The Ultimate Guide to Cookies

Cookies, or, to give them their formal name, HTTP cookies, are text files made up of tiny bits of data, which are stored on a web browser. These tiny bits of data are used by websites to track a user’s journey, enabling them to offer features that are specific to each individual user. Because of this, cookies are at the heart of a website’s functionality. For example, they can be used for shopping carts on e-commerce sites.

On the one hand, cookies are integral to the way the internet works, but they’re also a cause for concern when it comes to security and privacy risks. However, by understanding how cookies work, both day-to-day users and developers can protect themselves from the negative aspects of these tiny bits of data.

With this in mind, this guide provides an in-depth overview to cookies. It has been broken down into two usable parts:

  • Understanding Cookies — A Layman’s Guide: all of the basics you need to know as an everyday internet user.
  • Understanding Cookies — A Developer’s Guide: a more in-depth look at how cookies work, with advice on how to use cookies while adhering to the laws in place. It then concludes with some technical resources for those who want to go even further into the world of cookies.

Understanding Cookies — A Layman’s Guide

Having a basic understanding of HTTP cookies is essential for every internet user, regardless of whether you’re just using it for personal use or you’re a web developer who’s making a living from it. These basics include what purpose cookies serve, and what security and privacy risks they pose. However, to give you a better overview, we thought it was worth delving into the history of cookies and where they came from, so here goes!

The History of Cookies

In 1994, Lou Montulli developed cookies for the first time. As a Netscape Communications employee, Montulli worked alongside John Giannandrea to develop cookies into a unique solution that would help make shopping carts for e-commerce stores possible. This means the first primary usage of cookies on the internet was to establish whether a visitor coming to Netscape’s website had already visited it or not.

At the start, all supported browsers accepted cookies by default, which meant hardly any end users were aware of their use or presence. However, in February 1996, this changed, when their use, purpose, and existence were revealed in a piece published by The Financial Times. Over the next few years, the media placed cookies under intense scrutiny due to the privacy risks created as they tracked visitors across a website.

This resulted in the internet Engineering Task Force (IETF) being tasked with establishing a formal cookie specification. Agreeing with the media’s concerns, particularly with the risks involved in third-party cookies (AKA: tracking cookies), the IETF tried to make it a requirement that all third-party cookies were disallowed, or, they were only allowed once a user had explicitly opted into them.

However, the industry-leading browser developers (eg, Microsoft and Netscape) didn’t follow these recommendations and continued to allow tracking cookies from third-parties, such as online advertisers.

Today, even though the IETF’s cookie specification acknowledges the use of tracking cookies and the risks they poses, it places much of the responsibility of managing this risk onto browser developers, “This document grants user agents [browsers] wide latitude to experiment with third-party cookie policies that balance the privacy and compatibility needs of their users.”

However, there are other legalities that have come into play with regards to cookies. We’ll take a look at these later on in the guide.

What Is a Cookie Made Up Of?

For each specific user, there will be bits of data that are associated with them by cookies. For example, when you go to a website, you may be identified as “User X” by a cookie that’s been delivered by the site. Therefore, if you leave the site but return to it later, the cookie you’ve been given will be used by the site to identify you as “User X” who’s been on the website before.

At a minimum, cookies contain two bits of data: an identifier for a unique user and some information about this user. However, they can also contain a whole host of attributes that inform browsers what they should do with the cookie — something we’ll touch on in the developer-targeted part of this guide.

A common working example of this is what’s known as an authentication cookie. For example, when you log into a site, a cookie may be returned that identifies your account, confirming you’ve successfully logged in. Then, when you interact with this website in the future, this cookie will act as confirmation that you’re a user who’s logged into the site.

Different Types of Cookies

There are a number of different ways cookies can be grouped together, and below we’ll look at the four most common. This should hopefully add to your understanding of how they are used as well as how they work.

Session Cookies

These cookies are temporary and will only be stored in the memory of your browser while it’s open. When it’s closed, the cookie will be removed from your browser’s history, and, because of this, they are a lower security risk. You’ll often find these cookies working within e-commerce shopping carts, controlling what a user sees on a page when they’re conducting a one-off, multi-page site visit, or for other storage means that are short-term.

Persistent Cookies

These cookies are used over a much longer period of time, as an expiration date is tagged to them by the issuer. This means, even when your browser is closed, the cookie will be stored on it. And each time you return to the website that created this cookie, or you go to a website that has a resource produced by the cookie’s issuer (eg, an ad), this data is returned to the issuer.

