DEV Community

Dhilip kumar

The Spooky tracker


Hey there!

Have you ever wondered,

"Damn, how does this website know what I shopped for/searched/viewed?"

Yeah, you are not alone.


"An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server."

HTTP calls are stateless. If you want to tell the server who the logged-in user is, a cookie is the preferred way to go: it gets set once and is then sent with every request. This is just one of the applications cookies were created for, but they have been used for more than just retaining the logged-in user's information.

In the above case, the cookies are set by the same domain that the user is logged in to, and these are called 1st party cookies. These are essential cookies for the website to function smoothly.

More about cookies:

  • Once set, a cookie is sent in the request header of every request to the domain that set it.
  • A cookie with the HttpOnly flag can't be read by JavaScript but still gets attached to every request.
  • Each cookie can have its own expiry. (Expiry on client)
  • It is possible to restrict whether a cookie is sent with cross-site requests with the help of the SameSite attribute (more about this later)

Enough, tell me how they track already!

Enter 3rd party cookies:

Third party cookies are cookies that are set not by the domain you are on, but by another domain. These third party cookies are responsible for providing us with the "PERSONALISED" content, aka "the spooky how does it know what I like cookie".

Let's go over a scenario:

Say you are searching for an answer to "how to centre a div". You'll notice that other 3rd party domains also bake their cookies into the browser while you are still on stackoverflow. This could be as simple as stackoverflow trying to let the user sign in with the help of a small banner with embedded login buttons provided by these other domains.

Or it might want to show some ads from these domains etc.

Now you are done looking for your answers, and you move on and fix the issue with CSS. These other third party domains now know that your CSS skill is not so great.

Just kidding, but they know that you are someone who might be interested in CSS.

Once you are done with your work, you want to surf a bit on facebook to check what your friends are up to / memes. You log yourself into facebook, and when you do so, the cookie set by facebook while you were on stackoverflow also gets attached to the request. So the fb server now says, "okay you were the one who was searching for centering the div, let me do you a favour by pitching you some of the good books/ udemy courses to read more about CSS" and voila, there you have the ads, the TARGETED, PERSONAL ads in the feed.

The same scene applies to multiple other websites that use google ads. Since the cookie was already set while you were on stackoverflow, when you go to any website which uses google ads, this cookie automatically gets sent with the requests, and when the advertisement banner loads it will be targeting your interests to gain the click.
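The ad scenario above as a small cookie-jar model, which also shows what the SameSite attribute and a "block third party cookies" setting change. This is an added example, not code from the original post; the hostnames (qa-site.example, social.example, widgets.example) and the cookie values are made up for illustration.

```javascript
// Toy browser cookie jar (added example; every hostname here is hypothetical).
// Simplifications: a "site" is the exact hostname (real browsers compare the
// registrable domain), and only embedded subresource requests are modelled.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  // Modern browsers treat a cookie without a SameSite attribute as Lax.
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: "lax", secure: false };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "samesite" && val) cookie.sameSite = val;
    else if (key === "secure") cookie.secure = true;
  }
  return cookie;
}

class Browser {
  constructor({ blockThirdParty = false } = {}) {
    this.jar = new Map(); // host -> Map(cookie name -> cookie)
    this.blockThirdParty = blockThirdParty;
  }
  // Only "SameSite=None; Secure" cookies may be stored or sent in a third-party context.
  allowed(cookie, crossSite) {
    if (!crossSite) return true;
    return !this.blockThirdParty && cookie.sameSite === "none" && cookie.secure;
  }
  // A page on pageHost loads a resource (widget, ad, pixel) from resourceHost.
  // Returns the Cookie header the browser sends, then stores any Set-Cookie reply.
  load(pageHost, resourceHost, setCookie = null) {
    const crossSite = pageHost !== resourceHost;
    const stored = this.jar.get(resourceHost) || new Map();
    const sent = [...stored.values()].filter((c) => this.allowed(c, crossSite))
      .map((c) => `${c.name}=${c.value}`).join("; ");
    if (setCookie) {
      const cookie = parseSetCookie(setCookie);
      if (this.allowed(cookie, crossSite)) stored.set(cookie.name, cookie);
      this.jar.set(resourceHost, stored);
    }
    return sent;
  }
}

// The scenario from the text: the same embedded domain is loaded from two unrelated sites.
function seenOnSecondSite(browser, setCookie) {
  browser.load("qa-site.example", "widgets.example", setCookie);
  return browser.load("social.example", "widgets.example");
}
```

Only the cookie marked SameSite=None; Secure comes back on the second site, which is what lets the embedded domain link the two visits. A first-party session cookie keeps working even with third party cookies blocked.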

You don't want this to happen?

Then please don't be in a hurry to blindly click on this "Agree" button on the annoying banner on most websites.


"The General Data Protection Regulation is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area that aim to enhance individuals' control and rights over their personal data." - Wikipedia

With the introduction of GDPR, websites had a mandate to show users why each cookie needs to be set and what purpose it serves, and also to give the user an option to opt out of the ones they don't need. So you might be tilted towards thinking,

"let me disable third party cookies in the website altogether for all websites and then I should be out of this tracking hell!"

Sure you can do that but still... you can be tracked. Find out how in my next blog.
Signing off for now.
