HTTP Cookies: What is a cookie? How it works and how to avoid danger
WebscrapingAPI on Nov 08 2022
Cookies have become an integral part of the modern internet browsing experience. They are used by over 40.9% of all websites.
They help websites distinguish your browsing activity from that of other internet users in order to offer a personalized experience. Hence, they can help sites remember your online shopping cart, web logins, and more.
Most websites are required to ask for your consent when offering cookies. Although cookies can enrich your browsing activity, they can also be a threat to your online privacy.
Cookies may contain sensitive information, such as login info, which hackers can use to access your online activities. Moreover, some cookies can track you without your consent or knowledge.
Therefore, learning about cookies and their usage is important to better protect your privacy. First, let us look at them in detail and learn about HTTP cookies.
A Brief About HTTP Cookies
HTTP cookies were based upon "magic cookies," coined from "fortune cookies." Lou Montulli repurposed magic cookies to create the HTTP cookies used today. He was a web browser programmer who created HTTP cookies in 1994.
Although the function and usage of these cookies remain the same, there are certain differences between the old cookies and the HTTP cookies we use today. Let's look at them in the following:
Magic cookies are an outdated computing term mostly used by Ubuntu programmers. They were packets of information sent back and forth without any change in the info. They were generally used for saving login information on an internal business network in a computer database system.
As mentioned earlier, Lou Montulli took inspiration from magic cookies to create HTTP cookies for web browsers. Initially, it was done to help online shopping websites fix overloaded servers and remember items in shopping carts. They are the cookies that are most prominently used today.
Similar to other cookies, HTTP cookies contain pieces of information sent to a user's web browser by the web server. Information like usernames and passwords is sent to the user with a unique ID attached to it.
The unique IDs help the web server to differentiate one user from another to help improve the browsing experience. Once the cookies are sent to the browser, they are stored on the user's computer.
Hence, the same cookies are sent to the server when the user visits the website again. This also helps the server tell if the browser has sent more than one request, and lets it remember stateful information over the stateless HTTP protocol.
Usage of HTTP Cookies
HTTP cookies have become a core part of web development, and all modern browsers support them. As a result, most web pages become useless if they are not using cookies. Information stored in cookies does not necessarily carry personal info. However, some cookies can contain personal data only if the user has consented to it.
Cookies are important for websites that require customizable themes, logins, and other advanced features. Commonly, they are used in advertising to show ads based on the user's recent online activity and preferences.
Hence, HTTP cookies are used for the following main reasons:
A session is the amount of time a user spends on a website. During the entire session, a user interacts with the website in different ways.
Some common actions include logging in and adding items to shopping carts. With the help of cookies, the user's activity and preferences are saved in the form of cookies sent by the web server.
Hence, it saves the user from logging in or adding items to shopping carts again if they accidentally close the website. The cookies will remember such information and help the user save time on repetitive tasks. Therefore, cookies help the website remember any information it should remember.
The main function of a dynamic website is to allow the user to customize the site functions according to their needs and preferences.
Some common things include customizing colors, setting the location from where the user is based, and other elements like language preference and the type of web browser used by the user.
Although most web browsers have the same functions, some browsers can display web pages a little differently from other browsers.
Hence, cookies are responsible for remembering and storing this information to help the user get a better online experience. The cookies can then tell the server about the user's preferences when they visit the site next time.
To add to the previous point, some cookies are also used for tracking users' online activity. Cookies are simple text files that contain pieces of user information to help the server learn about their interests and preferences. Hence, it allows them to modify website elements according to the user.
However, some cookies can analyze and record user behavior as and when they visit a website or if the browser makes an HTTP request. The information obtained from a user's online activity is pieced together to create an online profile of the user.
When other websites access this information, it helps them modify their elements to match the user's preferences.
Recently, Ebiquity and Usercentrics utilized the deep scanning technology of Cookiebot CMP to find that over 92% of websites used at least one tracking cookie.
Types of HTTP Cookies
HTTP cookies are available in two main types. They are known as session cookies and persistent cookies.
As the name suggests, session cookies are temporary in nature, while persistent cookies are used and accessed for longer periods. Hence, they can be better defined in the following:
- Session Cookies
As mentioned earlier, a session is defined by the amount of time spent by a user on a particular website.
Similarly, session cookies are pieces of information used and accessed only during that visit. They are stored in random access memory, not on the local hard drive.
For the most part, session cookies are only used while navigating a website, for example, when a user is exploring the website to find information or to buy products. Session cookies are automatically deleted whenever a user closes the website and the session ends.
The most common usage of session cookies is to enable third-party anonymizer plugins to work and to enable the back button to remember the state of the website. They are mainly used to maintain user privacy.
- Persistent Cookies
Unlike session cookies, persistent cookies are stored on the hard drive of the user's computer. They can stay on the system indefinitely until manually removed by the user.
However, most persistent cookies have an expiration date, after which they automatically remove themselves from the computer.
Persistent cookies are commonly used for the following reasons:
The user's login information is stored in persistent cookies. It helps the website to remember the user and prevent them from logging in again. As a result, it aims to streamline the login experience for the users.
Hence, they do not have to enter their login credentials again and again since the cookies are responsible for remembering the passwords.
Persistent cookies are responsible for tracking a user if they visit a website multiple times. It helps to remember the users' preferences and keep track of web pages and elements that users interact with during their visits.
Based on this activity, the website can recommend similar information or products to keep the user on the website.
How Do HTTP Cookies Work?
The process of creating HTTP cookies is very simple. Whenever a user sends an HTTP request to the server to access a web page, the server sends the cookies along with its reply.
The web browser accepts the response and stores the cookies either permanently or for the session duration. It depends on the type of website the user visits.
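The exchange described above can be followed in code. This is an added example, not code from the original article: it parses a server reply with Python's standard `http.cookies` module, stores the cookies the way a browser would, and shows which ones survive the end of the session. The `BrowserJar` class and the header values are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie headers carried by one server reply.
SERVER_REPLY = [
    "sid=abc123; Path=/",                    # no lifetime given: session cookie
    "theme=dark; Max-Age=2592000; Path=/",   # 30-day lifetime: persistent cookie
]


class BrowserJar:
    """Hypothetical, minimal browser-side cookie store."""

    def __init__(self):
        self.cookies = {}  # name -> (value, is_persistent)

    def store(self, set_cookie_headers):
        """Keep every cookie the server sent along with its reply."""
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                # Expires or Max-Age makes a cookie persistent; without
                # either it lives only until the session ends.
                persistent = bool(morsel["expires"] or morsel["max-age"])
                self.cookies[name] = (morsel.value, persistent)

    def kinds(self):
        return {n: "persistent" if p else "session"
                for n, (_, p) in self.cookies.items()}

    def cookie_header(self):
        """Value of the Cookie header sent back on the next request."""
        return "; ".join(f"{n}={v}" for n, (v, _) in self.cookies.items())

    def close_browser(self):
        """Ending the session drops session cookies, keeps persistent ones."""
        self.cookies = {n: c for n, c in self.cookies.items() if c[1]}


if __name__ == "__main__":
    jar = BrowserJar()
    jar.store(SERVER_REPLY)
    print("kinds:       ", jar.kinds())
    print("next request:", "Cookie: " + jar.cookie_header())
    jar.close_browser()
    print("after close: ", "Cookie: " + jar.cookie_header())
```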
However, different levels of cookies are created and sent to the user's system. These include the following:
1. First-Party Cookies
When the cookie scheme and domain match the current website, they are first-party cookies. They are the most privacy-friendly cookies and are not accessed by other websites. Therefore, they are the safest level of cookies for a user.
2. Third-Party Cookies
Alternatively, a cookie with a different scheme and domain from the web server is considered a third-party cookie. It means that the cookies provided to the user are not from the same site. These types of cookies are mostly used for tracking user behavior and advertising.
The most common example of a third-party cookie is cookies used by Google. Their advertising board, AdSense, uses third-party cookies to show products and information based on your online activities and search terms.
A website uses third-party cookies if images or other elements are stored on different web servers. By default, most browsers are set to block third-party cookies containing trackers. This is because third-party cookies are also known as tracking cookies.
Hence, they can assess a user's browsing habits and history when accessing multiple websites. Some extensions can also block third-party cookies to maintain privacy.
3. Zombie Cookies
Zombie cookies are an extension of third-party cookies stored on the hard drive for an indefinite period. They persist and reappear even after being deleted. Zombie cookies first originated from information created and stored by Adobe Flash Storage Bin.
Hence, they are also known as flash cookies and can be difficult to delete from the system. Reportedly, the "Zombie Cookie," aka Flash Cookie filings, forced Adobe Systems Inc. to stop processing flash cookies on 98% of all consumers' computing devices.
Web analytics companies generally use them to track users' browsing histories and online activities. Often, they are used to ban users from accessing a website.
Why Can HTTP Cookies Be Dangerous?
For starters, it is important to note that cookies are not malware or a virus. A cookie is a simple file that contains information about the user's browsing habits and session data.
However, a cyberattack on a computer system can expose these cookies and give the attacker access to a user's browsing session. Hence, the hackers can "replicate" the user's online activity on their system with the help of information stored in cookies.
Data and information stored in a cookie do not change throughout its lifetime. As a result, cookies can be dangerous due to the type of information they store. If a hacker gains access to this information, it can be used against the user indiscriminately.
Regulations On HTTP Cookies
By now, you must have noticed that most websites ask for your consent before creating and storing cookies on your hard drive. Hence, you can accept or reject cookies based on your preferences. Rejecting cookies does not make much of a difference to the web page.
However, it can affect your browsing experience if the web page uses elements stored in other servers, i.e., third-party cookies.
The consent prompt mentioned above is required by default due to the following regulations:
- The General Data Privacy Regulation (GDPR) in the European Union
- The ePrivacy Directive in the EU
- The California Consumer Privacy Act
All the above regulations have a global reach, and compliance is required of any website on the World Wide Web. Therefore, all websites are required to notify the users what type of cookies they use and should ask for consent before creating and storing these cookies.
They are also required to provide most of their online website experience without using cookies.
How to Identify Safe HTTP Cookies?
As mentioned earlier, first-party cookies have the same scheme and domain as the website. Hence, first-party cookies are the most secure and privacy-friendly cookies. They are used for browsing only that website and cannot be accessed by other sites.
Subsequently, always look at the domain in the address bar when visiting a website. Make sure that the site is using the HTTPS protocol.
For example, if the web page address is something like https://www.google.com/, then it is a safe site. However, if the website uses the 'HTTP' protocol, it is not secure, and third parties can access its cookies.
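The two checks above, same scheme and domain and HTTPS only, can be applied to the cookies a page actually sets. This is an added example, not part of the original article: `audit_cookies` and the sample responses are constructed, and the first-party test is simplified to an exact host match. It also checks the `Secure` attribute, because a cookie set over HTTPS without it is still sent on plain HTTP requests to the same host.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: (URL of the response that set the cookie, Set-Cookie value).
PAGE_URL = "https://shop.example/cart"
RESPONSES = [
    ("https://shop.example/login", "sid=abc123; Path=/; Secure"),
    ("https://shop.example/cart", "theme=dark; Max-Age=2592000; Path=/"),
    ("https://ads.example/pixel.gif", "uid=u-789; Max-Age=31536000; Path=/; Secure"),
    ("http://cdn.example/banner.png", "visitor=42; Path=/"),
]


def audit_cookies(page_url, responses):
    """Return {cookie name: (party, exposed_over_http)} for each cookie set."""
    page = urlsplit(page_url)
    report = {}
    for source_url, header in responses:
        source = urlsplit(source_url)
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            # The article's rule: same scheme and domain as the visited site.
            # Simplified here to an exact host match; browsers compare the
            # registrable domain using the Public Suffix List.
            same_site = (source.scheme, source.hostname) == (page.scheme, page.hostname)
            party = "first-party" if same_site else "third-party"
            # A cookie set over http://, or set over https:// without the
            # Secure attribute, is also sent on unencrypted requests.
            exposed = source.scheme != "https" or not morsel["secure"]
            report[name] = (party, exposed)
    return report


if __name__ == "__main__":
    for name, (party, exposed) in audit_cookies(PAGE_URL, RESPONSES).items():
        note = "can travel over plain HTTP" if exposed else "HTTPS only"
        print(f"{name:8} {party:12} {note}")
```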
To summarize, HTTP cookies are an important part of a seamless website experience.
They are used to remember important information like usernames and passwords to save the user from carrying out repetitive actions. They also help users browse the website according to their needs and preferences.
Always be wary of websites that use third-party cookies and do not have an 'HTTPS' protocol. Such websites can store cookies on your system that hackers or other websites can access.
Cookies now use modern APIs to store themselves on the system. Such modern APIs, known as the web storage API and indexed databases, are used for local storage. Hence, you can identify these APIs with the help of WebScrapingAPI.