Persistent cookies, can, therefore, track your browsing activity not just on the original site where the cookie was created but on other sites that have a resource which has been produced by the original site. For example, Facebook and Google use these kinds of mechanisms to create a user activity log across a range of different websites. So, when you click “Remember Me” (or something similar) after you’ve logged into your online account somewhere, you’ll be creating a persistent cookie, which will store your login details on your browser.

As these persistent cookies are present for a longer period than session cookies, and can essentially track what you’re doing over more than one site, a greater security risk is posed by them.

First-Party Cookies

Created by a site you’re visiting, first-party cookies help a website carry out a number of purposes, such as allowing you to add more than one item to your online order. If you disabled first-party cookies, every time you added an item to your shopping cart it would be treated as a new order as you’d be unable to purchase more than one item in one transaction.

Third-Party Cookies

Created by a site you’re not currently visiting, third-party cookies are most commonly used to track a user who’s clicked on an ad, associating them with the domain that’s referred them. For example, if you’re on a website and you click on an advertisement, a third-party cookie is generated to associate your traffic with the website where the advertisement was shown.

Even though cookies do play a very important role in our browsing activities, there are a number of threats posed by these, especially when it comes to the invasion of privacy and the security of websites that are using them.

The Risks of Cookies and What You Need to Watch out For

When you’re using the web, you’ll want to know what risks are presented to you by cookies, how you can view them, and how to delete them, if necessary. To start with, we’ll look at the risks involved with cookies, which can be placed into two categories — fraud and the invasion of one’s privacy.

Cookie Fraud

Although quite complex, it’s worth familiarizing yourself with cookie fraud in case you come across a site that’s exploiting users through this method.

In a lot of cases, cookie fraud will either be a malicious website attacking another website by using legitimate uses as a proxy, or a legitimate user’s activity being tagged with a false session ID for game tracking systems.

Here are four common types of cookie fraud and what they involve:

Cross-Site Scripting (XSS)

Here, a user will receive a cookie after they’ve visited a malicious website. This cookie contains a script payload that targets another website, but the malicious cookie is in disguise and looks as though it’s come from the website that’s being targeted. Therefore, when a user visits the targeted site, this fraudulent cookie (and its script payload) is sent to the targeted site’s server.

This type of vulnerability may be used by attackers to get past certain access controls like the same-origin policy.

Session Fixation

When this occurs, a user will be given a malicious cookie that contains the session ID of the cookie’s issuer. Then, when the innocent user goes to log into a domain that’s being targeted, the user’s session ID isn’t logged but the cookie issuer’s is. This makes it look as though the issuer is performing certain actions on the targeted domain but it’s the user that’s actually performing them.

This type of cookie fraud allows attackers to take over valid user sessions.

Cross-Site Request Forgery Attack (CSRF)

A legitimate cookie is received by a user when they visit a legitimate site. However, they then visit a malicious site which instructs the browser of the user to perform an action that targets the legitimate site they’ve previously visited. A request is received by the legitimate site alongside the legitimate cookie, and the same action is performed as it seems to have been triggered by the legitimate user, but it hasn’t, it’s been initiated by the malicious site.

Cookie Tossing Attack

In a cookie tossing attack, a user is provided with a cookie by a malicious site, which has been designed to look like it’s come from the targeted site’s subdomain. For example: http://subdomain.placeholder.com. Therefore, when the user goes to the targeted site (placeholder.com), all of the cookies are sent, including legitimate ones and the subdomain cookie. Where the cookie that’s interpreted first is the subdomain, this data will overrule any of the legitimate data contained in the other valid cookies.

The above examples demonstrate that, in most cases of cookie fraud, the cookies are being used to perform malicious actions using the legitimate user’s identity, or to falsify a legitimate user’s identity.

Protecting Yourself Against Cookie Fraud

The first important thing to note is cookies aren’t viruses, even if they’re malicious. They cannot execute actions on your computer because they’re made up of plain text, which means you aren’t protected against malicious cookies through your antivirus software. Instead, there are a couple of things you can do to prevent yourself from becoming the next cookie fraud victim:

  • Make sure your browser is updated: a lot of the cookie exploits carried out are designed to make use of an outdated browser’s security holes. Today, a lot of browsers update automatically. But if you are using a browser that’s out of date, you should update it straight away.
  • Avoid any sites you’re not sure about: if you ever receive a warning about a site, whether it’s from a search engine or your browser, don’t go onto the site.

