Cookie 101: A Comprehensive Guide to Browser Cookies

Webpages have no built-in memory. Without cookies, a website treats a returning user as a new visitor in every session. This is where cookies come to the rescue. A cookie is a small amount of data that hitchhikes along with a website's response when a user browses to it. The browser receives this data from the server and stores it locally as a source of memory.

Cookies collect details, from minor to major, that a user enters in form fields or generates while browsing a website. These can range from login and password to items in the shopping cart. When the same user revisits the website, the server retrieves the cookie and sends a customised version of the website, accompanied by modified cookies. Because they remember users' activity on a website, cookies are also referred to as the memory of the internet.

A cookie is also called a web cookie, browser cookie, or HTTP cookie. It was developed by Lou Montulli for an e-commerce company, MCI, so that its servers would not have to retain incomplete transaction states.

Because cookies can store personal information, their confidentiality and authenticity must be maintained consistently. Otherwise, cookies can become a security threat.

What do cookies do?

Cookies serve the purpose of personalising the website experience. For profiling purposes, a website asks users for personal information like name, email, password, contact details, etc.

Cookies bundle the provided information in the form of name-value pairs, unique to a user and the respective website. It’s important to note that no website can check the cookie created by another website.

When the user requests the same domain again, the browser exchanges the name-value pairs with the network server. The server retrieves the cookie and returns a customised website experience to the user.

What is a cookie policy?

A cookie policy can either be part of a privacy policy or be published as a stand-alone section of a website. Recent data protection regulations like the European GDPR and the Californian CCPA have made a cookie policy a legal necessity for websites. A cookie policy is a website's declaration to its visitors of what data it tracks, the purposes behind the tracking, the third parties involved, and the location to which the data is sent.

Why websites ask us to accept third-party cookies:

Website owners see their websites as a source of revenue, and by selling visitors' data to third parties, they generate revenue from ads. Accepting third-party cookies gives a site the right to sell a user’s browsing traits to a data aggregator.

What if a user does not accept cookies?

Users can either opt in to or opt out of cookies, based on their convenience. A user’s refusal of a site’s cookie consent impairs the site’s ability to work as intended. Most websites don't allow users to access their content if they do not accept the cookie policy.

How to check cookies used by a website?

Cookies used by a website can be manually accessed using browser settings.

For example, in Google Chrome,

  • Open Developer Tools by pressing F12
  • In Developer Tools, choose the Application tab
  • In the left dropdown, double-click the Cookies section

This should show the website domain (or subdomain). If there are other domains in the list, these are third parties. Instructions vary with browsers.

Alternatively, cookie scanners like CookieServe.com and Cookie-script.com are free online cookie checkers that scan a URL and present a detailed report of cookies used by a website and their purpose.

Types of Cookies

Based on their characteristics, cookies are divided into the following types:

  • Necessary & non-necessary cookies serve different purposes. Necessary cookies are the ones without which the website will not function as intended. Non-necessary cookies are additional ones that do not contribute to the functioning of the website.
  • First-party cookies enhance the site navigation experience of a user. Website owners use first-party cookies to remember user preferences like language, font, and settings, among others. First-party cookies are set by the website a user visits.
  • Third-party cookies originate from the domains of third parties that place cookies on the primary website with an intent to track visitors across sites and serve digital advertisements. Third-party cookies are mostly hosted by servers of social media sites or advertising agencies.
  • Session cookies expire with the end of a browsing session and any information put in by the user is forgotten. A website identifies a user with the help of session cookies. Session cookies are temporary cookies and serve the purpose of preventing re-login prompts within the pages of the website.
  • Persistent cookies have a relatively long life. These cookies die at their set expiration date. Persistent cookies make website navigation faster, better, and more convenient. The main purpose of persistent cookies is to remember personal information, site preferences, settings, and sign-in credentials specific to the user.
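
The session/persistent and first-/third-party distinctions above can be read straight off the Set-Cookie headers a page load produces. The following is an added example, not code from the original article; the hostnames and cookie values are constructed, and `siteOf` is a simplifying assumption that treats the last two DNS labels as the site.

```javascript
// Naive "site" = last two DNS labels (assumption; real code should use the Public Suffix List).
const siteOf = (host) => host.toLowerCase().split('.').slice(-2).join('.');

// Parse one Set-Cookie header value into a name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // not a name=value pair
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs.filter(Boolean)) {
    const i = a.indexOf('=');
    cookie.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Classify a cookie set by responseHost while the user is on pageHost.
function classify(pageHost, responseHost, header, now = Date.now()) {
  const c = parseSetCookie(header);
  if (!c) return null;
  // Max-Age wins over Expires (RFC 6265); neither present means a session cookie.
  let expiresAt = null;
  if ('max-age' in c.attrs) expiresAt = now + Number(c.attrs['max-age']) * 1000;
  else if ('expires' in c.attrs) expiresAt = Date.parse(c.attrs.expires);
  let lifetime = 'session';
  if (expiresAt !== null && !Number.isNaN(expiresAt)) {
    lifetime = expiresAt > now ? 'persistent' : 'expired';
  }
  const party = siteOf(responseHost) === siteOf(pageHost) ? 'first-party' : 'third-party';
  return { name: c.name, lifetime, party };
}

// Constructed sample: [responding host, Set-Cookie value] seen while on PAGE.
const PAGE = 'shop.example.com';
const SAMPLE = [
  ['shop.example.com', 'sid=abc123; Path=/'],
  ['www.example.com', 'lang=en; Max-Age=31536000; Path=/'],
  ['ads.tracker.example.net', 'uid=42; Expires=Wed, 21 Oct 2099 07:28:00 GMT'],
  ['shop.example.com', 'cart=; Max-Age=0'],
];
const report = () => SAMPLE.map(([host, h]) => classify(PAGE, host, h));
console.log(report());
```

A cookie with `Max-Age=0` is reported as `expired` because that is how a server tells the browser to delete it.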

Third-party cookies: the double-edged sword

Third-party cookies cut both ways. They have an ugly side and a beautiful side.

  • Beautiful Side: If the web is free, third-party cookies deserve special applause. Forget for a second their ability to track across sites and create a virtual profile of users. We should thank third-party cookies for displaying only relevant ads. If they are gone, we shall move back to times of tasteless and irrelevant advertising.
  • Ugly Side: Third-party cookies raise a huge privacy challenge for users. In the absence of cookie consent, personal data is often collected without the consent of users. Third parties make use of trackers for cross-site tracking. Trackers can rack up a user’s data collected from a single source and combine it with data from other websites for profiling or behavioural targeting. Trackers make it easy to decode a history of the websites a user has visited, for what duration, and in what order. It’s also possible to use the racked-up data to draw out browsing traits that can range from demographic information to political affiliations.

Methods of Cookie theft and hijacking

●     Network Threat

Authentication information stored in a cookie exists in a server-specific format. A network threat occurs when a hacker intercepts a cookie being shared over unencrypted channels and replays (spoofs) it to impersonate a user.

●     End-system Threat

End-system threats occur when an attacker gets access to cookies stored in a user’s local memory. Since cookies on a computer exist in clear text format, an attacker can either copy or alter the contents of the cookies to impersonate the user.

●     Cookie Harvesting

Cookie harvesting is also called cookie stuffing and cookie recycling. Cookie harvesting attacks occur when a hacker impersonates a legitimate site with the intent of harvesting cookies from the users. Once an attacker gets his hands on harvested cookies, he can insert, delete, or misattribute cookies, thereby falsifying users’ cookies generated in prior sessions.

●     CNAME Cloaking

CNAME cloaking is another privacy concern of the same calibre. It disguises third-party trackers as first-party trackers: by mapping a subdomain of the site to the tracker, it bypasses the line between first- and third-party cookies and gives the tracker control over first-party cookies.
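
A site owner or auditor can look for CNAME cloaking by following the DNS aliases of hosts that appear first-party and checking where they end up. The following is an added example, not code from the original article; the DNS records and hostnames are constructed, and `siteOf` is a simplifying assumption that treats the last two DNS labels as the site.

```javascript
// Naive "site" = last two DNS labels (assumption; real code should use the Public Suffix List).
const siteOf = (host) => host.toLowerCase().split('.').slice(-2).join('.');
const norm = (host) => host.toLowerCase().replace(/\.$/, '');

// Constructed CNAME records (alias -> target). A live audit would query DNS instead.
const CNAMES = {
  'www.example.com': 'example.com',
  'cdn.example.com': 'edge.example.com',
  'metrics.example.com': 'collect.tracker.example.net',
  'smetrics.example.com': 'alias.example.com',
  'alias.example.com': 'ingest.tracker.example.net.',
};

// Constructed list of hosts contacted while loading the page.
const REQUESTS = [
  'www.example.com', 'cdn.example.com', 'metrics.example.com',
  'smetrics.example.com', 'ads.tracker.example.net',
];

// Follow the CNAME chain to its end, bounded so a record loop cannot hang the check.
function resolveChain(host, records, maxHops = 8) {
  let cur = norm(host);
  for (let i = 0; i < maxHops && records[cur]; i++) cur = norm(records[cur]);
  return cur;
}

// Hosts that look first-party by name but are aliases for a host on another site.
function findCloaked(pageHost, requestHosts, records) {
  const site = siteOf(pageHost);
  return requestHosts
    .filter((h) => siteOf(h) === site) // same site by name, so cookies count as first-party
    .map((h) => ({ host: h, target: resolveChain(h, records) }))
    .filter((r) => siteOf(r.target) !== site); // but answered by a different site
}

console.log(findCloaked('www.example.com', REQUESTS, CNAMES));
```

The result is a list of candidates to review: a subdomain aliased to an external host may be a CDN or hosted service rather than a tracker.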

Regulatory Laws on Cookies

The Cookie Law is a piece of privacy legislation that requires websites to get consent from visitors to store or retrieve any information on a computer, smartphone or tablet. Almost all websites use cookies, which, as defined earlier in this blog, are basically little data files that store information in people’s web browsers. Some websites contain hundreds of such little files.

There are various laws governing cookies, depending upon the country. However, the main ones are from the EU GDPR and EU ePrivacy Directive as well as from the UK PECR and UK DPA 2018.

●     EU GDPR

An EU GDPR-compliant cookie policy informs visitors/users of what data the website collects, what purposes this data is used for, which third parties the data is shared with, who the provider of the cookies is, how the website stores the data and ensures its protection, and how users/visitors may access, migrate, or request rectification or erasure of their data from the website.

●     EU ePrivacy Directive

The EU ePrivacy Directive is a set of rules for data protection and privacy in the European Union. Its full official name is “Privacy and Electronics Communication Directive 2002/58/EC”.

It regulates cookie usage, email marketing, data minimization and other aspects of data privacy.

The ePrivacy Directive requires that a website obtain a user’s/visitor’s consent before storing cookies in the user’s/visitor’s browser, except for strictly necessary cookies. Users/visitors also have to be informed of the cookies' general purpose before they provide consent. This applies to both first-party cookies and third-party cookies.

Because of the ePrivacy Directive, cookie banners appear on many websites allowing users to opt in to cookie usage.

 
