
Ezinne Anne😎👩🏿‍💻

Posted on • Originally published at Medium

What is a cookie, and what are they used for?

If you are reading this, you are probably wondering what a cookie is. First, this cookie is not edible. It is a programming term borrowed from the name of the edible cookie, and it is also commonly called an “internet cookie” or “computer cookie.”

[Image: a cookie notice, the text that informs visitors to a site about cookies]

What is a cookie?

Cookies are small pieces of text stored in a file by your web browser. The web server of the site you are visiting creates them, so it can store information about you the first time you visit. The next time you visit the same site, your browser sends the cookies back and the web server uses them to serve you a personalized page. The web server relies on the cookie information to decide which content should be served to you. Cookies may contain information such as a login session or your last saved operation.

Why is it called a cookie?

According to Wikipedia, “cookie” as a programming word was coined by a Netscape employee, Lou Montulli. He got the idea from “magic cookies,” a programming term for a small piece of data passed between programs and handed back unchanged. The name “magic cookie” in turn came from the fortune cookie, which carries a message inside it.

That was how “cookie” became a programming word.

What are cookies used for?

  • Cookies are used to store a set of strings that are unique to every user on the site. That way, they can record their operations on the site.

  • Cookies are used to provide a customized experience for every user, so each person sees a personalized version of the site. That way, when a user wants to log in, their username and password could pop up.

  • Cookies are also used to track a user’s operations on a site. Most shopping sites use cookies that can track their users’ activities on their sites. So they make recommendations based on their users’ past operations.

  • Cookies are used to authenticate users and determine if they are humans. Some sites analyze the cookie information on their users’ browsers when they want to log in. That way, they can confirm if it’s a bot or a human.

  • Cookies are used to tailor the specific functionality that should be rendered to a user, but they also affect user privacy. You can choose to accept cookies or not, but refusing them would limit the site’s functionality. Some websites deny you access when you refuse to accept their cookies.

Types of cookies

There are two types of cookies based on their usage: first-party cookies and third-party cookies.

First-party cookies are cookies set by the website you are on. Unless the site you are on is a spammy site, first-party cookies are the safer of the two.

Third-party cookies are cookies set by other sites on behalf of the primary site. These third-party sites display ads on the primary site and use cookies to track users across sites.

Security concerns about cookies

When people found out that cookies were being used to track their activities across sites, some did not accept it. Some countries have introduced laws to keep cookies in check. Laws such as the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) require websites to obtain permission from their users before using cookies and to provide information on how they use these cookies. Hence the “accept cookies” prompt on many sites.

Cookies are saved in your browser, which means an attacker who can access your browsing data, including your cookies, could use that information to launch an attack. An attacker could inject malicious text to grant themselves access, or inject different text into a login cookie to redirect a user to a look-alike website and get access to their private information.

That is why security researchers always urge users to clear their browsing data and history, especially when they are on a site that could spam them.
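To make the mechanism above concrete, here is an added example (not code from the original post): it builds the Set-Cookie header a server sends, parses the Cookie header a browser returns, and audits a cookie for the attributes that limit the exposure described in the security section. Function names are my own and the cookie values are constructed.

```python
"""Build, parse and audit HTTP cookies (stdlib only, Python 3.9+)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class SetCookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute name -> value or True


def build_session_cookie(name="session", value=None, hardened=True) -> str:
    """Return a Set-Cookie header value for a session cookie.
    hardened=False reproduces the weak form: no Secure/HttpOnly/SameSite, so
    any script on the page can read it and it is also sent over plain HTTP."""
    value = value or secrets.token_urlsafe(32)  # random, unguessable session id
    parts = [f"{name}={value}", "Path=/"]
    if hardened:
        parts += ["Secure", "HttpOnly", "SameSite=Lax", "Max-Age=3600"]
    return "; ".join(parts)


def parse_set_cookie(header: str) -> SetCookie:
    """Parse 'name=value; Attr; Attr=val' (attribute names are case-insensitive)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for item in rest:
        if item:
            k, sep, v = item.partition("=")
            attrs[k.strip().lower()] = v.strip() if sep else True
    return SetCookie(name, value, attrs)


def parse_cookie_header(header: str) -> dict:
    """Parse the request-side 'Cookie: a=1; b=2' header the browser sends back."""
    cookies = {}
    for item in header.split(";"):
        k, sep, v = item.strip().partition("=")
        if sep and k:
            cookies[k] = v
    return cookies


def audit(header: str) -> list:
    """Return the weaknesses a reviewer would flag in a Set-Cookie header."""
    c = parse_set_cookie(header)
    findings = []
    if "secure" not in c.attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in c.attrs:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    if str(c.attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie rides along on cross-site requests")
    return findings
```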

Summary

Internet cookies were created to enhance the browsing experience of site visitors. Cookies themselves are harmless, and both reputable and non-reputable sites use them. Attackers, however, can misuse cookies to gain unauthorized access to a site.

Always endeavour to clear your browsing data, especially if you are on a site with too many ads or a spammy site. To clear your browsing data, check out this article on how to clear your browsing data in any browser.

Top comments (18)

cubiclesocial

Two things not addressed in the article:

  1. Web browsers have limits on the size and total number of cookies. They are not a panacea for storing vast amounts of information and, once set, are sent with every web request to a server (even for static assets like JS and CSS files). Typically the limit is around 4-8KB of data before the browser refuses to set new cookies. That can and does cause all kinds of problems in the application that expects cookie setting to work normally.

  2. Deleting all cookies and localStorage entries is not really desirable for most users mostly because it requires digging around in the web browser settings dialog and then the user has to re-login to the websites they want to use. I've guided users through the process and it takes some hand holding to get them to the right place and delete just the cookies that need to be deleted (rather than blanket deletion of everything). It is better if tracking cookies are never set in the first place by blocking the requests to known advertising and stats servers. Extensions like uBlock Origin (ad blocker) and Ghostery (general tracker blocker which happens to block some ads too) stop originating requests without being too onerous and stopping first-party cookies from working as intended. Can someone still be tracked? Perhaps. But it is a lot harder when Google Analytics, other common analytics tools, and ad server contact attempts are being refused at the source. Ghostery even recently added automatic cookie policy dialog handling to their extension.

I see some people in the comments were tricked into viewing this Dev.to post by clicking on the header. Devs are generally more resilient than regular users. So on a related note to that aspect of this post, one of the most devious bits of advertising I run into is a site like getpaint.net whose purpose is to distribute a specific piece of software (Paint.net). If you visit getpaint.net without an ad blocker, the site will show ads that will almost certainly trick the user into starting a download of malware with a big green "Download now" button. The real download location is accessed via a simple hyperlink. I'm sure that displaying ads brings in some revenue for the author of that fairly popular software product but the method of getting a few bucks for showing some ads is being usurped by "drive by malware" authors. When providing a binary download intended to be run by the user, the number of ads delivered by a general-purpose ad platform should be ZERO. As in, no ads anywhere that could be used by bad actors to deploy malware.

Ezinne Anne😎👩🏿‍💻

This is great, maybe you can write on it and add the info.

Kim Hallberg

Seems I wasn’t the only one tricked by the feature image, good one. 👍 Clicked that multiple times wondering why it wouldn’t go away. 😂

Ezinne Anne😎👩🏿‍💻

😂🌚

NEKIO 💙

i hate you, i clicked it

Ezinne Anne😎👩🏿‍💻

Oops sorry

Divine Orji

Very nice and concise! Thanks for explaining this

Ezinne Anne😎👩🏿‍💻

Thank you for reading

Dhruv Joshi

Nice!

sunriseonuoha

apt..

Ezinne Anne😎👩🏿‍💻

Thank you

Suharxxxx

nice

Kayode

I got tricked :)
The featured image tricked me into clicking "Got it".

Nice article btw! Thanks for sharing.

Ezinne Anne😎👩🏿‍💻

Thank you

Mohammad Altaf Bazaz

I have integrated AWS Cognito Identity JS into a custom UI with all sign in / forgot password / sign out functionality. But now I want to log in to the dashboard by logging in from a different domain and not from the domain where my website is hosted. I am using AWS Cognito, but because of limited resources I am not able to find a feasible solution. On the domain where I have hosted my website I am able to log in by setting all tokens in local storage, and if there is any object in local storage I navigate my user to the dashboard. My dashboard is a protected route.

Moazam Ali

I was also tricked, and clicked "got it" 😂

Michael Hungbo

🤣

Moazam Ali

Thanks for the knowledge, but I have a question.

Can we restrict websites from creating cookies of our data by using the Brave browser instead of the Chrome browser?