A cookie is a small piece of information that a particular website stores on the client's computer via a web browser. Cookies are used to personalize a user's experience on that website, and they usually contain the user's preferences and inputs. A user can customize their web browser to accept, reject or delete cookies. Cookies can be modified at the server level by using the Set-Cookie HTTP header. They can be modified at the client level by using
There are two types of cookies: first-party cookies and third-party cookies. First-party cookies, as the name says, are the cookies used by the website you are surfing to improve the user experience. Third-party cookies are the cookies used by third-party services to improve the user experience. These services are mostly advertising companies, such as Google Ads, which suggests relevant websites in its search ranking.
Cookies are not stored as code on the user's machine; they are stored as simple files, which cannot be executed. Stored cookies cannot manipulate the elements of your screen, and they cannot access your mic or webcam. The only worry about cookies is their system of allowing data (preferences) to be sent to the server without anybody noticing.
- When you turn on dark mode on YouTube, the setting is stored in the cookies and sent back via a POST request as soon as you change the color mode. After that, when you perform a subsequent GET request to the YouTube server, it returns the YouTube web page and the cookies populated with your preferences. This improves the user experience, as the user does not need to change the color mode on subsequent visits to the website.
- When you log into a website on a device, an encrypted unique token is stored in the cookie, which keeps you logged in to the website every time you open it.
- Cookies are used to store the items in the shopping cart on an e-commerce website. They improve the user experience because, when you visit the website again, you do not need to refill your cart with the items you selected in the last session.
- You (as a developer) should never store sensitive information, like login information, in cookies, as a hacker can perform XSS attacks or session hijacking attacks to retrieve the cookies, which would cause loss of privacy of the sensitive information.
- If a hacker steals your cookie on a specific website via some attack (like XSS), the attacker can use your cookie to pretend to be you on that specific website and might do harm to your privacy.
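The cookie-theft risk described in the last two points is usually reduced on the server side, in the Set-Cookie header itself. The following is an added example, not code from the original page: it audits a Set-Cookie value for the standard HttpOnly, Secure and SameSite attributes (which the page does not mention) and builds a hardened session cookie. The cookie name `session` and both sample headers are constructed for illustration.

```python
from http.cookies import SimpleCookie
import secrets

# Attributes a session cookie should carry, and the exposure when one is absent.
REQUIRED = {
    "httponly": "readable by page scripts, so an XSS payload can steal it",
    "secure": "sent over plain HTTP, so it can be captured on the network",
    "samesite": "attached to cross-site requests made by other sites",
}

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes dict)."""
    first, *rest = [part.strip() for part in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def audit_set_cookie(header_value):
    """Return the findings for one Set-Cookie value (empty list = hardened)."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = [f"{name}: missing {attr} ({why})"
                for attr, why in REQUIRED.items() if attr not in attrs]
    # SameSite=None explicitly re-enables cross-site sending, so report it too.
    if attrs.get("samesite", "").lower() == "none":
        findings.append(f"{name}: SameSite=None allows cross-site sending")
    return findings

def build_session_cookie(token):
    """Build a hardened Set-Cookie value for an opaque session token."""
    cookie = SimpleCookie()
    cookie["session"] = token  # hypothetical cookie name
    morsel = cookie["session"]
    morsel["httponly"] = True   # hidden from page scripts
    morsel["secure"] = True     # HTTPS only
    morsel["samesite"] = "Lax"  # not sent on most cross-site requests
    morsel["path"] = "/"
    return morsel.OutputString()

# Constructed sample headers: a weak one and a hardened one.
WEAK = "session=abc123; Path=/"
HARDENED = build_session_cookie(secrets.token_urlsafe(32))

if __name__ == "__main__":
    for header in (WEAK, HARDENED):
        print(header, "->", audit_set_cookie(header) or "ok")
```
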
In very rare cases, some ads might also access your camera if you allow them to, or access it directly if you have allowed the main website to access your webcam. The advertising companies would then capture your facial expressions while you watch a video ad, determine whether you were happy or sad while watching it, and use the data for marketing. This can happen in very rare cases; research on this type of technology is being done at MIT Media Labs.
Users should be given the right to opt in for first-party cookies and just opt out for the third-party ones, but this gets very complex (from a developer perspective), and it is also very difficult to present to the user.