HTTP Cookies 101: What is it & How Does HTTP Cookies Work?

HTTP cookies remain one of the fundamental entities of the Internet that everyone making use of it is supposed to have at least a basic knowledge of it. This page has been written to open your eyes to the world of HTTP cookies.

Ultimate Guide to HTTP Cookies

It does not matter whether you’re a web developer, bot developer, or even a normal Internet user; the knowledge of Internet cookies is a must because cookies can’t be avoided entirely, but they have security and privacy invasion risks.

The knowledge of cookies will help web developers provide the best user experience and give the HTTP a stateful feel while making sure they are doing so within the confines of the law. On the other hand, Internet users need to be knowledgeable about technology in other to know how to deal with the risks associated with their usage.

Really, cookies have come to stay – and we are here to open your eyes to both the dark and bright sides associated with it. This article is an ultimate guide on the basics of cookies. In this write-up, you are going to be learning about what cookies are, how they work, the types of cookies, security and privacy implications of their usage, government laws guiding cookie usage, and how to delete them, among other things. At the end of this article, you should have basic knowledge of cookies.


HTTP browser cookies

Simply referred to as cookies, HTTP cookies, otherwise known as Internet cookies or even browser cookies, are small pieces of data in text format stored on a user’s computer by websites they visit via a web browser. Some things you need to take note of in the definition is that the data is in text format (maximum of 4KB), originates from websites, and is stored by a user’s browser.

For security purposes, web browsers have very limited access to read and write operations on your device – and in most cases, it requires you to provide it permission to do so. Cookies are some of the technologies your browser can save on your computer without your knowledge.

Cookies are stored in your browser folder or subfolder, and as such, you will most likely not come across it except you went digging into your browser program file. A typical cookie file is a text file containing name-value pairs. For example, let say you visit example.com, and then it drops a session cookie in your browser.

If you trace and open the file from your hard drive, you will see a name and value pair. For some cookies, they can contain other details. These files are mere text files and cannot cause any damage to your computer.

One thing you need to know is that browsers do not generate cookies on their own, nor do they know what they are meant for. Websites you visit generates cookies and hand them over to your browser to save. In turn, the same website requests them, and the browser hands them over to the website that generated them.

This means that HTTP cookies are tied to the websites that generate them. A website can only access cookies it generates and does not have access to cookies generated by other websites. This limitation is important and has created a separation of concern necessary for security. However, as you will discover later on in the article, cookies still have security risks.


How Does HTTP Cookies Work?

The HTTP protocol, which is the primary protocol for the web, is stateless. That is, every web request is a standalone request and has nothing to do with previous requests and responses that were sent and received before it. This makes it difficult for session management and remembering users’ preferences.

Cookie is an attempt to make a rather stateless technology stateful. And how it does this is very simple to understand (for users) and replicate (for web developers). Have you wondered why you only need to login once, and then you are allowed to keep surfing a site without asking for your username and password after every request?

Cookies make that happen. Let me explain how it happens. When you enter your username and password and then click the login button, a login request is sent. After a successful login, the web server generates a cookie and sends it alongside the response sent to your browser.

When your browser gets the response, it saves the cookie. When sending subsequent requests, it bundles the cookie alongside the requests. When the web server receives the request, it looks into it to see if a cookie is present. With the cookie, it remembers you as the person that just logged in and allowed you access without asking for your username and password again.


The Stateless Web and HTTP Cookies

HTTP Cookies server

As a web user, the above explanation might not make sense to you. If you have tried developing a web browser or at least an automation tool that needs to login and maintain a session, you will discover that without using a cookie, you cannot maintain a session or an authentication status.

This is because the login won’t be associated with your next request, and as such, you will be denied access. However, if you look at the response after login and copy the cookie and bundle, it will your subsequent request; you will be allowed to login. In fact, it might interest you to know that you can copy a cookie to another browser, and you will be instantly remembered by the server.

While the HTTP protocol has not been designed to remember previous activities, cookies have made that possible, and today, you can have a feel a brain at the other end (server) that knows your preferences and serve you content the way you want it without you setting things up every now and then.


Types of HTTP Cookies

It might interest you to know that there are many types of cookies you will encounter on the Internet. Some of them are persistent and remain even after exiting a browser or even shutting down your computer; others are deleted after your current session. Some are created by websites you are surfing; others are created by third-party services. Let take a look at these cookies and their usage.

  • Session Cookies

Session CookiesSession cookies are the cookies tied to your current session. They are also known as non-persistence cookies and in-memory cookies. Unlike regular cookies that are stored in your hard drive, session cookies are stored in your RAM and are usually deleted when you exit your browser.

There are 3 important things you need to remember about session cookies – they are saved in RAM, get deleted when a browser is closed, and tied only to a session. They are useful for remembering session-based settings. Even sites that do not have an authentication system make use of this type of cookie. With session cookies, you can set preferences for a color scheme. It is also good for navigation history, shopping carts, among others.

  • Persistent Cookies

Persistent Cookies

Unlike in the case of session cookies that get deleted after a browser is closed, persistent cookies remain until after the expiry date or a specific period of time. They are the regular cookies we talked about above – they get stored in your hard drive or storage space and not in RAM.

Usually, persistent cookies have an expiry date attached to them. These cookies are also known as tracking cookies as a site can use them for tracking one’s browsing behavior on its service overtime. Persistent cookies are used for authentication, tracking, and personalization.

