Cookie 101: A Comprehensive Guide to Browser Cookies
Web servers have no built-in memory of who they are talking to: HTTP is stateless, so without cookies a website would treat the same visitor as a stranger on every request. Cookies are the fix. A cookie is a small piece of data that a server hands to the browser in a Set-Cookie response header; the browser stores it locally and sends it back, in a Cookie request header, with every later request to that site.
Cookies can carry whatever the site chooses to put in them, from a session identifier that ties the visit to a login, to a language preference or the contents of a shopping cart. A well-designed site stores only an opaque session ID in the cookie and keeps the sensitive state (the account, the cart, and never the password itself) on the server. When the user returns, the server reads the cookie, recognises the session and serves a personalised version of the page, often refreshing the cookie as it does so. This ability to remember a visitor's activity is why cookies are sometimes called the memory of the internet.
A cookie is also called a web cookie, browser cookie or HTTP cookie. It was created in 1994 by Lou Montulli at Netscape while building an e-commerce application for MCI, whose servers were not meant to hold the state of incomplete transactions.
Because a cookie can identify or describe a person, it has to be protected against both disclosure and tampering: its value must stay confidential in transit and at rest, and the server must be able to tell a genuine cookie from a forged or altered one. Otherwise cookies become a security liability rather than a convenience.
What do cookies do?
Cookies let a site personalise the experience. To build a profile, the site may ask the user for information such as name, email address, contact details and, at login, a password. What ends up in the cookie, however, should be an identifier for that profile, not the information itself.
The site stores its data as name-value pairs (for example sid=3f9a1c), and each cookie is scoped to the domain that set it. The browser enforces that scope: a site cannot read cookies set under another site's domain.
When the browser requests the same domain again, it attaches the matching name-value pairs in the Cookie header. The server looks up the session behind them and returns the customised page, optionally replacing the cookie with a new Set-Cookie header.
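The round trip described above, as an added example that is not part of the original article: a server mints a session ID and sends it in Set-Cookie with the Secure, HttpOnly and SameSite attributes, the browser stores only the name-value pair, and the next request's Cookie header lets the server find the session. The function names, the cookie name sid and the user alice are assumptions for illustration; everything else is Python's standard http.cookies module.

```python
# Added example, not from the article: the Set-Cookie / Cookie round trip
# modelled with Python's standard http.cookies module. Names (issue_session_cookie,
# browser_store, the 'sid' cookie, user 'alice') are assumptions for illustration.
import secrets
from http.cookies import SimpleCookie


def issue_session_cookie(server_state: dict) -> str:
    """Server side: mint a random session ID, keep the real state server-side,
    and return the Set-Cookie header value that carries only the ID."""
    sid = secrets.token_urlsafe(32)
    server_state[sid] = {"user": "alice"}          # never put this in the cookie
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["path"] = "/"
    c["sid"]["httponly"] = True    # document.cookie cannot read it
    c["sid"]["secure"] = True      # only ever sent over HTTPS
    c["sid"]["samesite"] = "Lax"   # not attached to most cross-site requests
    return c["sid"].OutputString()


def browser_store(jar: dict, set_cookie: str) -> None:
    """Browser side: parse the Set-Cookie header and remember name=value."""
    c = SimpleCookie()
    c.load(set_cookie)
    for name, morsel in c.items():
        jar[name] = morsel.value


def cookie_header(jar: dict) -> str:
    """Browser side: the Cookie request header sent on the next visit."""
    return "; ".join(f"{name}={value}" for name, value in jar.items())


def lookup_user(server_state: dict, cookie_hdr: str):
    """Server side: read the Cookie header and resolve the session, or None."""
    c = SimpleCookie()
    c.load(cookie_hdr)
    if "sid" not in c:
        return None
    return server_state.get(c["sid"].value, {}).get("user")


def round_trip():
    """Response 1 sets the cookie; request 2 presents it. Returns
    (Set-Cookie value, Cookie value, user resolved by the server)."""
    server_state, jar = {}, {}
    set_cookie = issue_session_cookie(server_state)
    browser_store(jar, set_cookie)
    hdr = cookie_header(jar)
    return set_cookie, hdr, lookup_user(server_state, hdr)


if __name__ == "__main__":
    for line in round_trip():
        print(line)
```

Note that the cookie itself contains nothing but a random identifier; everything the server knows about the user stays in server_state, so a stolen or inspected cookie reveals no personal data on its own. The three attributes are the standard mitigations for the theft scenarios discussed later on this page: Secure keeps the cookie off plain-HTTP connections, HttpOnly keeps it away from page scripts, and SameSite=Lax stops most cross-site requests from carrying it.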
Why websites ask us to accept third-party cookies:
Website owners often run their sites as a source of advertising revenue, and third-party cookies are what make that advertising targeted. Accepting third-party cookies lets the domains embedded in the page (ad networks, analytics providers, data aggregators) set and read their own cookies, which is how a user's browsing traits are collected across sites and fed into advertising profiles.
What if a user does not accept cookies?
How to check cookies used by a website?
Cookies set by a website can be inspected with the browser's developer tools.
For example, in Google Chrome,
- Open Developer Tools by pressing F12
- In Developer Tools, open the Application tab
- In the left pane, under Storage, expand the Cookies section
Each entry under Cookies is a domain that has set cookies on this page: the site's own domain (or subdomain) and, if present, the domains of third parties. Developer tools also list HttpOnly cookies, which scripts on the page cannot see through document.cookie. Menu names vary between browsers.
Alternatively, online cookie scanners such as CookieServe.com and Cookie-script.com are free checkers that crawl a URL and produce a report of the cookies a site sets and their likely purpose.
Types of Cookies
Cookies are commonly grouped as follows, according to whether the site needs them, who sets them and how long they live:
- Necessary and non-necessary cookies. Necessary (strictly necessary) cookies are the ones without which the site does not work as intended, such as the session cookie that keeps a user logged in. Non-necessary cookies add analytics, personalisation or advertising on top, and the site functions without them.
- First-party cookies are set by the domain the user is visiting. Site owners use them to remember preferences such as language, font size and other settings, which is what makes navigation feel continuous from page to page.
- Third-party cookies are set by domains other than the one in the address bar, typically ad networks or social media widgets embedded in the page. Their purpose is to recognise the same visitor across many sites and serve targeted advertisements.
- Session cookies carry no Expires or Max-Age attribute and are discarded when the browser session ends. They are the usual way a site identifies a logged-in user from page to page without prompting for a new login. Note that browsers which restore the previous session on startup may keep session cookies alive across a restart, so "session" does not always mean "short-lived".
- Persistent cookies have an explicit lifetime set by Expires or Max-Age and are deleted when it elapses. They make return visits faster and more convenient by remembering site preferences, settings and, for "remember me" logins, a long-lived login token. A persistent cookie should hold a token the server can revoke, never the user's actual credentials.
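How a browser decides between the last two kinds, as an added example rather than code from the article: the function below reads a Set-Cookie header and reports whether the cookie is a session cookie, a persistent cookie with its expiry, or an instruction to delete an existing cookie. It applies the RFC 6265 rules (Max-Age takes precedence over Expires; a non-positive Max-Age or a past Expires removes the cookie). NOW is a fixed, constructed clock so results are reproducible, and the sample headers are made up.

```python
# Added example, not from the article: classify a Set-Cookie header as a
# session cookie, a persistent cookie (with its expiry) or a deletion.
# NOW is a constructed fixed clock; the SAMPLE_HEADERS are made up.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

NOW = datetime(2026, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def classify(set_cookie: str, now: datetime = NOW):
    """Return (name, kind, expires_at) with kind in {'session', 'persistent', 'delete'}.

    RFC 6265 rules: Max-Age wins over Expires when both are present;
    Max-Age <= 0 or an Expires in the past means "remove this cookie now";
    neither attribute means the cookie lasts for the browser session only."""
    c = SimpleCookie()
    c.load(set_cookie)
    if not c:
        raise ValueError("no cookie found in header")
    name, morsel = next(iter(c.items()))
    if morsel["max-age"] != "":
        seconds = int(morsel["max-age"])
        if seconds <= 0:
            return name, "delete", None
        return name, "persistent", now + timedelta(seconds=seconds)
    if morsel["expires"] != "":
        when = parsedate_to_datetime(morsel["expires"])
        if when.tzinfo is None:          # tolerate a date with no zone
            when = when.replace(tzinfo=timezone.utc)
        if when <= now:
            return name, "delete", None
        return name, "persistent", when
    return name, "session", None


# Constructed headers a server might send.
SAMPLE_HEADERS = [
    "sid=3f9a1c; Path=/; HttpOnly; Secure; SameSite=Lax",
    "lang=en; Max-Age=2592000; Path=/",
    "promo=x; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/",
    "remember=tok123; Expires=Thu, 01 Jan 2037 00:00:00 GMT; Max-Age=60",
    "tracker=abc; Max-Age=0",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(classify(header))
```

The fourth sample is the case worth remembering: Expires says 2037 but Max-Age says 60 seconds, and the browser follows Max-Age. Sites that want a cookie gone send the last form (Max-Age=0, or an Expires in the past) rather than relying on the user to clear it.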
Third-party cookies: the double-edged sword
Third-party cookies cut both ways; they have a beautiful side and an ugly one.
- Beautiful side: if the web is free to use, third-party cookies deserve much of the credit, because advertising pays for it. Set aside for a moment their ability to track users across sites and assemble a virtual profile: they are also what makes the ads a user sees relevant. Without them, advertising would drift back to the untargeted and irrelevant.
- Ugly side: third-party cookies pose a serious privacy problem. Where no consent mechanism is in place, personal data is often collected without the user's knowledge. Third parties use trackers for cross-site tracking: a tracker can take the data collected on one site and combine it with what it observes on other sites for profiling or behavioural targeting. From that record it is easy to reconstruct which sites a user visited, for how long and in what order, and to infer browsing traits ranging from demographic information to political affiliation.
Methods of Cookie theft and hijacking
● Network Threat
Authentication information in a cookie is opaque on the wire but fully valid to the server that issued it. A network threat arises when an attacker intercepts a cookie sent over an unencrypted channel (plain HTTP, or a mixed-content request on an HTTPS site) and replays it to impersonate the user; the server cannot tell the replayed cookie from the original. The defence is to serve the site over HTTPS only and set the Secure attribute, so the browser never sends the cookie in the clear.
● End-system Threat
End-system threats arise when an attacker gains access to the cookies stored on the user's machine, whether through malware, a shared account or a script running in the page. Whatever encryption the browser applies at rest, any process running as the user can read the cookie store, so an attacker there can copy a cookie and replay it, or edit its contents to impersonate the user or change what the server believes about the session. HttpOnly keeps page scripts away from a cookie; keeping secrets out of the cookie and signing what is in it limits the damage when it is read or altered.
● Cookie Harvesting
Cookie harvesting is the collection of users' cookies by an attacker who impersonates a legitimate site, for example through a look-alike domain, or who otherwise finds a way to set cookies for it. With harvested or injected cookies the attacker can insert, delete or overwrite entries, so that the cookies the browser presents no longer match what the user's earlier sessions created. The term cookie stuffing, sometimes used as a synonym, usually refers to something else: affiliate fraud in which a site drops another merchant's affiliate cookie on a visitor who never clicked the affiliate link.
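The end-system and harvesting threats above both involve an attacker altering a cookie's contents. The usual server-side answer, shown here as an added example rather than code from the article, is to sign the cookie value with an HMAC so that an edited body no longer matches its tag. This is the pattern web frameworks use for signed cookies; SERVER_KEY is a constructed secret and the payloads are made up.

```python
# Added example, not from the article: an HMAC-signed cookie value, the pattern
# web frameworks use so that a cookie altered on the client is rejected by the
# server. SERVER_KEY is a constructed secret; the payloads are made up.
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)   # lives only on the server, rotated like any secret


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload: dict, key: bytes = SERVER_KEY) -> str:
    """Encode the payload and append an HMAC-SHA256 tag: '<body>.<tag>'."""
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_cookie(value: str, key: bytes = SERVER_KEY):
    """Return the payload if the tag is valid, otherwise None.
    Anything malformed is treated exactly like a bad signature."""
    try:
        body, tag = value.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):   # constant-time compare
            return None
        return json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None


def tamper_demo():
    """Genuine cookie accepted; the same tag glued onto an edited body rejected;
    junk rejected. Returns the three verify results."""
    genuine = sign_cookie({"user": "alice", "role": "user"})
    _, tag = genuine.split(".", 1)
    edited_body = _b64(json.dumps({"role": "admin", "user": "alice"},
                                  separators=(",", ":"), sort_keys=True).encode())
    forged = f"{edited_body}.{tag}"
    return verify_cookie(genuine), verify_cookie(forged), verify_cookie("not-a-signed-cookie")


if __name__ == "__main__":
    print(tamper_demo())
```

Two caveats belong with this. A signature gives integrity, not secrecy: the body is only base64, so anyone holding the cookie can read it, which is why personal data should stay on the server. And a validly signed cookie can still be replayed by whoever steals it, so the Secure and HttpOnly attributes and server-side expiry or revocation are still needed.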
● CNAME Cloaking
CNAME cloaking is a privacy concern of the same calibre. The site creates a subdomain of its own (say metrics.example.com) and points it, through a DNS CNAME record, at a tracker's server. Because the hostname sits under the site's domain, the browser treats the tracker's cookies as first-party, which blurs the line between first- and third-party cookies and lets the tracker read any first-party cookies scoped to the parent domain.
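A check for the pattern just described, added here as an example and not taken from the article: follow each subdomain's CNAME chain and flag the ones whose final target lies outside the site's own registrable domain. CNAME_RECORDS is a constructed stand-in for real DNS lookups, the hostnames are made up under the reserved .example TLD, and registrable_domain() is a deliberate simplification of the Public Suffix List logic that real tooling uses.

```python
# Added example, not from the article: flag subdomains of a site whose CNAME
# chain ends outside the site's own registrable domain, the footprint of CNAME
# cloaking. CNAME_RECORDS is a constructed stand-in for real DNS lookups, and
# registrable_domain() is a deliberate simplification: real tooling consults the
# Public Suffix List so that names like example.co.uk are handled correctly.
CNAME_RECORDS = {
    "metrics.example.com": "c1a2b3.tracker.example",       # cloaked tracker
    "c1a2b3.tracker.example": "edge.tracker.example",
    "www.example.com": "example.com",                      # ordinary alias
    "static.example.com": "assets.cdn-provider.example",   # CDN, not a tracker
}


def registrable_domain(host: str) -> str:
    """Last two labels of the name (simplified, see note above)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def resolve_chain(host: str, records: dict, limit: int = 8) -> list:
    """Follow CNAMEs from host until a name with no CNAME, or the hop limit."""
    chain = [host]
    while host in records and len(chain) <= limit:
        host = records[host]
        chain.append(host)
    return chain


def find_cloaked(site: str, hosts: list, records: dict = CNAME_RECORDS) -> dict:
    """Map each host whose CNAME chain leaves the site's domain to its final target."""
    own = registrable_domain(site)
    findings = {}
    for host in hosts:
        final = resolve_chain(host, records)[-1]
        if registrable_domain(final) != own:
            findings[host] = final
    return findings


if __name__ == "__main__":
    site_hosts = [h for h in CNAME_RECORDS if h.endswith(".example.com")]
    for host, target in find_cloaked("example.com", site_hosts).items():
        print(f"{host} -> {target}")
```

The output is a list of candidates, not verdicts: static.example.com is flagged too, and a CDN alias is a perfectly normal reason for a CNAME to leave the domain. The follow-up is to look at which of the flagged hosts set or read cookies and who operates the target.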
Regulatory Laws on Cookies
Various laws govern cookies depending on the country. The main ones are the EU GDPR and the EU ePrivacy Directive, and in the UK the PECR and the Data Protection Act 2018.
● EU GDPR
● EU ePrivacy Directive
The EU ePrivacy Directive is a set of rules on data protection and privacy in the European Union. Its full official name is the "Privacy and Electronic Communications Directive 2002/58/EC".
It regulates cookie usage, email marketing, data minimisation and other aspects of data privacy.
The ePrivacy Directive requires that a website obtain the visitor's consent before storing cookies in the visitor's browser, except for strictly necessary cookies. Visitors also have to be informed of the cookies' general purpose before they give consent. This applies to both first-party and third-party cookies.
This is why cookie banners appear on many websites, letting users opt in to cookie usage.