Back to top

The indispensable source for professionals who create, implement and service technology solutions for entrepreneurs to enterprise.

In the Zone

Tech Explainer: Cookies – What they do, how they do it

Kevin Jacoby's picture

by Kevin Jacoby on 11/23/2022
Blog Category: devices

Cookies are as ever-present as they are benignly named. Nearly every website you visit attempts to store a cookie in your browser. 
 
Most cookies are safe and provide helpful functionality designed to make web browsing more accessible. For the most part, they’re a good thing.
 
But aren’t some cookies malicious? You bet. 
 
Because of cookies’ ubiquity, cybercriminals are forever attempting to use them to infiltrate our browsers and, by extension, our computers. The bad guys can hijack cookies to impersonate a user and gain unauthorized access to personal information. 
 
To keep criminals’ hands out of the cookie jar, developers now generate an HTTPOnly flag. This protects cookies against being observed by unauthorized third parties. 
 
HTTPonly cookie
 
Cookie flagged as HTTPOnly 
 
This safeguard also prevents a cookie from being sent over an unencrypted HTTP request. That’s how a cookie can be coopted by the bad guys. 
 
What are cookies, anyway?
 
Cookies—also known as HTTP cookies, browser cookies, internet cookies and web cookies—are tiny text files. They’re left in our browsers by the websites we visit. 
 
The first cookie dates back to 1994. That’s when Lou Montulli, a programmer for the now-defunct Netscape Communications, coined the name by adapting another techie term: magic cookies. That’s what Unix programmers call packets of data that a program receives and sends back unchanged.
 
Today, cookies come in 3 distinct flavors:
 
> Persistent Cookies make it easier to login to a website by storing information like your username and password. While this kind of cookie may stay in your browser for an extended period, it always comes with an expiration date.
 
> First-Party or Session Cookies exist only as long as a browser stays open. This cookie helps to keep items in a shopping cart even when the user navigates to another page. By design, this type of cookie is deleted once the browser is closed. 
 
> Third-Party Cookies are the unwanted oatmeal-raisins in the cookie jar. Commonly known as tracking cookies, they’re used by advertisers to collect data and display ads based on our browsing behavior. 
 
If you’ve ever looked at a pair of shoes online and then seen an ad for those same shoes on a different site, it’s because you were tracked across the web by a third-party cookie.
 
Helpful insights 
 
Cookies may sometimes feel invasive, but they serve a valuable purpose: helping to tailor a website’s experience to our tastes. Cookies also enhance usability by storing information such as form data, preferences and activity. 
 
For website owners, cookies also provide insights that help them to better understand their viewers. For instance, a cookie could tell a web developer the path a viewer took from the home page to the sale of a product. 
 
For developers, it can be helpful to know that a particular banner or message prompted the user to read specific information before adding a product to their shopping cart. And that’s the kind of information developers can get from cookies.
 
So how do cookies work?
 
The way a cookie works is an exercise in simplicity. When your browser requests a web page, the server sends you the page with a cookie. This tiny text file is then stored on your device’s local hard drive. 
 
In the case of persistent and third-party cookies, if and when you return to the same site, the browser will associate the cookie with its corresponding website. 
 
At that point, the website can issue instructions to your browser. Depending on the site, that might be “Fill in the username,” “Render the website in Spanish,” or “Only suggest pants with a 32-inch inseam.”
 
But this simple process became more complicated in 2002, when the European Union issued a directive called the ePrivacy Directory (EPD), commonly referred to as The Cookie Law. It gives individuals the right to refuse cookies that they believe violate their online privacy.
 
This law is also why we must all accept or deny the use of cookies whenever we call up a new website. And when you accept or customize the cookies on a given site, that action is stored—wait for it—as a cookie. Go figure.
 
How long will cookies be with us? 
 
No one knows for sure. But it seems pretty clear cookies won’t be around forever. 
 
That’s because we have a love-hate relationship with cookies. Despite their convenience, cookies are a form of data collection. And that’s something the web-browsing public tends to look askance at. 
 
We don’t like the idea of Big Tech spying on us. Even though cookies benefit both parties, something about them still feels invasive. 
 
The war against cookies has in fact begun. Web browsers including Apple’s Safari, Duck Duck Go and Brave have all but eliminated the usability of third-party cookies. That has marketers scrambling to find other ways of gaining insight into our online shopping habits.
 
Safari blocking cookies
 
Apple’s Safari browser can block both cookies and cross-site tracking
 
Google recently announced plans to start blocking cookies in its Chrome browser in 2023. As an alternative to cookies, Google plans to introduce an interest-tracking system called Topics.
 
Google says Topics will work like so: “…a user’s browser determines a handful of topics such ‘Beauty & Fitness’ or ‘Running & Walking’ that represent their top interests for the previous week based on their browsing activity. When a user visits a participating site, the API will share up to three topics—one from each of the past three weeks—with websites and their advertising partners, who can use it as one of many potential signals for interest-based advertising.” 
 
If Google successfully replaces cookies with Topics, you can bet others will follow suit. They’ll have no choice. 
 
But at least for now, Topics benefits only Google and the marketers who pay Google for advertising. If cookies go away, everyone else will need to either institute a similar feature or pay a company that already has one. 
 
That’s just the way the cookie crumbles.
 
Back to top