  • First-party Cookies

First-party Cookies

First-party cookies are the cookies created by the sites you make use of. Take, for instance, if you visit Facebook on your browser and it drops a cookie in your browser, that cookie is known as a first-party cookie. These cookies are the most preferred and safe provided the site that drops them is reputable and has not been compromised.

  • Third-party Cookies

Some cookies are not dropped by the sites you visit but by partner web services. These cookies are known as third-party cookies. Take, for instance, when you visit a site with Google AdSense enabled, you do not get only cookies from the site dropped into your browser;

Google AdSense equally generates a cookie for you if you do not have one generated already. While the cookie by the site is first-party, that of Google AdSense is third-party. You could have an overwhelming number of third-party cookies you do not know of persistently saved on your hard drive.

Third-party Cookies

Google is not the only site that engages in dropping third-party cookies – other advertisement networks and tracking user tracking web services do that. Third-party cookies make tracking across the web possible. Take, for instance, many websites on the Internet have Google Ads powered by AdSense, and by visiting these sites, you are tracked and profiled, which makes it possible for better ad targeting.


Security Risks Associated with Cookies

Security Risks Associated with Cookies

From the above, you can tell that cookies are useful in the area of authentication, session management, preference setting, and even “good tracking.” However, cookies have security risks, you should be aware of in order to ensure your safety online. Let take a look at some of these security issues.

One of the weaknesses of cookies is how easily it can be stolen and used. Take, for instance, a skilled hacker that has access to your computer and copies cookies for a specific site and then uses it to login to your account and carry our actions even without knowing your user and password. Once a request has a cookie in it, many web servers assume it is coming from a legitimate source and provide access.

Even if a hacker does not have access to your computer, he can make use of Cross-Site Scripting (XSS) to steal your cookie. XSS is the process whereby hackers exploit sites that allow users to post unfiltered JavaScript to steal cookies. They code a cookie stealing script that once you interact with it, your cookie will be sent somewhere the hacker has access to, and from there, he can use it for his malicious intentions. To prevent access to cookies via JavaScript, websites make use of the HttpOnly attribute.

  • Cross-Site Request Forgery (CSRF)

csrf attack

Unlike in the case of the XSS above that your cookie is stolen and used, CSRF does not steal your cookie but exploit it and trick you into performing an action in sites you are logged in. take, for instance, let say you are logged into your bank website and immediately open a malicious website. This website can then trick you into clicking a link that will get you to transfer fund provided the session and cookie is still active.

  • Session Fixation

Session Fixation

Another form of cookie fraud that you could be a victim of is session or cookie fixation. In the above two, your cookie is being used to gain access to your account. In this one, your cookie is replaced with a different one – and as such, while you think the actions you are carrying out on the site are attached to your account, you are actually carrying out the actions on someone else account. Take, for instance, you are writing an exam online, and a not so bright student replace your cookie with his own, and as such, you end up writing his exams for him instead of yourself – and while he writes yours to hide any form of suspicion.

Aside from the above type of cookie frauds and security risks, there are many others, including cookie tossing attacks, cookie packing, proxy requests, and DNS cache poisoning, among others. You will do well to learn more about them on your own.


Privacy Invasion Concern

cookies Privacy Invasion Concern

One of the major issues associated with cookies is the invasion of privacy. Yes, the first-party cookies track your activity only on its originating sites – and that’s it. For third-party cookies, which are even regarded as tracking cookies, they follow you everywhere you go online, provided there is one of their component on the sites you visit. Let go back to the Google AdSense discussion.

If you visit 10 sites a day and each of these sites have Google AdSense, then Google AdSense knows all of the sites you visit and can profile you. There is a high probability of a privacy threat considering the fact that tracking is done across multiple domains using third-party cookies are not even aware of.

Browsers are partly responsible for this – they accept any cookie that comes their way – whether first-party cookies or third-party. However, some newer browser versions like Safari blocks third-party cookies by default.


You maybe like to read,


Law Governing the Use of Cookies

Even with the breach of privacy, not all nations and territories deem it fit to put laws in place to prevent their usage in cases that they could be used for privacy invasion. In fact, it might interest you to know that only a few countries have laws in place. Take, for instance; the US does not require any form of consent from sites to use cookies.

However, government websites in the US have had their share of backlash for using persistent cookies – and had to stop it.The most popular law governing the use of cookies is the EU’s General Data Protection Regulation (GDPR).

In this law, cookies are regarded as personal data that can be used to identify users, and as such, the consent of a user must be obtained before cookies can be saved on a user’s computer. The law, of course, binds only sites originating from the EU or has visitors from the EU.

When seeking consent, the consent must be granular as you cannot force users to either accept all cookies or reject them all – the user should be able to determine the cookies he wants and the ones he does not. In other to comply with the GDPR cookie law, I will advise you to read about it.


How to Delete Cookies

You need to disabuse your mind, cookies are not viruses, and as such, there is nothing your anti-virus software will do. Interestingly, you can always delete cookies you do not like from your system. The process varies depending on the browser you are using.

For this reason, you will have to search how to delete cookies for Chrome on Google – if the browser you are using is Chrome or exchange the Chrome keyword with a different browser name.

Conclusion

As a way of concluding this article, I need to iterate that cookies are not entirely bad as without them, the user experience will be bad. The only major issues are the security and privacy concern attached to them.

With the right approach to the use of cookies, the web can be a better place for both web developers and users. From the above, I expect you to have a basic understanding of the HTTP cookie technology.