As much as I’d love to, we’re not here to talk about baked goods. Cookies are commonly used on websites and are an essential component of the modern-day internet. However, they can pose a risk to your privacy and personal information.
In today’s post we’re going to explore what cookies are, why websites use them, how they work in your browser, and how to mitigate risk. Let’s dig in!
Contents:
- What is a cookie?
- How do cookies work?
- Why do websites use cookies?
- What are the different types of cookies?
- Is it bad to delete internet cookies?
- Can cookies be harmful?
- What about cookie stuffing?
- When is Google ending cookie support?
What is a cookie?
In the simplest of terms, a cookie is a small piece of data that is stored on your computer or mobile device whenever you visit a website. These tiny pieces of data are stored as a text file and used to help a website remember information about you — for example, your browsing preferences or login information.
Any data that is stored in a cookie is created by the web server whenever you visit a site. It’s labeled with a unique identifier that helps the server and website know what information to serve to you.
How do cookies work?
When you visit a domain, the web server sends a cookie to your device or computer, which is then stored by your browser. Every time you visit that domain, your browser passes that same cookie back to the server to identify you. The server then delivers an experience tailored to your previous browsing history.
Why do websites use cookies?
Cookies are used by websites for a number of reasons.
- Personalization: Cookies help a website remember your personal information and provide experiences based on your preferences. For example: a website might store a cookie to remember that your preferred language is Spanish and automatically deliver Spanish content whenever you visit the domain.
- Convenience: Enabling cookies can make it easier for users to access accounts. For example, a website might store a cookie with your login information so you don’t need to enter your credentials every time you go to the site.
- Tracking: Marketers and webmasters often use cookies to track and analyze how many users navigate to different pages and interact with the domain. Often, this information is then used to enhance the website’s performance or understand user behavior.
- Targeted Ads: Cookies are often used to display ads based on browsing history. For example, if you visit a website to research an upcoming family cruise vacation, a cookie might be used to show you ads for cruise ships on other websites.
But not all cookies are created equal. Let’s examine the differences between them.
What are the different types of cookies?
There are two common types of cookies that websites use: persistent cookies and session cookies.
Persistent cookies
A persistent cookie is used for authentication and to personalize your browsing experience. These cookies contain information about sign-on credentials, settings, theme selections, and language preferences.
Remember that time when you came back to Amazon to complete your shopping and saw old items still in your cart? That’s a great example of how a website might store information about your browsing history in a persistent cookie and retrieve it for you at a later date.
Session cookies
A session cookie is created by the web server and used to store information about your browsing session. Also known as non-persistent cookies or transient cookies, these server-specific cookies are stored in a temporary memory location instead of a location on your device. Unlike persistent cookies, session cookies are deleted as soon as your session is done.
As soon as you launch a web app or website, your browsing session starts and a session cookie is created by the server. This session cookie stores details about your movements around the website and tracks user inputs. As soon as your session ends, the session cookie is removed from your device.
Is it bad to delete internet cookies?
Bad? No. But it may impact your experience when browsing a site as it may not remember your preferences.
Having said that, you do have the ability to manage and delete cookies using the guides below. I’ve organized them by browser.
Can cookies be harmful?
The data in cookies isn’t harmful in itself, and cookies can’t infect a system or website with malware. However, if the cookie data falls into the wrong hands, attackers may be able to access browsing sessions, steal personal information, or otherwise abuse your cookie data.
In some cases, attackers even use cookies to send instructions or commands to website backdoors. We actually documented a case of fake malicious cookies in which an attacker stole active cookies and hijacked the user’s session to masquerade as them. This granted the attacker access to perform any available admin actions.
Imagine stealing the keys and ID of a Brinks truck driver and walking into a jewelry store to “transport” (read “steal”) valuables. Dangerous stuff.
Having said that, most online accounts will automatically log users out after a certain inactivity period. If you’re an administrator or someone with sensitive access, I recommend logging out of sessions and clearing your cookies regularly.
And if you’re a website owner, we highly recommend frequent audit checks of your code to ensure an intrusion like this doesn’t impact your visitors.
What about cookie stuffing?
On the topic of cookies, it’s also worth mentioning cookie stuffing. This black hat technique is used by attackers to inject hidden iframes with affiliate links.
So, imagine for a moment that your website is compromised. You may (or may not) notice that an attacker is loading iframes that open webpages for Amazon or other third party services. When regular visitors see your hacked web pages, they’ll likely not realize that in the background cookies from unexpected ecommerce websites are being loaded in their browser. And if the user ends up making a purchase later on, the attackers will receive affiliate revenue from the conversion.
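A detection sketch for the hidden iframes described above, added here as an example and not taken from the original post: it scans a page's HTML and reports iframes that are both hidden and loaded from a host other than the site's own. The host names, the page markup and the list of hiding techniques checked are constructed assumptions.

```python
# Added example: find hidden third-party iframes in a page's HTML.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that hide an element or shrink it to 0 or 1 pixel.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)",
    re.I,
)

class HiddenIframeFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        # Relative src values have no hostname and count as first-party.
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        third_party = bool(host) and host != self.site_host
        hidden = (
            "hidden" in a
            or a.get("width") in ("0", "1")
            or a.get("height") in ("0", "1")
            or bool(HIDING_STYLE.search(a.get("style", "")))
        )
        if third_party and hidden:
            self.hits.append(a["src"])

def find_hidden_third_party_iframes(html, site_host):
    finder = HiddenIframeFinder(site_host)
    finder.feed(html)
    return finder.hits

# Constructed page markup using reserved example domains.
SAMPLE_PAGE = """
<iframe src="/embed/map" width="600" height="400"></iframe>
<iframe src="https://videos.example.org/player/42" width="560"></iframe>
<iframe src="https://shop.example.net/?tag=PLACEHOLDER" width="0" height="0"></iframe>
<iframe src="//store.example.com/item?ref=PLACEHOLDER" style="display:none"></iframe>
"""

if __name__ == "__main__":
    print(find_hidden_third_party_iframes(SAMPLE_PAGE, "blog.example.org"))
```

Running a check like this against rendered pages on a schedule, and comparing the result with the embeds you expect, helps surface injected iframes that visitors would not see.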
Should I allow cookies from all the websites I visit?
As mentioned before, allowing cookies can greatly improve the browsing experience on a site, especially one that you visit often. However, as data privacy remains in the spotlight, more and more sites are requesting consent to use them, especially since GDPR came into effect.
To help those struggling to capture the benefits, we have compiled a short list describing the pros and cons of cookies:
Pros
- Online shopping experience: Almost all eCommerce websites allow you to put items in a cart, leave the page, and return to resume shopping with your cart intact.
- Form submissions: Cookies can remember submitted information such as names and other fields on a form. It can save you valuable time when entering a live chat with your hosting support.
- Personalization: Cookies can also help store language and currency preferences.
- Suggested content: You can see this occur on shopping sites with a “Related Searches” feature. It relies on cookies to collect data, cross reference it with other users who have a similar profile, then make its recommendations.
- Security authentication: When entering a session, this allows web servers to know whether a user is logged in. If you don’t allow cookies, websites will never remember that you’re logged in.
Cons
- Privacy: Most browsers are set to accept cookies by default, so cookies are stored “invisibly” on your local machine every time you browse the internet. As a result, your browsing history and IP address become public knowledge.
- Local storage: These “little” website cookies are actual files stored on your hard drive. The more you visit, the more that is stored. As it builds over time, it can take up quite a bit of storage space on your computer/mobile device.
- Unauthorized data collection: Websites may sell the information collected from cookies to third parties or use it to hack into social networks or other online accounts.
When is Google ending support of third-party cookies in Chrome?
Google has announced their plan to phase out all third-party cookies for Chromium browsers by 2024.
Cookies are not the only tracking technology, however. So while banning third-party cookies is helpful, there are workarounds that are already being exploited on browsers that ban third-party cookies. A few are ultrasound beacons, Silverlight Isolated Storage, IndexedDB, pixel tags, and HTML5 Local Storage.
Conclusion
As you can see, there are definitely benefits to accepting website cookies – and a few drawbacks as well. Data privacy is a big topic within the current security landscape. So, don’t hesitate to do a regular purge of cookies from your web browsers with the guides listed above.
On that note, I think I’ll go ahead and purge the cookies from my kitchen pantry.