Invasion of Privacy

Even though cookie fraud is a concern for many people, the greater worry is the risk posed by the invasion of privacy. When you think about how many websites have a Google resource embedded in them (eg, Google Maps, Analytics, or Adsense), it isn’t hard to work out how Google is constantly adding to its huge record of web users’ cross-site activity. In fact, a lot of users feel as though the use of the information by Google to provide targeted ads is a tad creepy, to say the least. But more worrying still is the potential invasion of privacy that’s occurring.

It isn’t just Google, of course. Many other web advertising platforms, such as Facebook, Disqus, Revcontent, and Infolinks, are trying to improve user targeting and the delivery of relevant ads by mining more and more data about each and every user.

Therefore, if you’re going to use the internet, and you’re going to let your browser accept cookies, your every move is being tracked.

Protecting Your Online Privacy

Unfortunately, there isn’t a clear-cut way around accepting cookies. But, there are a number of things you can do which limit how much time your privacy is invaded by cookies:

  • Look at your browser’s privacy and security settings: firstly, open up the settings menu for your browser and find the privacy and security section. Here, you’ll be able to alter your browser’s cookie policies. You can be as severe as you wish. At the same time, you don’t want to make it too difficult to access certain features on different websites.
  • Use an “Incognito” or “Private” browsing mode: the majority of modern browsers offer you the chance to browse the internet without any cookies. Therefore, when you’re surfing the web, none of your existing persistent cookies will be used, and any persistent cookies created during your time online will be deleted when you close the browser. However, it’s worth bearing in mind that none of your passwords will be saved in this mode. And each time you visit a site it’ll record it as your first ever visit, so you might not be able to see your “favorites” or features such as “recommended for you.”

Viewing and Deleting Your Browser’s Stored Cookies

The process of viewing and deleting the cookies stored by your browser is relatively easy, especially with most modern browsers. Even though this can vary with each browser, you’ll generally need to enter the privacy and security section of your browser’s settings.

Here, you should be able to locate an option which allows you to see the cookies that have been stored. As you view each of these individual cookies, you’ll be given the chance to delete any of the ones you want to permanently remove from your browser, as well as an option to delete them all if you want.

If you do get stuck trying to do this, Google has the answer to everything — simply type in “How to view cookies in [INSERT BROWSER HERE].”

Zombie Cookies

Pay close attention to zombie cookies, as these are cookies that cannot be deleted through your browser’s settings. They’re automatically recreated every time you delete them by a script that’s stored outside the memory of your browser. So, this cookie will be like a bad smell and will continue to reappear. However, this doesn’t necessarily mean they’re a malicious form of cookie; they have legitimate uses. But, because of this strange, undeletable, and somewhat questionable behavior, many privacy advocates, and security experts do disapprove of them.

If you do want to delete a zombie cookie, you’ll need a little more patience, perseverance, and savvy Googling skills, as you’ll need to find other like-minded individuals who’ve managed to get rid of this undeletable cookie. Essentially, you’ll have to work out where the cookie-recreating script is stored so you can delete this script and prevent this zombie cookie from being reborn time and time again.

Controlling Cookies Through Browsers and Devices

Thankfully, you’re online privacy and security isn’t just in the hands of web developers. You can still manage your browser’s cookie policy. All it takes is a little time to work out what cookie policy you need to reduce the risks you’re presented with when using the internet.

Creating a Cookie Control Policy for Your Browser

As we’ve already seen, managing cookies can be different depending on the browser you’re using, but we’ll show you how to manage your cookie policy through the most popular desktop browsers: Chrome, Firefox, Microsoft Edge, and Internet Explorer.

