
You’ll have heard the word cookie being bandied about. You spend a seemingly endless time clicking your way past cookie banners and warnings every time you load a (legally compliant) web page. Technical support will occasionally ask you to clear your cookies …
… but what the bloody hell are cookies?
What are Cookies?
Cookies are small text files sent from a website to your computer and stored there. This can happen as you load a page or, via on-page scripting, when you interact with the site. By default, this happens in the background; you are not alerted to the cookie being set.
Cookies are not tiny: each can hold 4096 standard Latin text characters, so one could contain a very short essay.
Why Are Cookies Needed?
Tim Berners-Lee and his pals devised the Internet to broadcast information, not enable interaction. On its own, an HTML page is ‘stateless’. Like the pages of a newspaper, a vanilla web page knows nothing about the pages visited before or the previous activity of the viewer.
It’s still amazing compared with what went before, but it was very limited.
Once set, the cookie lasts longer than a single page load, and because the cookie can be read by the website, the cookie enables a web page to ‘recognise’ the web browser and adapt accordingly.
“Hi Simon!” … the Internet comes alive. Once you have cookies, you can log in, add products to baskets, list favourites, and so much more …
Use Cases for Cookies
- E-commerce: Cookies remember items in a shopping cart, user login sessions, and personalise the shopping experience based on past behaviour.
- Personalisation: Websites use cookies to remember user preferences, such as language settings, themes, and layout preferences, enhancing the overall user experience.
- Analytics: Websites employ cookies to track user interactions, providing insights into user behaviour, website performance, and to optimise the user experience.
- Advertising: Third-party cookies track user behaviour across multiple sites to serve targeted advertisements based on browsing history and preferences.
Who Invented Web Cookies?
The concept of web cookies was first developed in 1994 by Lou Montulli, a programmer at Netscape Communications. Montulli’s invention enabled websites to track user sessions without overloading servers, computers or the internet itself. It is worth noting that all of these were smaller and far less robust devices than they are now.
The Pitfalls of a Cookie – Part 1
Once invented, the uptake in the use of cookies was rapid. As is often the case with rapid adoption, poor implementations were mixed with good and all sorts of confidential information was stored in them. This was a period when the internet was extremely leaky: SSLs had barely been heard of, anti-virus protection was patchily applied and Windows was wildly insecure. To a knowledgeable hacker, stealing data and logging in was a relatively easy prospect.
As these concerns grew, practices did improve. Server-side technologies improved and it became much more straightforward to retrieve session information based on a unique, quasi-random string (if it must be unique, it cannot be random). This way, the website can set a single cookie containing an anonymous string (also known as a token). The website can then record, against this session cookie, all the data required to run an interactive user session.
What’s So Clever About a Session Cookie?
Firstly, as stated above, a session cookie contains nothing that means anything to anyone else. The cookie cannot be used to retrieve data from any device other than the one that issued the cookie. No confidential or identifiable data is stored anywhere other than the web server itself.
Because it is only meaningful to the issuing server, a session cookie cannot be used as a tracking cookie.
Session cookies are just that. As their name implies, a session cookie expires once a given device stops interacting with the server.
Computers are much better now; Windows and macOS are very secure. Use of secure networks is becoming almost universal. It is much harder to steal the contents of a cookie now and, even if you could, the temporary nature of session cookies makes them far less useful.
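The session-cookie pattern described above, as an added sketch that is not code from the original article: the cookie carries only an opaque token, while the data and the idle timeout live on the server. The cookie name sid, the 15-minute timeout and the in-memory store are assumptions made for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60   # assumed idle limit, in seconds
_sessions = {}           # token -> {"data": dict, "last_seen": float}; server side only


def start_session(now=None):
    """Create a server-side session; return (token, Set-Cookie header value)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)     # 32 bytes from the OS random source
    _sessions[token] = {"data": {}, "last_seen": now}
    cookie = SimpleCookie()
    cookie["sid"] = token                 # "sid" is an assumed cookie name
    cookie["sid"]["path"] = "/"
    cookie["sid"]["httponly"] = True      # hidden from on-page scripts
    cookie["sid"]["secure"] = True        # only sent over HTTPS
    cookie["sid"]["samesite"] = "Lax"     # withheld from most cross-site requests
    # No Expires/Max-Age, so the browser discards the cookie when it closes.
    return token, cookie["sid"].OutputString()


def load_session(cookie_header, now=None):
    """Return the session data for a request's Cookie header, or None."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "sid" not in jar:
        return None
    token = jar["sid"].value
    entry = _sessions.get(token)
    if entry is None:
        return None                       # unknown or made-up token
    if now - entry["last_seen"] > IDLE_TIMEOUT:
        del _sessions[token]              # idle too long: forget it on the server
        return None
    entry["last_seen"] = now              # activity keeps the session alive
    return entry["data"]


if __name__ == "__main__":
    token, header = start_session()
    print("Set-Cookie:", header)
    print(load_session("sid=" + token))
```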
The Pitfalls of a Cookie – Part 2
As the sophistication of servers and client-side scripting has grown (exponentially), the information a cookie can track has become almost unlimited. Rather than a short essay, there is no realistic limit to the data a server can store.
Privacy concerns are at the forefront of the debate surrounding cookies. Since they can track users’ browsing habits, cookies can be used to compile long-term records of individuals’ browsing histories, raising significant privacy issues.
In recent years, GDPR and similar legislation has meant that website owners must seek consent before tracking a user’s behaviour. However, the debates about internet privacy and the ethics of data collection have not gone away.
Security is another concern. Cookies can be exploited for malicious purposes; session hijacking can still happen and third-party cookies can still be used for cross-site scripting attacks. These vulnerabilities can compromise user security, making it crucial for both users and developers to manage cookies carefully.
First-Party vs. Third-Party Cookies: A Distinct Difference
Understanding the distinction between first and third-party cookies is key to navigating the complexities of online privacy and security. First-party cookies are created and placed by the website you are visiting directly. These cookies are generally considered safer and are often used to enhance user experience by remembering login details, language preferences, and other personalisation settings.
In contrast, third-party cookies are created by domains other than the one you are visiting directly, often through third-party advertisements or widgets embedded in the website. These cookies are primarily used for cross-site tracking, retargeting and ad-serving purposes.
Third-party cookies are the focal point of privacy concerns.
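The first-party versus third-party distinction, as an added example that is not part of the original article: the label depends on which domain set the cookie relative to the page being visited, not on anything inside the cookie. The URLs and cookie values are constructed samples, and site_of is a deliberately simplified assumption (browsers use the Public Suffix List).

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def site_of(host):
    # Simplification (assumption): the "site" is the last two labels of the host.
    # Browsers use the Public Suffix List, so this is wrong for e.g. co.uk names.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_cookies(page_url, responses):
    """Label each cookie set while loading page_url.

    responses: (request_url, Set-Cookie header value) pairs.
    """
    page_site = site_of(urlsplit(page_url).hostname)
    report = []
    for request_url, set_cookie in responses:
        host = urlsplit(request_url).hostname
        jar = SimpleCookie()
        jar.load(set_cookie)
        for name, morsel in jar.items():
            report.append({
                "name": name,
                "set_by": host,
                "party": "first" if site_of(host) == page_site else "third",
                # Max-Age or Expires means the cookie outlives the browser session.
                "persistent": bool(morsel["max-age"] or morsel["expires"]),
                "samesite": morsel["samesite"] or "(unset)",
            })
    return report


# Constructed sample: one page load on a fictional shop with an embedded ad widget.
PAGE = "https://www.shop.example/basket"
RESPONSES = [
    ("https://www.shop.example/basket", "sid=k3J9x; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("https://static.shop.example/theme.css", "theme=dark; Max-Age=2592000; Path=/"),
    ("https://tracker.adnetwork.example/pixel.gif", "uid=a81f; Max-Age=31536000; Secure; SameSite=None"),
]

if __name__ == "__main__":
    for row in classify_cookies(PAGE, RESPONSES):
        print(row)
```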
Conclusion
Cookies, from their inception to their current use, play a critical role in the functionality of the web.
They enhance user experience by making web browsing more efficient and personalised. However, the use of cookies, especially third-party ones, has raised significant privacy and security concerns.
The distinction between first and third-party cookies is crucial in understanding the broader implications of cookie use on privacy and internet security. As the digital landscape evolves, so too does the conversation around cookies, privacy, and the ethical use of personal data.