Cookies, or, to give them their formal name, HTTP cookies, are small text files made up of tiny pieces of data that are stored by a web browser. Websites use these pieces of data to track a user's journey, which lets them offer features specific to each individual user. Because of this, cookies are at the heart of a website's functionality; shopping carts on e-commerce sites, for example, depend on them.
On the one hand, cookies are integral to the way the internet works; on the other, they raise genuine security and privacy concerns. By understanding how cookies work, however, both everyday users and developers can protect themselves from the negative side of these tiny pieces of data.
With this in mind, this guide provides an in-depth overview of cookies, broken down into two parts:
- Understanding Cookies — A Layman's Guide: all of the basics you need to know as an everyday internet user.
- 1 Understanding Cookies — A Layman's Guide
- 1.1 The History of Cookies
- 1.2 What Is a Cookie Made Up Of?
- 1.3 Different Types of Cookies
- 1.4 The Risks of Cookies and What You Need to Watch out For
- 1.5 Protecting Yourself Against Cookie Fraud
- 1.6 Invasion of Privacy
- 1.7 Controlling Cookies Through Browsers and Devices
- 1.7.1 Creating a Cookie Control Policy for Your Browser
- 1.7.2 Controlling Cookies on Mobile Devices
- 2 Understanding Cookies — A Developer's Guide
- 3 Conclusion
Understanding Cookies — A Layman's Guide
Having a basic understanding of HTTP cookies is essential for every internet user, whether you browse for personal use or make your living as a web developer. These basics include what purpose cookies serve and what security and privacy risks they pose. To give you a better overview, though, we thought it was worth delving into the history of cookies and where they came from, so here goes!
The History of Cookies
In 1994, Lou Montulli developed cookies for the first time. As a Netscape Communications employee, Montulli worked alongside John Giannandrea to develop cookies into a solution that would make shopping carts for e-commerce stores possible. The first practical use of cookies on the internet was to establish whether a visitor to Netscape's website had already visited it or not.
At the start, all supported browsers accepted cookies by default, which meant hardly any end users were aware of their use or presence. However, in February 1996, this changed, when their use, purpose, and existence were revealed in a piece published by The Financial Times. Over the next few years, the media placed cookies under intense scrutiny due to the privacy risks created as they tracked visitors across a website.
This resulted in the Internet Engineering Task Force (IETF) being tasked with establishing a formal cookie specification. Sharing the media's concerns, particularly about the risks of third-party cookies (also known as tracking cookies), the IETF tried to require that all third-party cookies be disallowed, or only allowed once a user had explicitly opted into them.
However, the industry-leading browser developers (e.g., Microsoft and Netscape) didn't follow these recommendations and continued to allow tracking cookies from third parties, such as online advertisers.
Today, even though the IETF's cookie specification acknowledges the use of tracking cookies and the risks they pose, it places much of the responsibility for managing this risk onto browser developers: “This document grants user agents [browsers] wide latitude to experiment with third-party cookie policies that balance the privacy and compatibility needs of their users.”
There are also other legal requirements that have come into play with regard to cookies. We'll take a look at these later in the guide.
What Is a Cookie Made Up Of?
For each specific user, a cookie associates certain bits of data with them. For example, when you go to a website, a cookie delivered by the site may identify you as “User X.” If you leave the site and return later, the site will use the cookie you've been given to identify you as the “User X” who has been on the website before.
At a minimum, cookies contain two bits of data: an identifier for a unique user and some information about this user. However, they can also contain a whole host of attributes that inform browsers what they should do with the cookie — something we'll touch on in the developer-targeted part of this guide.
A common working example of this is what's known as an authentication cookie. For example, when you log into a site, a cookie may be returned that identifies your account, confirming you've successfully logged in. Then, when you interact with this website in the future, this cookie will act as confirmation that you're a user who's logged into the site.
Different Types of Cookies
There are a number of different ways cookies can be grouped, and below we'll look at the four most common. This should add to your understanding of how they are used as well as how they work.
Session Cookies
These cookies are temporary and are only stored in your browser's memory while it's open. When the browser is closed, the cookie is removed, and because of this they pose a lower security risk. You'll often find these cookies working within e-commerce shopping carts, controlling what a user sees on a page during a one-off, multi-page visit, or for other short-term storage.
Persistent Cookies
These cookies are used over a much longer period of time, because the issuer tags them with an expiration date. This means the cookie stays on your browser even after the browser is closed. Each time you return to the website that created the cookie, or visit a website that embeds a resource produced by the cookie's issuer (e.g., an ad), the cookie's data is returned to the issuer.
Persistent cookies can, therefore, track your browsing activity not just on the original site where the cookie was created, but on any other site that embeds a resource produced by the original site. Facebook and Google, for example, use mechanisms like this to build a log of a user's activity across a range of different websites. And when you click “Remember Me” (or something similar) after logging into an online account, you're creating a persistent cookie that stores your login on your browser.
Because persistent cookies remain for longer than session cookies, and can essentially track what you're doing across more than one site, they pose a greater security risk.
First-Party Cookies
Created by the site you're visiting, first-party cookies help a website carry out a number of tasks, such as letting you add more than one item to your online order. If you disabled first-party cookies, every item you added to your shopping cart would be treated as a new order, and you'd be unable to purchase more than one item in a single transaction.
Third-Party Cookies
Created by a site other than the one you're currently visiting, third-party cookies are most commonly used to track a user who has clicked on an ad, associating them with the domain that referred them. For example, if you're on a website and click on an advertisement, a third-party cookie is generated to associate your traffic with the website where the advertisement was shown.
Even though cookies play a very important role in our browsing activities, they also pose a number of threats, especially when it comes to invasion of privacy and the security of the websites that use them.
The Risks of Cookies and What You Need to Watch out For
When you're using the web, you'll want to know what risks cookies present to you, how you can view them, and how to delete them if necessary. To start with, we'll look at the risks involved with cookies, which fall into two categories: fraud and invasion of privacy.
Although quite complex, it's worth familiarizing yourself with cookie fraud in case you come across a site that exploits users this way.
In most cases, cookie fraud is either a malicious website attacking another website by using legitimate users as a proxy, or a legitimate user's activity being tagged with a false session ID in order to game tracking systems.
Here are four common types of cookie fraud and what they involve:
Cross-Site Scripting (XSS)
Here, a user receives a cookie after visiting a malicious website. This cookie contains a script payload that targets another website, but the malicious cookie is disguised to look as though it came from the website being targeted. Therefore, when the user visits the targeted site, this fraudulent cookie (and its script payload) is sent to the targeted site's server.
Attackers may use this type of vulnerability to get past access controls such as the same-origin policy.
Session Fixation
In a session fixation attack, a user is given a malicious cookie that contains the session ID of the cookie's issuer. Then, when the innocent user logs into the targeted domain, it isn't the user's own session ID that is recorded but the issuer's. This makes it look as though the issuer is performing certain actions on the targeted domain, when it's actually the user performing them.
This type of cookie fraud allows attackers to take over valid user sessions.
Cross-Site Request Forgery Attack (CSRF)
A user receives a legitimate cookie when they visit a legitimate site. They then visit a malicious site, which instructs the user's browser to perform an action targeting the legitimate site they visited earlier. The legitimate site receives the request along with the legitimate cookie and performs the action as if it had been triggered by the legitimate user, when in fact it was initiated by the malicious site.
Cookie Tossing Attack
In a cookie tossing attack, a malicious site provides the user with a cookie designed to look as though it came from a subdomain of the targeted site, for example http://subdomain.placeholder.com. When the user then goes to the targeted site (placeholder.com), all of the cookies are sent, both the legitimate ones and the subdomain cookie. If the subdomain cookie is the one interpreted first, its data overrides the legitimate data contained in the other valid cookies.
The above examples demonstrate that, in most cases of cookie fraud, cookies are used either to perform malicious actions under a legitimate user's identity or to falsify a legitimate user's identity.
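A server-side check for the ambiguity that cookie tossing creates, added here as an illustration (this is not code from the original guide): when a request carries two cookies with the session cookie's name, the server cannot tell which scope each came from, so it refuses to treat the request as authenticated rather than letting the first copy win. The cookie name `sessionid` and the constructed request headers are assumptions.

```python
from typing import List, Optional, Tuple

# Assumed name of the site's session cookie (not from the original guide).
SESSION_COOKIE = "sessionid"


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a raw Cookie request header into (name, value) pairs, in order.

    Order matters: a browser may hold a cookie of the same name for both
    placeholder.com and subdomain.placeholder.com and sends both; a parser
    that keeps only the first (or only the last) occurrence silently picks one.
    """
    pairs = []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def select_session(header: str, name: str = SESSION_COOKIE) -> Optional[str]:
    """Return the session value only when exactly one cookie carries `name`.

    Zero copies: an anonymous request. Two or more copies: the request is
    ambiguous (the signature of cookie tossing), so it is treated as
    unauthenticated instead of trusting whichever copy happens to come first.
    """
    values = [v for n, v in parse_cookie_header(header) if n == name]
    if len(values) != 1:
        return None
    return values[0]


if __name__ == "__main__":
    # Constructed request headers for illustration.
    print(select_session("theme=dark; sessionid=legit-session"))
    print(select_session("sessionid=tossed; theme=dark; sessionid=legit-session"))
```

Naming the session cookie with the standard `__Host-` prefix (a cookie-prefix convention the guide does not cover) removes the ambiguity at the source, because browsers only accept such a cookie when it is set over HTTPS by the host itself, without a Domain attribute.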
Protecting Yourself Against Cookie Fraud
The first thing to note is that cookies aren't viruses, even when they're malicious. Because they are plain text, they cannot execute actions on your computer, which also means your antivirus software won't protect you against malicious cookies. Instead, there are a couple of things you can do to avoid becoming the next cookie fraud victim:
- Make sure your browser is up to date: many cookie exploits are designed to take advantage of security holes in outdated browsers. Today, most browsers update automatically, but if you're using a browser that's out of date, update it straight away.
- Avoid any sites you're not sure about: if you receive a warning about a site, whether from a search engine or your browser, don't go onto the site.
Invasion of Privacy
Even though cookie fraud worries many people, the greater concern is the invasion of privacy. When you think about how many websites embed a Google resource (e.g., Google Maps, Analytics, or AdSense), it isn't hard to work out how Google keeps adding to its huge record of web users' cross-site activity. In fact, many users feel Google's use of this information to serve targeted ads is a tad creepy, to say the least. More worrying still is the invasion of privacy that it represents.
It isn't just Google, of course. Many other web advertising platforms, such as Facebook, Disqus, Revcontent, and Infolinks, are trying to improve user targeting and the delivery of relevant ads by mining more and more data about each and every user.
So if you use the internet and let your browser accept cookies, your every move is being tracked.
Protecting Your Online Privacy
Unfortunately, there isn't a clear-cut way around accepting cookies. But there are a number of things you can do to limit how far cookies can intrude on your privacy:
- Look at your browser's privacy and security settings: first, open your browser's settings menu and find the privacy and security section. Here you can alter your browser's cookie policies, and you can be as strict as you wish. Bear in mind, though, that you don't want to make it too difficult to use certain features on different websites.
- Use an “Incognito” or “Private” browsing mode: most modern browsers let you browse without your existing cookies. None of your existing persistent cookies will be used while you surf, and any persistent cookies created during the session are deleted when you close the browser. Bear in mind, however, that none of your passwords will be saved in this mode, and every site you visit will treat it as your first ever visit, so you may not see your “favorites” or features such as “recommended for you.”
Viewing and Deleting Your Browser's Stored Cookies
Viewing and deleting the cookies stored by your browser is relatively easy, especially with most modern browsers. Although the exact steps vary by browser, you'll generally need to open the privacy and security section of your browser's settings.
Here, you should find an option that shows the cookies that have been stored. As you view each cookie, you'll be able to delete any you want to remove permanently, as well as delete them all at once if you prefer.
If you do get stuck trying to do this, Google has the answer to everything — simply type in “How to view cookies in [INSERT BROWSER HERE].”
Pay close attention to zombie cookies, which cannot be deleted through your browser's settings. Every time you delete one, a script stored outside your browser's cookie storage recreates it automatically, so the cookie keeps coming back like a bad smell. This doesn't necessarily mean they're malicious; they have legitimate uses. But because of this strange, undeletable, and somewhat questionable behavior, many privacy advocates and security experts disapprove of them.
If you do want to delete a zombie cookie, you'll need a little more patience, perseverance, and savvy Googling, as you'll need to find others who have managed to get rid of the same undeletable cookie. Essentially, you'll have to work out where the cookie-recreating script is stored so you can delete that script and stop the zombie cookie from being reborn time and time again.
Controlling Cookies Through Browsers and Devices
Creating a Cookie Control Policy for Your Browser
Controlling Cookies in Chrome
- Open your settings through the main menu, then scroll to the bottom and click “Show advanced settings…”
- Select “Content settings.” By default, the Allow local data to be set (recommended) option is preselected. This means Chrome accepts all first- and third-party cookies.
- If you want to change this policy, you can choose from the following options instead:
  - Keep local data only until you quit your browser: select this if you want to accept cookies while browsing but have them deleted as soon as you close your browser.
  - Block sites from setting any data: select this if you want to disable all cookies.
  - Block third-party cookies and site data: select this if you don't want to accept third-party cookies.
Controlling Cookies in Firefox
- Open the “Options” section of your Firefox browser menu and then select the “Privacy” tab.
- In the section labeled “History,” you'll find a drop-down menu where you can choose “Use custom settings for history.” This lets you select from a number of options:
  - To disable all cookies, deselect the option Accept cookies from sites, which is selected by default.
  - To block all third-party cookies, or to accept them (from sites you've visited before), deselect or select the option Accept third-party cookies.
  - To choose how long cookies are kept (e.g., until you close the browser or until they expire), use the Keep until option.
Controlling Cookies in Microsoft Edge
- In the browser's settings menu, click “View advanced settings” at the bottom of the page.
- At the bottom of the next page you'll find a drop-down menu for cookies with three straightforward options:
  - Don't block cookies (preselected by default)
  - Block all cookies
  - Block only third-party cookies
The savvy among you will notice there isn't an option to delete all cookies when you close Microsoft Edge. However, you can do this from the primary settings menu. At the top of the “Advanced Settings” menu you'll notice a back (“«”) button; click on this.
Next, choose the “Choose what to clear” button, located just below the “Clear browsing data” option. Tick Cookies and saved website data, then select Always clear this when I close the browser.
Controlling Cookies in Internet Explorer
- Start by opening the “Internet Options” menu, then select the “Privacy” tab and the “Advanced” option.
- If you want cookies deleted each time Internet Explorer is closed, return to the “General” tab and select the option Delete browsing history on exit.
- To save and apply these changes, click “Apply” at the bottom of the menu.
Controlling Cookies on Mobile Devices
Because most mobile operating systems include a native browser, managing cookies on a mobile device can be entirely different from doing so in a desktop browser. Furthermore, the mobile version of a desktop browser may not offer as many options, which complicates things further.
To help you along the way, here's how you can manage cookies on iOS, Android, and Blackberry mobile devices:
Controlling Cookies on an Apple iOS Device
- If you use Safari on iOS, you can manage your cookie policies through the “Settings” app.
- Scroll down and select “Safari,” then scroll down to the option “Block cookies.” Here you'll be presented with four options:
  - Always Block
  - Allow from Current Website Only (these are first-party cookies)
  - Allow from Websites I Visit (this allows a limited number of third-party cookies and is the default option)
  - Always Allow
Whether you're using Chrome or Safari, you'll have the option to browse in “Incognito” or “Private” mode, respectively. Simply open a new tab using one of these options, and make sure you close the tab when you're done so that no cookies are kept after your browsing session has finished.
Controlling Cookies on an Android Device
Most Android devices come with a built-in browser; however, these browsers vary by phone model and manufacturer, so how you manage cookies in them can vary quite a lot.
Controlling Cookies on a Blackberry Device
Some of the more recent Blackberry devices run Android, which means cookies on those phones can be managed using the procedure discussed in the Android section above. If your device is running Blackberry 10, however, you'll need to do the following:
- Run the browser and go to its menu
- Choose “Settings” before clicking “Privacy and Security”
- Here, you'll be able to choose whether or not to accept cookies, clear all cookies, and manage exceptions for certain websites.
Understanding Cookies — A Developer's Guide
Because cookies are only text files, many people wrongly assume they're easy to deal with. That's not the case.
Depending on the server that issues the cookie and the cookie's overall purpose, cookies can be used in a variety of different ways. In this section of the guide, we'll briefly discuss how you can implement cookies, before delving into the legal side of using them.
Finally, we'll finish with a number of resources that provide even more information on implementing cookies and how you can use them in your web development work.
Implementing Cookies on a Technical Level
A cookie is created when a web server tells a browser to create one. The instruction is normally sent in an HTTP header, looking a bit like this:
Once a browser has created a cookie, any request the browser makes to the same domain carries the cookies that belong to that domain back to the server.
The example above is a “session cookie.” You can create persistent cookies by adding the “Expires” attribute to the Set-Cookie header. You may also want to add a number of other attributes that control how browsers treat the cookie. These include:
- A “Secure” attribute: a cookie carrying this attribute is only sent when the browser's request travels over an encrypted connection (HTTPS).
- A “SameSite” attribute: this attribute ensures a cookie is only sent back with requests that originate from its own website. Browser support for it is relatively new.
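The attributes just described, put to use in an added example that is not code from the original guide: it builds a session cookie and a persistent cookie with Python's standard http.cookies module, then audits a raw Set-Cookie value for missing protections. The cookie names and the expiry date are placeholders, and HttpOnly (which keeps a cookie out of reach of page scripts) is a further standard attribute the guide does not list.

```python
from datetime import datetime, timezone
from email.utils import format_datetime
from http.cookies import SimpleCookie
from typing import Dict, List

# Placeholder cookie names and expiry used for illustration (not from the guide).
SESSION_NAME = "sessionid"
REMEMBER_NAME = "remember_me"
EXAMPLE_EXPIRY = datetime(2026, 1, 1, tzinfo=timezone.utc)


def build_session_cookie(session_id: str) -> str:
    """Set-Cookie value for a session cookie: no Expires, so the browser
    discards it when it closes. Secure, HttpOnly and SameSite are all set."""
    jar = SimpleCookie()
    jar[SESSION_NAME] = session_id
    jar[SESSION_NAME]["secure"] = True       # only sent over HTTPS
    jar[SESSION_NAME]["httponly"] = True     # not readable by page scripts
    jar[SESSION_NAME]["samesite"] = "Lax"    # withheld from cross-site POSTs
    jar[SESSION_NAME]["path"] = "/"
    return jar[SESSION_NAME].OutputString()


def build_persistent_cookie(token: str, expires: datetime) -> str:
    """Set-Cookie value for a "remember me" cookie: the Expires attribute
    (an RFC 1123 date in GMT) is what makes it persistent."""
    jar = SimpleCookie()
    jar[REMEMBER_NAME] = token
    # format_datetime raises ValueError unless `expires` is an aware UTC datetime.
    jar[REMEMBER_NAME]["expires"] = format_datetime(expires, usegmt=True)
    jar[REMEMBER_NAME]["secure"] = True
    jar[REMEMBER_NAME]["httponly"] = True
    jar[REMEMBER_NAME]["samesite"] = "Strict"
    jar[REMEMBER_NAME]["path"] = "/"
    return jar[REMEMBER_NAME].OutputString()


def audit_set_cookie(header: str) -> Dict[str, object]:
    """Inspect a raw Set-Cookie value (as a browser would receive it) and
    report whether it is persistent and which protections it lacks."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # attribute names are case-insensitive
    persistent = "expires" in attrs or "max-age" in attrs
    missing: List[str] = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
    return {"name": name, "persistent": persistent, "missing": missing}


if __name__ == "__main__":
    print(build_session_cookie("abc123"))
    print(build_persistent_cookie("tok", EXAMPLE_EXPIRY))
    # A bare cookie, as many frameworks emit by default, fails the audit.
    print(audit_set_cookie("sessionid=abc123; Path=/"))
```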
The Legal Side of Cookies
Being aware of the directives and privacy laws that apply to cookies is crucial when you're a web developer. Ignoring the laws that govern the use of cookies could result in a steep fine, or worse.
So, before you start using cookies, here are three legal issues you'll need to take note of:
EU Cookie Law
FTC Disclosure Requirements
Two of the primary uses of cookies are affiliate sales and advertising through third-party tracking. If you're using cookies for these purposes, the FTC requires that you make visitors aware of what you're doing.
Complying with the laws on cookies isn't hard; in most cases you'll only need to do the following:
- If you're based in the EU or targeting consumers in the EU, make sure users are aware that your site uses cookies and that they accept this.
- If you have affiliate ads on your site or you allow paid advertisements, make sure there is an obvious disclosure on your site showing this.
Complying with these three guidelines will help you stick to the various laws in place. However, this isn't legal advice, so if you have any questions about the legal implications of cookies, you should seek professional advice from a specialist lawyer.
- Oracle Lesson: Working with Cookies: this resource is aimed at Java developers and provides an introduction to cookies.
- JayConrod.com — How to Use HTTP Cookies in Python: if you're a Python developer, this tutorial provides a great introduction to HTTP cookies on this platform.
- The Odin Project — Sessions, Cookies, and Authentication: here you'll find a great introduction to cookies if you're a Ruby on Rails web developer.
- Microsoft.com — ASP.NET Cookies Overview: are you an ASP.NET developer? If so, this is the ultimate guide to cookies for you.
- Hongkiat — How to Use Cookie and HTML5 localStorage: this guide covers the new client-side storage options added in HTML5 alongside cookies, teaching you how to make the most of them.
- Mozilla Developer Network — HTTP Cookies: if you're working with HTTP cookies themselves, this offers a great technical introduction to them.
- W3Schools.com — PHP 5 Cookies Tutorial: learn how to create and retrieve cookies with PHP. Also: modify cookie values, delete cookies, and check if cookies are enabled in a script.
Conclusion
Cookies are clearly integral to the internet, but along with their benefits come disadvantages. Even though they provide websites with business-critical features, they also present users with a number of privacy and security issues.
It's also clear that cookies aren't going anywhere soon, because most websites use them in one way or another. By educating yourself on how cookies work and how to protect yourself from cookie fraud and invasion of your privacy, you can be better prepared to take advantage of them without putting yourself at any risk.