Controlling Cookies in Chrome
  1. Open your settings through the main menu, then scroll to the bottom and click “Show advanced settings…”
  2. Select “Content settings.” As a default, you’ll find the Allow local data to be set (recommended) setting has been preselected for you. This means all first- and third-party cookies are being accepted by Chrome.
  3. If you want to change this policy, there are other options you can choose from, which are:
    1. Keep local data only until you quit your browser: if you want to be able to accept cookies while you’re using the internet but want them deleting as soon as you close your browser, select this option.
    2. Block sites from setting any data: if you want to disable all cookies, select this option.
    3. Block third-party cookies and site data: if you don’t want to accept third-party cookies, select this option.
    4. Manage exception: if you want to manage the sites that have a site-specific cookie policy, click this button to be taken to a list of these websites.
Controlling Cookies in Firefox
  1. Open the “Options” section of your Firefox browser menu and then select the “Privacy” tab.
  2. In the section labeled “History,” you’ll find a drop-down menu where you can click “Use custom settings history.” This will then allow you to select from a number of options, which are:
    1. To disable all cookies, deselect the option Accept cookies from site as this will have been pre-selected as default.
    2. To block all third-party cookies, or to accept all third-party cookies (from sites you’ve visited before), you can deselect or select the option Accept third-party cookies.
    3. To manage websites who’s cookie policy is different from Firefox’s policy, click the Exceptions button.
    4. To choose how long you keep cookies for (eg, until you close the browser or the cookies expire), opt for the Keep until option.
Controlling Cookies in Microsoft Edge
  1. In the settings menu of the browser, click on “View advanced settings” which you’ll find at the bottom of the page.
  2. At the bottom of the next page you’ll find a drop-down menu for cookies, which presents you with three straightforward options, which are:
    1. Don’t block cookies (this will have been preselected by default)
    2. Block all cookies
    3. Block only third-party cookies.

The savvy among you will notice there isn’t the option to delete all cookies when you close Microsoft Edge. However, you are able to do this if you go back into the primary settings menu. At the top of the “Advanced Settings” menu you’ll notice a « button — click on this.

Next, you’ll need to choose the button that says “Choose what to clear”, which is located just below the “Clear browsing data” option. Click the option Cookies and saved website data, before selecting the option that says Always clear this when I close the browser.

Controlling Cookies in Internet Explorer

It doesn’t matter whether you’re using IE 9, 10, or 11, because cookies are all handled in the same way.

  1. Start by opening the “Internet Options” menu before selecting the “Privacy” tab and then the “Advanced” option.
  2. From this next menu you’ll be able to establish what policy you want in place for first- and third-party cookies. You can also override the current cookie policy or you can select Always allow session cookies.
  3. If you want to be able to delete cookies each time Internet Explorer is closed, you’ll just need to return to the “General” tab, before selecting the option — Delete browsing history on exit.
  4. To save and apply these changes, you’ll need to click “Apply,” which is at the bottom of the menu.

Controlling Cookies on Mobile Devices

As a native browser is included with most mobile operating systems, the process of managing cookies on mobile devices can be entirely different to that of desktop browsers. Furthermore, the mobile version of a desktop browser may not present you with as many options, which can create further complications.

To help you along the way, here’s how you can manage cookies on iOS, Android, and Blackberry mobile devices:

Controlling Cookies on an Apple iOS Device
  1. If on iOS you use Safari, you can use the “Settings” app to manage your cookie policies.
  2. Simply scroll down to select “Safari.” Once in this section, you’ll need to scroll down to the option “Block cookies.” Here, you’ll be presented with four options, which are:
    1. Always Block
    2. Allow from Current Website Only (these are first-party cookies)
    3. Allow from Websites I Visit (this allows a limited number of third-party cookies and is the default option)
    4. Always Allow.

However, if you’re using Chrome, you won’t be able to manage the cookie policy. You will, however, be able to delete them. To delete the cookies on Chrome, you’ll need to open the app and select the “Settings” option from the menu. Scroll down to “Privacy” and then to “Clear Browsing Data.” Here you can select what it is that you want to delete, so make sure you select “Site Data” and “Cookies” before selecting to “Clear Browsing Data.”

Regardless of whether you’re using Chrome or Safari, you will be given the option to browse “Incognito” or “Privately”, respectively. Simply open up a new tab using these options, making sure you close this tab when you’ve done so no cookies are stored after your browsing session has finished.

Controlling Cookies on an Android Device

A built-in browser is standard with most Android devices, however, these browsers can vary with each phone model and manufacturer. Therefore, how you manage the cookies in these browsers can vary quite a lot.

In general, you’ll need to open up the browser, and the browser’s settings menu, before locating the privacy settings. If your phone is using Chrome, you’ll be able to manage your cookie policy with ease. All you need to do is go to the menu and find “Settings”, navigating yourself to “Site Settings” before selecting “Cookies.” Here, you’ll be able to turn on or off your acceptance of cookies, deciding whether you want to Allow third-party cookies or not, while also managing the websites that are exempt from Chrome’s cookie policy.

