If you are reading this, you are probably wondering what a cookie is. First, this cookie is not edible. It is a programming term, derived from the name of the actual “edible cookie.” These are popularly known as “internet cookies” or “computer cookies.”
What is a cookie?
Cookies are small pieces of text stored in a file by your web browser. The web server of the site you are visiting creates them, so it can store your information when you visit the site for the first time. The next time you visit the same site, your browser sends the cookies back with its requests, and the web server uses them to serve you a personalized page. The web server uses your cookie information to decide which content should be served to you. Cookies may contain information such as your login details or your last saved operation.
Why is it called a cookie?
According to Wikipedia, “cookie” as a programming term was coined by a Netscape employee, Lou Montulli. He got the idea from “magic cookies,” a programming term for a packet of data that a program receives and passes on unchanged. The name “magic cookie” was in turn taken from the fortune cookie, which has a message hidden inside it.
That is how “cookie” became a programming word.
What are cookies used for?
Cookies are used to store a set of strings that is unique to every user of the site. That way, the site can keep a record of each user’s operations on it.
Cookies are used to provide a customized experience for every user. Each user gets a personalized version of the site through cookies. That way, when a user wants to log in, their username and password could be filled in automatically.
Cookies are also used to track a user’s operations on a site. Most shopping sites use cookies to track their users’ activities, so they can make recommendations based on each user’s past operations.
Cookies are used to authenticate users and determine whether they are human. Some sites analyze the cookie information in their users’ browsers when they try to log in. That way, they can confirm whether it is a bot or a human.
Cookies are used to tailor the functionality that should be rendered to a user, but they also raise user privacy concerns. You can choose whether or not to accept cookies, but refusing them limits the site’s functionality. Some websites deny you access altogether when you refuse their cookies.
Types of cookies
There are two types of cookies based on their usage: first-party cookies and third-party cookies.
First-party cookies are set by the website you are on. Unless the site you are on is a spammy one, first-party cookies are the safer kind.
Third-party cookies, on the other hand, are set by third-party sites on behalf of the primary site. These third-party sites display ads on the primary site and use cookies to track users across sites.
Security concerns about cookies
When people found out that cookies were being used to track their activities on sites, some did not accept it. Some countries have introduced laws to keep cookies in check. These laws, such as the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), require websites to obtain permission from their users before using cookies and to explain how they use them. Hence the “accept cookies” banner on many sites.
Cookies are saved in your browser, which means an attacker who gets access to your browsing data, including your cookies, could use that information to launch an attack. An attacker could inject malicious text into a cookie to grant themselves access. They could also alter a login cookie to redirect a user to a look-alike website and capture their private information.
That is why security researchers urge users to clear their browsing data and history, especially after visiting a site that could spam them.
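The cookie-tampering risk described above is normally addressed on the server side rather than by the user. The following is an added example, not code from the original post: it signs the cookie value with an HMAC so a modified login cookie is rejected, and sets the HttpOnly, Secure and SameSite attributes so page scripts cannot read the cookie and browsers do not attach it to cross-site requests. SECRET_KEY and the session value "alice" are constructed for the example.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie
from typing import Optional

# Constructed secret for this example; a real server loads it from a secret store.
SECRET_KEY = b"example-secret-key-not-for-production"


def sign_value(value: str) -> str:
    """Append an HMAC-SHA256 tag so any change to the value is detectable."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).digest()
    return f"{value}.{base64.urlsafe_b64encode(tag).decode().rstrip('=')}"


def verify_value(signed: str) -> Optional[str]:
    """Return the original value if the tag is valid, otherwise None."""
    value, sep, _tag = signed.rpartition(".")
    if not sep:
        return None
    # Recompute the tag and compare in constant time to avoid timing leaks.
    return value if hmac.compare_digest(sign_value(value), signed) else None


def build_set_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie header value with the defensive attributes set."""
    cookie = SimpleCookie()
    cookie[name] = sign_value(value)
    cookie[name]["httponly"] = True        # not readable by scripts on the page
    cookie[name]["secure"] = True          # only sent over HTTPS
    cookie[name]["samesite"] = "Strict"    # not attached to cross-site requests
    cookie[name]["path"] = "/"
    return cookie.output(header="").strip()


def read_session(cookie_header: str, name: str = "session") -> Optional[str]:
    """Parse an incoming Cookie header and return the verified session value."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if name not in cookie:
        return None
    return verify_value(cookie[name].value)


if __name__ == "__main__":
    header = build_set_cookie("session", "alice")
    print("Set-Cookie:", header)
    # A tampered login cookie fails verification and yields None.
    print(read_session("mallory." + header.split(";")[0].split(".", 1)[1]))
```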
Summary
Internet cookies were created to enhance the browsing experience of site visitors. Cookies themselves are harmless, and both reputable and non-reputable sites use them, but attackers can abuse cookies to gain unauthorized access to a site.
Always endeavour to clear your browsing data, especially if you are on a site with too many ads or a spammy site. To clear your browsing data, check out this article on how to clear your browsing data in any browser.
Top comments (18)
Two things not addressed in the article:
Web browsers have limits on the size and total number of cookies. They are not a panacea for storing vast amounts of information and, once set, are sent with every web request to a server (even for static assets like JS and CSS files). Typically the limit is around 4-8KB of data before the browser refuses to set new cookies. That can and does cause all kinds of problems in the application that expects cookie setting to work normally.
Deleting all cookies and localStorage entries is not really desirable for most users mostly because it requires digging around in the web browser settings dialog and then the user has to re-login to the websites they want to use. I've guided users through the process and it takes some hand holding to get them to the right place and delete just the cookies that need to be deleted (rather than blanket deletion of everything). It is better if tracking cookies are never set in the first place by blocking the requests to known advertising and stats servers. Extensions like uBlock Origin (ad blocker) and Ghostery (general tracker blocker which happens to block some ads too) stop originating requests without being too onerous and stopping first-party cookies from working as intended. Can someone still be tracked? Perhaps. But it is a lot harder when Google Analytics, other common analytics tools, and ad server contact attempts are being refused at the source. Ghostery even recently added automatic cookie policy dialog handling to their extension.
I see some people in the comments were tricked into viewing this Dev.to post by clicking on the header. Devs are generally more resilient than regular users. So on a related note to that aspect of this post, one of the most devious bits of advertising I run into is a site like getpaint.net whose purpose is to distribute a specific piece of software (Paint.net). If you visit getpaint.net without an ad blocker, the site will show ads that will almost certainly trick the user into starting a download of malware with a big green "Download now" button. The real download location is accessed via a simple hyperlink. I'm sure that displaying ads brings in some revenue for the author of that fairly popular software product but the method of getting a few bucks for showing some ads is being usurped by "drive by malware" authors. When providing a binary download intended to be run by the user, the number of ads delivered by a general-purpose ad platform should be ZERO. As in, no ads anywhere that could be used by bad actors to deploy malware.
This is great, maybe you can write on it and add the info.
Seems I wasn’t the only one tricked by the feature image, good one. Clicked that multiple times wondering why it wouldn’t go away.
I hate you, I clicked it
Oops sorry
Very nice and concise! Thanks for explaining this
Thank you for reading
Nice!
apt..
Thank you
nice
I got tricked :)
The featured image tricked me into clicking "Got it".
Nice article btw! Thanks for sharing.
Thank you
I have integrated AWS Cognito Identity JS into a custom UI with all sign in / forgot password / sign out functionality. But now I want to log in to the dashboard by logging in from a different domain and not from the domain where my website is hosted. I am using AWS Cognito, but because of limited resources I am not able to find a feasible solution. In the domain where I have hosted my website I am able to log in by setting all tokens in local storage, and if there is any object in local storage I am navigating my user to the dashboard. My dashboard is a protected route.
I also got tricked, and clicked "got it"