domain as the website you’re browsing. For example, when you’re browsing the Wikipedia website, they set cookies to remember your language selection and location. Most first-party cookies are used for user authentication, storing user preferences, location, etc.

Third-party cookies. These are created by websites other than the one you are directly interacting with, and they are set under domains that differ from the domain of the website you are directly interacting with.

As mentioned earlier, a website can set and read cookies only for its own domain. A third party therefore gets its cookies set and read through requests that the browser makes to the third party's domain: the page embeds a tracking script, pixel, iframe or ad served from that domain, and the third party's HTTP response carries a Set-Cookie header for it (or script inside its own iframe sets one). Script that is merely loaded from a third-party domain but runs in the first-party page writes first-party cookies, which is why trackers also make their own requests back to their domain. Most such third-party cookies are used for cross-site tracking (tracking and sharing information as the user navigates between different websites and domains), retargeting and online advertising.
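To make the scoping rules of the two sections above concrete, here is an added example (not code from the original article) of a minimal cookie jar that applies the checks a browser applies when deciding which stored cookies travel with a request: domain match, path match and the Secure flag. It also classifies a cookie as first- or third-party relative to the top-level page. The hostnames (news.example, tracker.example), the jar contents and the "last two labels" rule for the registrable domain are constructed for the example; real browsers consult the Public Suffix List for that last step.

```javascript
// Added example, not code from the original article: which cookies does the
// browser send with a given request, and which of them are third-party?
// Hosts, cookies and the registrable-domain shortcut are constructed here.

// RFC 6265 section 5.1.3 domain matching: exact match, or host ends with
// "." + cookie domain. Host-only cookies (set without a Domain attribute)
// match the exact host only.
function domainMatches(host, cookie) {
  const h = host.toLowerCase();
  const d = cookie.domain.toLowerCase();
  if (cookie.hostOnly) return h === d;
  return h === d || h.endsWith('.' + d);
}

// RFC 6265 section 5.1.4 path matching: "/admin" covers "/admin/users"
// but not "/administrator".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Scheme and port play no part except that Secure cookies need https.
function cookiesToSend(jar, requestUrl) {
  const u = new URL(requestUrl);
  return jar
    .filter((c) => domainMatches(u.hostname, c))
    .filter((c) => pathMatches(u.pathname, c.path))
    .filter((c) => !c.secure || u.protocol === 'https:')
    .map((c) => `${c.name}=${c.value}`);
}

// Simplification for the constructed ".example" hosts: the registrable domain
// is the last two labels. Browsers use the Public Suffix List instead.
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

function isThirdParty(cookie, topLevelHost) {
  return registrableDomain(cookie.domain) !== registrableDomain(topLevelHost);
}

// Constructed jar. The first three were set by news.example itself; the last
// one was set by tracker.example's response to a pixel embedded in its pages.
const JAR = [
  { name: 'sessionid', value: 's1', domain: 'news.example', hostOnly: true, path: '/', secure: true },
  { name: 'lang', value: 'en', domain: 'news.example', hostOnly: false, path: '/', secure: false },
  { name: 'admin', value: 'a1', domain: 'news.example', hostOnly: true, path: '/admin', secure: true },
  { name: 'uid', value: 't42', domain: 'tracker.example', hostOnly: false, path: '/', secure: true },
];

for (const url of [
  'https://news.example/article',
  'http://news.example/article',
  'https://cdn.news.example/x.js',
  'https://pixel.tracker.example/i.gif',
]) {
  console.log(url, '->', cookiesToSend(JAR, url));
}
for (const c of JAR) {
  console.log(c.name, isThirdParty(c, 'news.example') ? 'third-party' : 'first-party', 'on news.example');
}
```

The last request is the tracking case from the text: a page on news.example embeds a pixel from tracker.example, and the browser attaches tracker.example's uid cookie to that request even though the user never visited tracker.example directly.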

Cookies and security concerns

Cookies themselves are inert data, and they generally make the web experience better and more personalized, but there are two major concerns associated with them:

Privacy concerns. The amount of information collected by platforms, marketing firms and data analysis firms can be enormous, and it is almost impossible to know who this data will be shared with. The profiles can get so detailed that it sometimes feels as if "they" watch your every move; targeted ads and personalized feeds get creepy and can violate privacy rights. This growing awareness of abusive and cross-site tracking is one of the main triggers for the new data privacy laws and regulations.

Cookie exploits. The common attacks do not target the cookie as such but the trust a website places in it. Session hijacking steals a logged-in user's session cookie (from an unencrypted connection when the cookie lacks the Secure flag, or through script injected into the page when it lacks HttpOnly) and replays it to impersonate the user. Session fixation plants a session identifier known to the attacker in the victim's browser and waits for the victim to log in under it; the defence is to issue a new session ID at login. Cross-site request forgery abuses the fact that the browser attaches cookies to requests automatically, so a request triggered from another site is sent with the victim's credentials; SameSite cookies and anti-forgery tokens counter it.

On top of this, some poorly built websites and tracking systems store unprotected, personally identifiable information, or even access decisions (e.g. a role or user ID the server trusts without verification), in cookies. Such values violate privacy restrictions, are easy to steal, and can be edited by the user before they are sent back.

Cookies and security – when and why should you delete them?

If you have any privacy or security concerns about the cookies that are already stored on your machine, or if you’re experiencing some kind of weird website glitch and/or behavior, clearing website cache and cookies might be a good idea.

Fortunately, it's pretty easy to do. All modern browsers let users view and clear cookies. However, the steps differ from one browser (and sometimes even browser version) to another. The easiest way to find up-to-date information for your specific browser and version is to search the web or the browser's documentation/wiki pages.

You can also avoid tracking and security risks associated with cookies

Alternatively, you can use private or incognito mode (provided by all major browsers as well). It starts a fresh browsing session with no stored cookies and deletes the ones created during that session when you close the window; it does not hide you from the sites you visit while the window is open. You can also proactively configure your browser with the cookie control settings you want, such as blocking third-party cookies.

Useful links:

Cookies and GDPR
