A cookie is information that a website puts on a user's computer. Cookies store limited information from a web browser session on a given website that can then be retrieved in the future. They are also sometimes referred to as browser cookies, web cookies or internet cookies.
Cookies can be accessed by the browser user, the site a user is on or by a third party that might use the information for different purposes. Common use cases for cookies include session management, personalization and tracking.
Cookies first appeared in 1994 as part of the Netscape Navigator web browser. They helped the browser understand if a user had already visited a given website. Netscape developer Lou Montulli invented the initial cookie implementation. He was granted U.S. Patent No. 5,774,670A, with the description, "Persistent client state in a hypertext transfer protocol based client-server system."
Types of cookies
There are multiple types of cookies that run in modern web browsers. Different types of cookies have specific use cases to enable certain capabilities.
- HTTP cookies. This is the overall category of computer cookies used with modern web browsers to enable specific capabilities. All the cookies in this list -- except for flash cookies -- are forms of HTTP cookies.
- Session cookies. A session cookie is only persistent while the user is navigating or visiting a given website.
- Persistent cookies. Also sometimes referred to as permanent cookies, these persist for a configurable length of time or until a certain date that is set by the web server.
- First-party cookies. Also known as SameSite cookies, the cookie and information it contains is restricted to the same site on which it was set.
- Third-party cookies. These cookies are not restricted to the initial site where the cookie was created. Third-party cookies enable entities other than the original site to access them for user tracking and personalization purposes.
- Zombie cookies. This refers to a type of cookie that persists, even after the user attempts to delete it.
- Flash cookies. These are not browser or HTTP cookies but, rather, a specific type of cookie that works with Adobe Flash. With the decline in the use of Flash, these cookies are no longer widely used.
- Secure cookies. These are first- and third-party cookies that can only be sent over encrypted HTTPS connections.
Are cookies safe?
Cookies have been part of daily internet operations for decades and are generally safe. However, third-party cookies are sometimes seen as intrusive.
Third-party cookies enable entities to track user behavior in a way the user might not be aware of -- and they may infringe upon the user's privacy. Advertisers often use third-party cookies to track user activity to provide targeted ads to the user. This is a privacy concern for many who don't want to be tracked or have their browsing habits shared. Cookies that can identify users are now subject to General Data Protection Regulation and California Consumer Privacy Act regulations.
View alternatives for providing targeted advertising to internet users here.
There is also the potential for threat actors to hijack third-party cookies. This would give them access to user information and enable them to launch other attacks. These attacks include session hijacking, cross-site scripting and cross-site request forgery.
Unsecured cookies can also be a potential security risk for users and website operators. An unsecured cookie is transmitted unencrypted over HTTP to the origin website or to a third party. If the information is something simple -- such as whether the user has visited the site before -- that's a minimal risk. But some sites may use cookies to store user information -- including personally identifiable information such as authentication credentials and payment card information. If that type of information is sent unencrypted, it can be intercepted and used by a criminal. A secure cookie only enables cookie information to be sent via HTTPS and does not have the same risk.
Learn how to encrypt and secure a website using HTTPS here.
How to manage cookies
Every major web browser has a set of controls to help users configure what types of cookies to accept and delete. Cookies can be managed via user preferences.