What Are HTTP Cookies
Using HTTP cookies – MDN Web Docs
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to a user’s web browser. The browser may store the cookie and send it back to the same server with later requests.
Typically, an HTTP cookie is used to tell if two requests come from the same browser—keeping a user logged in, for example. It remembers stateful information for the stateless HTTP protocol.
Cookies are mainly used for three purposes:
Logins, shopping carts, game scores, or anything else the server should remember
User preferences, themes, and other settings
Recording and analyzing user behavior
Cookies were once used for general client-side storage. While this made sense when they were the only way to store data on the client, modern storage APIs are now recommended. Cookies are sent with every request, so they can worsen performance (especially for mobile data connections). Modern APIs for client storage are the Web Storage API (localStorage and sessionStorage) and IndexedDB.
Note: To see stored cookies (and other storage that a web page can use), you can enable the Storage Inspector in Developer Tools and select Cookies from the storage tree.
Creating cookies
After receiving an HTTP request, a server can send one or more Set-Cookie headers with the response. The browser usually stores the cookie and sends it with requests made to the same server inside a Cookie HTTP header. You can specify an expiration date or time period after which the cookie shouldn’t be sent. You can also set additional restrictions to a specific domain and path to limit where the cookie is sent. For details about the header attributes mentioned below, refer to the Set-Cookie reference article.
Set-Cookie and Cookie headers
The Set-Cookie HTTP response header sends cookies from the server to the user agent. A simple cookie is set like this:
Set-Cookie: <cookie-name>=<cookie-value>
This instructs the server sending headers to tell the client to store a pair of cookies:
HTTP/2.0 200 OK
Set-Cookie: yummy_cookie=choco
Set-Cookie: tasty_cookie=strawberry
Then, with every subsequent request to the server, the browser sends all previously stored cookies back to the server using the Cookie header.
GET / HTTP/2.0
Host:
Cookie: yummy_cookie=choco; tasty_cookie=strawberry
Define the lifetime of a cookie
The lifetime of a cookie can be defined in two ways:
Session cookies are deleted when the current session ends. The browser defines when the “current session” ends, and some browsers use session restoring when restarting. This can cause session cookies to last indefinitely.
Permanent cookies are deleted at a date specified by the Expires attribute, or after a period of time specified by the Max-Age attribute.
Set-Cookie: id=a3fWa; Expires=Thu, 31 Oct 2021 07:28:00 GMT;
Note: When you set an Expires date and time, they’re relative to the client the cookie is being set on, not the server.
If your site authenticates users, it should regenerate and resend session cookies, even ones that already exist, whenever a user authenticates. This approach helps prevent session fixation attacks, where a third party can reuse a user’s session.
Restrict access to cookies
You can ensure that cookies are sent securely and aren’t accessed by unintended parties or scripts in one of two ways: with the Secure attribute and the HttpOnly attribute.
Here’s an example:
Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly
Define where cookies are sent
The Domain and Path attributes define the scope of a cookie: what URLs the cookies should be sent to.
The Domain attribute specifies which hosts can receive a cookie. If unspecified, the attribute defaults to the same host that set the cookie, excluding subdomains. If Domain is specified, then subdomains are always included. Therefore, specifying Domain is less restrictive than omitting it. However, it can be helpful when subdomains need to share information about a user.
For example, if you set, cookies are available on subdomains like
The Path attribute indicates a URL path that must exist in the requested URL in order to send the Cookie header. The %x2F (“/”) character is considered a directory separator, and subdirectories match as well.
For example, if you set Path=/docs, these request paths match:
But these request paths don’t:
The SameSite attribute lets servers specify whether/when cookies are sent with cross-site requests (where Site is defined by the registrable domain). This provides some protection against cross-site request forgery attacks (CSRF). It takes three possible values: Strict, Lax, and None.
With Strict, the cookie is only sent to the site where it originated. Lax is similar, except that cookies are sent when the user navigates to the cookie’s origin site, for example by following a link from an external site. None specifies that cookies are sent on both originating and cross-site requests, but only in secure contexts (i.e., if SameSite=None then the Secure attribute must also be set). If no SameSite attribute is set, the cookie is treated as Lax.
Set-Cookie: mykey=myvalue; SameSite=Strict
Note: The standard related to SameSite recently changed (MDN documents the new behavior above). See the cookies Browser compatibility table for information about how the attribute is handled in specific browser versions:
SameSite=Lax is the new default if SameSite isn’t specified. Previously, cookies were sent for all requests by default.
Cookies with SameSite=None must now also specify the Secure attribute (they require a secure context).
Because of the design of the cookie mechanism, a server can’t confirm that a cookie was set from a secure origin or even tell where a cookie was originally set.
A vulnerable application on a subdomain can set a cookie with the Domain attribute, which gives access to that cookie on all other subdomains. This mechanism can be abused in a session fixation attack. See session fixation for primary mitigation methods.
As a defense-in-depth measure, however, you can use cookie prefixes to assert specific facts about the cookie. Two prefixes are available:
__Host-: If a cookie name has this prefix, it’s accepted in a Set-Cookie header only if it’s also marked with the Secure attribute, was sent from a secure origin, does not include a Domain attribute, and has the Path attribute set to /. This way, these cookies can be seen as “domain-locked”.
__Secure-: If a cookie name has this prefix, it’s accepted in a Set-Cookie header only if it’s marked with the Secure attribute and was sent from a secure origin. This is weaker than the __Host- prefix.
The browser will reject cookies with these prefixes that don’t comply with their restrictions. Note that this ensures that subdomain-created cookies with prefixes are either confined to the subdomain or ignored completely. As the application server only checks for a specific cookie name when determining if the user is authenticated or a CSRF token is correct, this effectively acts as a defense measure against session fixation.
Note: On the application server, the web application must check for the full cookie name including the prefix. User agents do not strip the prefix from the cookie before sending it in a request’s Cookie header.
For more information about cookie prefixes and the current state of browser support, see the Prefixes section of the Set-Cookie reference article.
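The following is an added example, not MDN’s code: a small model of how a user agent decides whether to store a Set-Cookie header (the Secure, SameSite and __Host-/__Secure- prefix rules above) and which stored cookies it attaches to a later request (the Domain, Path, Secure and SameSite scoping rules, producing the Cookie header shown in the Set-Cookie and Cookie headers section). Hostnames such as example.test and the cookie values are constructed; when Path is omitted the model assumes /, whereas browsers derive a default path from the request URL.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # host the cookie is scoped to
    host_only: bool   # True when Domain was omitted (subdomains excluded)
    path: str
    secure: bool
    http_only: bool
    same_site: str    # "Strict", "Lax" or "None"


def parse_set_cookie(header: str):
    """Split 'name=value; Attr=val; Flag' into name, value and a dict of attributes."""
    pair, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = pair.partition("=")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key:
            attributes[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attributes


def accept_cookie(header: str, origin_url: str) -> Optional[Cookie]:
    """Model the browser's decision to store a Set-Cookie header; None means rejected."""
    origin = urlsplit(origin_url)
    secure_origin = origin.scheme == "https"
    name, value, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    same_site = (attrs.get("samesite") or "Lax").capitalize()  # unspecified -> Lax
    if same_site == "None" and not secure:
        return None  # SameSite=None requires Secure
    if name.startswith("__Host-"):
        # __Host-: Secure, set from a secure origin, no Domain attribute, Path=/
        if not (secure and secure_origin and "domain" not in attrs and attrs.get("path") == "/"):
            return None
    elif name.startswith("__Secure-") and not (secure and secure_origin):
        return None
    domain = attrs.get("domain", "").lstrip(".").lower() or origin.hostname.lower()
    # Simplification (assumption): an omitted Path is treated as "/"
    return Cookie(name, value, domain, "domain" not in attrs, attrs.get("path") or "/",
                  secure, "httponly" in attrs, same_site)


def domain_matches(request_host: str, cookie: Cookie) -> bool:
    if cookie.host_only:
        return request_host == cookie.domain
    return request_host == cookie.domain or request_host.endswith("." + cookie.domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """'/docs' matches '/docs', '/docs/' and '/docs/Web/', but not '/docsets'."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_header(jar, request_url: str, cross_site: bool = False,
                  top_level_navigation: bool = False) -> str:
    """Build the Cookie request header a browser would attach to request_url."""
    req = urlsplit(request_url)
    host = (req.hostname or "").lower()
    sent = []
    for c in jar:
        if c.secure and req.scheme != "https":
            continue  # Secure cookies travel over HTTPS only
        if not domain_matches(host, c) or not path_matches(req.path or "/", c.path):
            continue
        if cross_site and (c.same_site == "Strict" or
                           (c.same_site == "Lax" and not top_level_navigation)):
            continue  # Strict: never cross-site; Lax: only on navigation to the site
        sent.append(f"{c.name}={c.value}")
    return "; ".join(sent)
```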
Cookies can also be created and read from JavaScript through the Document.cookie property (cookies marked HttpOnly are not exposed there):
document.cookie = "yummy_cookie=choco";
document.cookie = "tasty_cookie=strawberry";
console.log(document.cookie);
// logs "yummy_cookie=choco; tasty_cookie=strawberry"
Ways to mitigate attacks involving cookies:
Cookies that are used for sensitive information (such as indicating authentication) should have a short lifetime, with the SameSite attribute set to Strict or Lax (see SameSite attribute, above). In browsers that support SameSite, this ensures that the authentication cookie isn’t sent with cross-site requests. This would make the request effectively unauthenticated to the application server.
Tracking and privacy
Third-party cookies
A cookie is associated with a domain. If this domain is the same as the domain of the page you’re on, the cookie is called a first-party cookie. If the domain is different, it’s a third-party cookie. While the server hosting a web page sets first-party cookies, the page may contain images or other components stored on servers in other domains (for example, ad banners) that may set third-party cookies. These are mainly used for advertising and tracking across the web. For example, see the types of cookies used by Google.
A third-party server can create a profile of a user’s browsing history and habits based on cookies sent to it by the same browser when accessing multiple sites. Firefox, by default, blocks third-party cookies that are known to contain trackers. Third-party cookies (or just tracking cookies) may also be blocked by other browser settings or extensions. Cookie blocking can cause some third-party components (such as social media widgets) not to function as intended.
The General Data Privacy Regulation (GDPR) in the European Union
The ePrivacy Directive in the EU
The California Consumer Privacy Act
These regulations have global reach. They apply to any site on the World Wide Web that users from these jurisdictions access (the EU and California, with the caveat that California’s law applies only to entities with gross revenue over 25 million USD, among
These regulations include requirements such as:
Allowing users to opt out of receiving some or all cookies.
Allowing users to use the bulk of your service without receiving cookies.
There are some techniques designed to recreate cookies after they’re deleted. These are known as “zombie” cookies. These techniques violate the principles of user privacy and user control, may violate data privacy regulations, and could expose a website using them to legal liability.
See also
Inspecting cookies using the Storage Inspector
Cookie specification: RFC 6265
HTTP cookie on Wikipedia
Cookies, the GDPR, and the ePrivacy Directive
What is a Cookie? How it works and ways to stay safe
What Are Cookies? The Good And The Bad Of Browser Cookies
It’s all quite alarming.
Here’s what you need to know: While cookies can compromise your presumption of digital privacy in unnerving ways, they can’t infect your system with viruses or other kinds of malware.
What are cookies for, anyway?
Cookies – you can refer to them as browser cookies, HTTP cookies, web cookies, computer cookies, or even their original name, “magic cookies” – were invented to address a fundamental weakness in the computer language that browsers and websites use to communicate with each other.
The language is HTTP, the hypertext transfer protocol. The weakness is statelessness.
Statelessness is essential to the way the web works. When you request a web page, the communication lasts just a fraction of a second. Your browser transmits the request to the web server’s address and the web server transmits the page to your address. Then you are disconnected. With internet cookies or without them, the wired and wireless digital paths that supported the data transfer are now free for other users and websites. It’s just how the system works.
Statelessness is great for supporting millions of users on data transmission lines and for websites that are serving up pages to hundreds or thousands of people at once.
A stateless system works like a vending machine. The machine doesn’t know who you are, how long you’ve been standing there, or whether you’ve bought something before. It simply accepts your money and gives you a product in return. That’s the internet without browser cookies.
There’s a problem with statelessness. Suppose you log on to a website. The home page directs you to another page on the site. You click, and…hey, wait a minute. How does the new page know who you are? How does it know you’re logged on? In a stateless system, the new page should require you to log in again.
You have experienced the power of cookies.
In 1994, a software engineer at Netscape proposed a way of solving the second log-on problem and adding state to the internet. A programmer of solid nerd credentials, Lou Montulli referred to the little data packets in his proposal as “magic cookies,” and they’ve been known as cookies ever since.
In 1997, Montulli’s web cookies were adopted by the Internet Engineering Task Force, an international open standards body that operates under the authority of the Internet Society. The current version of the standard is embodied in IETF RFC 6265, the specification for a cookie-based “HTTP state-management mechanism.”
Cookies let Netscape’s early websites know if a user had visited the site before. That information lets the site present different information to new users and repeat visitors.
Montulli was already thinking about shopping sites. Without cookies, there would be no way to transfer the list of products you want to the check-out page. Montulli proposed that the list be stored in text files on your PC – cookies – until you made a purchase and the list could be deleted.
Without cookie data, every visit to Amazon would require you to keep pen and paper handy so you could write down the website’s code numbers for the books you want. Then you’d have to type the code numbers into the check-out page. Make one typo and you’ll get a cookbook instead of the biography you wanted.
Cookie information makes shopping websites substantially easier to use. But digital cookies aren’t programs. They’re just little bits of text, usually encrypted, that browsers store on your PC or mobile device. They don’t contain your user name or your email address or your passwords. They’re just codes that mean “this user is logged in” or “The Autobiography of Malcolm X.”
Montulli’s eCommerce use case convinced the world that web cookies were a good idea. They’ve been widely used ever since.
If you visit your local newspaper’s website, the front page may dim headlines to gray for articles after you read them. The next time you visit the site, you’ll see at a glance which articles you’ve read and which await you. How’d they do that? Cookies.
You visit a video streaming site and it’s using the night interface theme you like – white text against a black background instead of old-fashioned black on white. How do they know to use that theme when you come back to the site days later? Internet cookies.
The first time you visit a news media website, a pop-up on your internet browser asks whether you would like to receive headlines in your email once a day. You answer yes or no, and the next time you visit the site, there’s no pop-up. How’d they do that? Cookies.
Those are the kinds of everyday tasks Montulli’s magic cookies do. It’s no wonder they are common on websites large and small. They have become an essential part of the web.
Web cookies don’t spread viruses or malware. They can’t read documents or other information from your hard drive. They don’t know and don’t contain your passwords, your email address, or any other personal information. And they can’t control your computer in any way: They can’t send emails or post on social media or erase data.
Flavors of cookies
The first cookies were session cookies that established whether you were logged in. Browsers store these simple cookies on the user’s PC, and they’re invisibly added to every request you send to the website. Session cookies let you navigate from page to page at a website without logging in every time you load a new page. These browser cookies are erased when you log out or automatically after a specific time period.
Session cookies were soon joined by persistent cookies. These cookies are useful for setting user preferences. For example, you may prefer that your video streaming site use a particular color scheme – white text on a black background, say, instead of the default black on white. When you set this preference, the site instructs your browser to store your preference in a cookie on your PC or mobile device. The site loads the cookie the next time you visit and applies the color scheme – even before you log on.
Every browser stores web cookies in a different way. Netscape Navigator stored cookies in a simple text file called “”. Most modern browsers store cookies in SQLite databases, with certain data encrypted by default. Since every cookie is stored on a local device using a particular browser, it is not possible to synchronize settings – like the color theme of your video streaming site – across multiple PCs or browsers automatically using cookies. If your site syncs up such settings across multiple devices or browsers, then it is not using cookie data to store those settings.
This limitation is leading web developers and computer scientists to think about alternatives to cookies.
Consider the example of a news page that turns headlines gray for each story you’ve read. That’s great on your laptop at home. But if you access the site later from your smartphone or from a PC at your office, none of the headlines will be gray. The influence of cookies is limited to a single browser on a single device. You can’t store the same cookie data on multiple devices. Cookies can’t be read by multiple browsers. If you want to maintain state across multiple browsers or devices, then you’ve got to store state data on the server, not on the user’s PC.
You could think of this data as server-side cookies, but computer scientists call them “sessions” – a term that seems designed to be confusing. Sessions are growing in popularity because more and more people regularly use multiple devices to access the web. Sessions can’t entirely replace cookies, but they’re a great solution in many cases.
What about those creepy cookies?
There’s one more kind of cookies on your computer that you ought to know about. These are the cookies that upset privacy advocates. They’re known as third-party cookies or marketing cookies or tracking cookies.
The idea is simple enough. If you’re an advertiser and you’ve paid to display your ad at a particular website on a per-view basis, you and the site both want to know how many times you ad has been viewed.
With third-party cookies, the advertisement includes code that places a cookie on your computer. The cookie identifies the advertiser, the website, and you. Your identity is an encrypted code that the advertiser can’t read. But it does identify you uniquely.
When you see the same ad at a different site, the browser cookie is updated to indicate that you have seen the ad once more. And the site is added to the list of sites where you have seen the ad.
Now the advertiser knows which websites you visit. The advertiser doesn’t know who you are. Personally identifiable data is encrypted, but the list of sites is associated with the encrypted value that represents you.
If you have browsed for a particular product at an online store and then ads for similar products have followed you around the internet, you have experienced the power of tracking cookies.
Cookies do not contain personally identifiable information. But a data breach could conceivably associate your encrypted user identifier with your online user name or even your real name. Your browsing history could conceivably become a matter of public record.
The session cookies and persistent cookies set by the websites you visit do not track you around the web. These first-party cookies are harmless, and in fact they are essential for getting the most out of the internet. It is the third-party cookies – the marketers’ tracking cookies – that represent a privacy risk. You can eliminate the risk by using an ad blocker, by instructing your browser to reject third-party internet cookies, or by requiring the websites you visit to use first-party cookies only. Clearing cookies or cookies and cache periodically can keep you safe and make your PC run a little faster too.
The decline of third-party cookies
Because consumers resent being tracked around the internet, third-party cookies are disabled in Apple’s Safari browser and Mozilla Firefox by default.
In January 2020, Google announced that it would end Chrome’s support for third-party cookies entirely by 2022.
Many marketers see Google’s rejection of third-party cookies as the end of a lucrative era in online marketing. “There is no arguing that marketing cookies have been extraordinarily valuable to the entire consumer economy,” says Randall Rothenberg, CEO of the Interactive Advertising Bureau. “Studies show that the ad targeting they have powered has been worth more than $25 billion to the consumer economy by creating more efficiencies and allowing advertising to more effectively reach interested consumers. Say what you want about ‘those creepy ads that follow you around the internet,’ but consumers undeniably buy based on those ads, and they have helped brands, publishers, and intermediaries grow.”
Google’s decision is in line with increasing government regulation of third-party tracking cookies.
One reason you’re seeing cookie permission dialogs spring up online is that the European Union’s General Data Protection Regulation dictates that website owners throughout Europe must inform users about their privacy rights and acquire consent before installing cookies. GDPR compliance is an important issue not only for European website owners, but for anyone whose sites are accessed by EU citizens.
The European Union does not have the authority to write laws for EU member states. Rather, it creates regulations. Each European country writes and passes its own GDPR-compliant cookie law. Most European countries have not yet implemented the directive.
Websites that operate solely in the United States or countries not covered by the GDPR have a kind of rogue status when it comes to cookie consent law. Some sites provide a statement banner in which they disclose the types of cookies they use, but more often than not they don’t include third-party cookies in the warning. There is no regulation that legally binds them to do so. In the United States, there is no all-encompassing federal cookie law, but there are some states that have enacted their own data protection laws.
The California Consumer Privacy Act of 2018 came into effect in 2019, and it changed things for users and website owners in California. If a particular business is subject to the CCPA, residents of California must have the option to refuse or allow browser cookies.
Google’s decision to eliminate third-party cookie support in the industry’s leading browser adds further fuel to the anti-tracking fire.
Security threats and cookie fraud
To hackers, cookies represent a window they can climb through to gain access to user accounts, especially at carelessly coded websites. In 2017, hackers took advantage of careless coding at Yahoo to gain access to 32 million user accounts by forging cookies that established logged-in sessions without requiring users to log in.
Most cookie-based attacks require the hacker to have control of the server or physical access to the PC on which the user’s cookies are stored. In those cases, a cookie vulnerability is the least of your worries.
Still, browser cookies are sent to and from your browser over the internet, which means they – like any data – could be intercepted and misused by inventive hackers. The security threat is small but measurable. And the digital data collection practices of advertising cookies represent a substantial privacy threat.
Cookies are not dangerous themselves, but they do create opportunities for hackers to take partial control of online sessions, often masquerading as legitimate users. Experts say users should be aware of four main kinds of cookie fraud: cross-site scripting, session fixation, cross-site request forgery, and cookie tossing.
With cross-site scripting, the user receives a cookie after visiting a malicious website. The cookie includes a script payload that targets a third website. The browser cookie is disguised as if it were from the target website. Hackers use cross-site scripting to get past access controls and access sites as if they were verified users.
Session fixation attacks involve hijacking session IDs from ordinary interactions. Hackers use stolen session IDs to perform malicious actions at the target domain, making it appear that the original site user is the guilty party. It’s one reason you don’t want to allow third-party cookies in your browser.
Cross-site request forgery attacks work much the same way. The user visits a target site, then a malicious site, which runs an attack on the original site as if the user were conducting the attack.
With cookie tossing, users receive disguised cookies that look like they originated from a subdomain of the targeted website. As soon as the user visits the targeted website, the subdomain cookie is sent along. But the legitimate cookie data is sent as well. If the targeted website interprets a subdomain cookie first, it will overrule the data in any subsequent legitimate cookies.
None of these are common cookie problems. Cookie fraud is rare. These cookies aren’t viruses and they don’t carry malware. They cannot be executed. But cookie fraud is a worldwide concern, mainly because it could be used to falsify the identity of legitimate users or to co-opt a legitimate user’s identity to perform malicious actions. The most important steps you can take to protect yourself include:
Keep your browser settings and plug-ins updated.
Block third-party cookies.
Choose whether to allow or block cookies on a site-by-site basis.
Install third-party extensions that promise cookies are deleted after you leave the site.
Use your browser’s “incognito” mode.
Install anti-spyware apps and keep them updated.
On February 5, 2020, engineers from Google and Apple submitted version 5 of the technical spec for internet cookies to the IETF. The proposed specification includes new requirements that are intended to block the security holes that allow hackers to commit cookie fraud. The IETF has until August to adopt the draft or to send it back to the authors (or other parties) for further revisions.
What is a cookie and how is it used?
Most websites employ cookies. They do so to tailor their web pages and achieve a more efficient, personalized user experience.
Are cookies bad?
Cookies are not harmful; they don’t carry viruses or malware, and they don’t store personal information about you. But some websites may not be secure, which can allow hackers to intercept cookies and abuse the information they carry.
How to remove cookies on computer?
Cookies are harmless pieces of data that are provided to enhance your experience using websites. Most websites allow you to specify whether you want to accept or decline cookies. You can also instruct your browsers regarding your preferences: accept all cookies, deny all cookies, reject third-party cookies, and so on. Here are instructions for managing cookie use for different browsers:
Should I accept cookies from websites?
In general, yes, especially when you visit commonly used sites where it is safe to allow browser cookies. However, you should avoid accepting cookies on questionable pages. Yes, you can delete cookies, but you probably don’t want to block all cookies – that would compromise the quality of your web experience. Be cautious and avoid sites your browser flags as questionable.
Almost all websites employ cookies. The harmless information they store on your system helps you get the most out of your online experience.
Frequently Asked Questions about HTTP cookies
What are HTTP cookies used for?
HTTP cookies, or internet cookies, are built specifically for Internet web browsers to track, personalize, and save information about each user’s session. A “session” just refers to the time you spend on a site. Cookies are created to identify you when you visit a new website.
What are the 3 types of HTTP cookies?
There are three types of computer cookies: session, persistent, and third-party.