Controlling Cookies on a Blackberry Device

You will find some of the more recent Blackberry devices are run by Android, which means managing cookies on these phones can be done using the procedure discussed in the Android section above. However, if your device is running Blackberry 10, you’ll need to do the following:

  1. Run the browser and go to its menu
  2. Choose “Settings” before clicking “Privacy and Security”
  3. Here, you’ll be able to choose whether you want to accept cookies or not, clear all cookies, and manage the exceptions of certain websites.

Understanding Cookies — A Developer’s Guide

As cookies are only text files, many wrongly believe they’ll be easy to deal with. But that’s not true.

Depending on the server that’s issuing the cookie or the cookie’s overall purpose, cookies can be used in a variety of different ways. In this section of our in-depth guide, we’ll discuss (briefly) how you can implement cookies, before delving into the legalities involved with using them.

Finally, we’ll finish with a number of resources that provide even more information on implementing cookies, and how you can utilize these in your web development role.

Implementing Cookies on a Technical Level

A cookie is created when a browser is told to create one by a web server. These instructions are normally sent in a HTTP header, looking a bit like this:

Set-Cookie: <cookie_name>=<cookie_value>

The document.cookie method through client-side JavaScript can also be used to create cookies.

Then, once a browser has created a cookie, when any requests are made by the browser for the same domain, any cookies that belong to this domain will be sent back as part of the request.

In the example above, you’ll find a “session cookie.” But you can create persistent cookies by adding the attribute “Expires” into the Set-Cookie header. You may also want to add a number of other attributes which will help you to control how cookies are treated by browsers. These include:

  • A “Secure” attribute: this tag for cookies will only be sent if the browser’s request is sent through an encrypted protocol (https).
  • A “HttpOnly” attribute: when a cookie is flagged with this attribute, it won’t be accessible to JavaScript in the webpage’s Document Object Model (DOM), and will only be transmitted back to the domain that issued it.
  • A “SameSite” attribute: this attribute makes sure cookies are only transmitted back to their originating website. The use of these cookies is relatively new.

The Legal Side of Cookies

Being aware of the directives and privacy laws involved in cookies is crucial when you’re a web developer. Ignoring the laws involved in the application of cookies could result in a steep fine, or worse.

So, when you start using cookies, here are three legal issues you’ll need to take note of first:

EU Cookie Law

Even though this started out as a directive, every country in the EU has now had to incorporate this into law. This law states that, if your website is targeting consumers in an EU country or your business is based in the EU, you must get permission from a user before you use cookies.

FTC Disclosure Requirements

Two of the primary uses of cookies are for affiliate sales and advertising through third-party tracking. However, if you’re using cookies with this in mind, the FTC states that you must make visitors aware of what you’re doing.

Privacy Policy Documents

In several countries, including the US, Australia, UK, and every country in the EU, you must let a user know what you’re using their personal data for. So, if you’re using a cookie to track their activity (eg, Google Analytics), you’re legally required to publish a privacy policy which explains what data you’re collecting and how you’re using it.

It’s not hard to comply with the laws in place for cookies, and, in most cases, you’ll only need to do the following:

  • If you’re targeting consumers in the EU or you’re based in the EU, be sure to make users aware that your site is using cookies and they accept this.
  • If you have affiliate ads placed on your site or you’re allowing paid advertisements, make sure there’s an obvious disclosure on your site that shows this information.
  • If you’re collecting any user data or you’re tracking users’ activity, include a detailed privacy policy on your website that shows what data you’re using and how it’s being used.

Complying with these three guidelines will help you to stick to the various laws that are in place. However, this isn’t legal advice, so if you do have any questions about the legal implications of cookies, you should seek professional advice from a specialist lawyer.

Resources

As promised, here’s an extensive list of resources that help you choose how you’re going to use cookies on your website. These websites and tutorials will help you decipher what information you need to create the cookies on your application or website:

Conclusion

It’s obvious cookies are integral to the internet, but along with their benefits there are also disadvantages. Even though they provide a website with features that are business critical, they also present users with a number of privacy and security issues.

However, it’s clear cookies aren’t going to be going anywhere soon because most websites are using them in one way or another. Therefore, educating yourself on how cookies work and how you can protect yourself from cookie fraud and invasion of your privacy, you can be better prepared to take advantage of them without putting yourself at any risk.