HTTP Cookies: Fact Vs Fiction

Browser cookies are one of those technical bits of the internet that almost everyone has some awareness of. They’re also probably one of the most misunderstood aspects of browsing. Today we’re here to clear up the confusion.

When it comes to browser cookies, most users have a lot of misconceptions about what they do. Here’s a closer look at exactly what a browser cookie is, what it isn’t, and what it’s really used for.

What Are Cookies Anyway?

Cookies are nothing more than tiny bits of text stored on your PC by your web browser, containing information set by websites such as your session token, user preferences, or anything else that the website needs to keep track of you from one request to the next. Once the website has asked your browser to set the cookie, the next time your browser opens a new request to the server – clicking a link to a page, adding an item to your cart, or even loading an image – your browser will send that cookie back to the website that set the cookie.

The reason cookies exist is that the underlying HTTP protocol is stateless – each request from your browser is completely separate from the next one, so the server needs a way to keep track of which request belongs to which visitor. By storing a small bit of information in a cookie, the website can determine that your page view belongs to your user account.

There are two “categories” of cookies: first-party and third-party. (Although there’s actually no technical difference between the two.) First-party cookies are those cookies that belong to sites you actually visited in your browser, while third-party cookies, also known as tracking cookies, are generated by JavaScript included on the page – generally from third-party advertising websites.

Myth: Cookies Spy On You and Track Everything You Are Doing

As we’ve already learned, the contents of cookies are set by the website that you visited, so there’s no way that cookies are going to contain personal information unless you’ve already given that information to the site.

Most cookies are as simple as a session token, but sometimes they contain your login credentials, usually encrypted or hashed in some format – but since cookies are only sent back to the same site that originated them, even if cookies contained personal information, it is not going to be shared with every site you visit.

Myth: Cookies Are Viruses or Spyware and Create Spam and Popups

Cookies are nothing more than text files and could not be executed even if you tracked down the hidden folder they are usually located in, but a surprising number of people believe that cookies contain viruses or spyware. The reason for this, other than misconceptions fuelled by clueless TV writers, is probably that most anti-spyware applications catch tracking cookies when you do a scan. Why? Cookies can be used by advertising websites to track the sites you visit (assuming the sites are using the same advertising network – see more below), so most anti-spyware applications help you remove them.

The other myth is that cookies are responsible for spam and create pop-up advertisements. While it’s true that an advertiser can use cookies to track which pop-up ads you’ve seen, the cookies have nothing to do with the advertisement in the first place.

Fact: Spyware and Viruses Can Read Your Cookies, but So What?

Another common misconception is that cookies are bad because if you have a virus or spyware infection, they can read your cookies to find out more information about you. This concept is not only overly paranoid, but completely illogical to boot – if your PC is already infected with a virus, you are pretty much totally screwed, since it has complete control over your computer and your information at that point. You’re better off spending your energy learning about the best ways to keep your PC secure.

Fact: Cookies Are Required for Logging Into Most Sites

The vast majority of websites require cookies to be enabled in order to create an account and keep yourself logged in, so if you disable cookies in your browser, a large portion of the web is going to be broken. There are some exceptions, of course – you’ll probably notice that many shopping websites embed the session token into the URL, but it’s not something that most sites are going to implement. These cookies are considered first-party cookies, because they are set by the website you purposely visited.

Fact: Cookies are Used by Advertisers to Track Sites You Visit

Because cookies are always sent back to the site that originated them, an advertiser’s cookie will be sent back to them from every website you visit that is also using that same advertiser. This allows the advertiser to track the sites you visit, and send targeted advertising based on the types of sites that you visit.

This does not mean that advertisers can read the cookies from the website you are visiting – they can only read their own cookies, but because the advertising JavaScript is embedded in the page, they will know the URL you are visiting. These cookies are considered third-party cookies, because they are not set by the actual page you are visiting, and they can generally be blocked without causing any serious problems.
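The send-back rule from "What Are Cookies Anyway?" and the advertiser tracking described above can be traced in a small simulation. This is an added example, not code from the original article; the hostnames, cookie names and the `Browser`/`AdServer` classes are constructed for illustration, and cookies are matched on exact host only, ignoring the Domain and Path rules real browsers apply.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

class Browser:
    """Toy browser with one cookie jar per host (constructed for illustration)."""
    def __init__(self):
        self.jar = {}  # host -> {cookie name: value}

    def request(self, url, server, referer=None):
        host = urlsplit(url).hostname
        # Only cookies that this same host set earlier go out with the request.
        sent = dict(self.jar.get(host, {}))
        set_cookie = server(sent, referer)  # server may answer with Set-Cookie
        if set_cookie:
            parsed = SimpleCookie()
            parsed.load(set_cookie)
            self.jar.setdefault(host, {}).update(
                {name: morsel.value for name, morsel in parsed.items()})
        return sent

def shop_server(cookies, referer):
    # First-party site: issues a session token once, then recognises it.
    return None if "session" in cookies else "session=shop-token-1; Path=/"

def news_server(cookies, referer):
    return None  # sets no cookie of its own

class AdServer:
    """Hypothetical advertiser embedded on both sites."""
    def __init__(self):
        self.profiles = {}      # visitor id -> pages that embedded the ad
        self.seen_cookies = []  # every cookie set the browser sent us

    def __call__(self, cookies, referer):
        self.seen_cookies.append(cookies)
        visitor = cookies.get("uid") or "visitor-%d" % (len(self.profiles) + 1)
        self.profiles.setdefault(visitor, []).append(referer)
        return None if "uid" in cookies else "uid=%s; Path=/" % visitor

def simulate():
    browser, ads = Browser(), AdServer()
    pages = [("https://shop.example/cart", shop_server),
             ("https://news.example/story", news_server)]
    for page, first_party in pages:
        browser.request(page, first_party)
        # The page embeds the advertiser's script, so the browser fetches it
        # and the Referer header tells the advertiser which page asked.
        browser.request("https://ads.example/tag.js", ads, referer=page)
    return browser.jar, ads
```

The advertiser never receives the shop's `session` cookie, yet its own `uid` cookie links both page visits into one profile.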

If this type of tracking keeps you up at night, consider that an advertiser can already track the sites you visit based on a combination of your IP address, browser version, location and any number of other factors — so getting rid of the tracking cookies only eliminates a small piece of the puzzle when it comes to tracking your behaviour online. There are also only a few advertisers big enough to really track you across the majority of websites — and one has to assume Google already knows everything else you’re doing online.

Fact: Deleting or Blocking Cookies Can Cause More Annoying Ads

If you’ve ever visited a website that sometimes, but not always, prevents you from reading the article until you click through an interstitial advertisement that takes over the entire page — you might wonder what logic dictates who sees the ads and when.

Here’s how it works: Interstitial ads pay websites very lucrative rates to allow them to take over the entire page, but since most website owners know that they are annoying, they are usually rate-limited so they aren’t seen too often by the same person. Once you’ve seen the ad a single time, the advertiser sets a cookie on your PC to make certain that you don’t see the same annoying ad again for a while. If you are deleting your cookies on a regular basis, you’re probably also seeing a lot more of these interstitial ads than everybody else. That is, of course, if you don’t have an ad blocker installed.

Fact: Disabling Cookies Doesn’t Matter If You Have Flash Enabled

As we’ve already pointed out in our guide to browsing without leaving a trace, even if you are blocking cookies in your browser, advertisers are using Flash cookies to keep track of what you’re browsing online. In fact, more than half of the most popular websites are using Flash tracking cookies.

Still Want to Block Cookies? Try Blocking Third Party Cookies Only

If you are still worried about cookies for privacy reasons, you can set up your browser to only accept first-party cookies, so you’ll still be able to log in to all the websites that you visit. Chrome has its own instructions page here. For Firefox, just head into the Options panel, switch to the Privacy tab, and uncheck the Accept third-party cookies box. If that causes you any problems, you can keep the option checked, but change the “Keep until” setting to remove the cookies once you close Firefox. Other browsers have similar settings; just head into the options to find them.

Do you clear your cookies religiously, or do you just use a private browsing mode? Share your thoughts in the comments.