What is a Cookie?
No, it’s not chocolate chip or oatmeal raisin – a cookie is a piece of information sent from a website’s server to the browser and stored by the browser itself. Cookies are used to maintain some sort of state on the browser. For example, a cookie could contain the items in a user’s cart on a shopping website, a user’s login information, or user preferences. Typically, cookies are used to enhance the user experience – such as saving a user’s viewing preferences between site visits – or to track user data in some way.
A cookie consists of three parts:
- Name – the name of the cookie identifies it as a unique piece of data. It is given to the cookie by the server it came from. For example, if the cookie is storing the items in a shopping cart, the name of the cookie may be “cart_items” or “__cart”.
- Value – the value of the cookie is the data itself. To continue with our example, the value of our shopping cart cookie would be a serialized list of the items in the cart.
- Attributes – cookie attributes are a set of predefined characteristics that tell the browser how to handle the cookie data. For example, a common attribute is an expiry or “timeout”. This tells the browser how long to keep the cookie before the data expires and is no longer considered valid. Another attribute is the domain, which says what website the cookie originated from.
Different Kinds of Cookies
While the ingredients of cookies are the same, there are different ways to designate cookies based on intent and behavior.
The first distinction we make is between session and persistent cookies. Session cookies only exist for the duration of a user’s session, that is, a single visit to a given website. Persistent cookies last between sessions. For example, if a user customizes their profile to redirect to a specific page on a website when they log in, they will want that information to persist between visits. One way of storing that data would be with a persistent cookie. (The benefit of using a persistent cookie in this case is that it offloads the data from the server: the value is readily available in the browser rather than requiring numerous subsequent server calls to retrieve it.)
Another distinction we can make is between first-party and third-party cookies. First-party cookies are generated by the site you are on, and they are only accessible on the site that created them. This means that the cookies from the fictitious abc123.com are not shared with the also fictitious xyz456.com. In contrast, third-party cookies come from a third-party service that the site you are visiting pulls in to utilize. This essentially allows user data from a different site to be shared with the site you are on.
For a site to gain access to another site’s cookies, that site has to specifically request a cookie from the other service and save it in the browser. At this point, it is important to note that if a website does this, there is a moral obligation (and in some cases a legal obligation) to have the user accept the use of third-party cookies on the website, since you are sharing data about the user, even if it may be de-identified. This means you must have the user actively consent – e.g. they must click a button or take some action – to the use of cookies. You may also want to provide a way for users to opt out of the third-party cookies your site uses, in the interest of protecting their data.
Pitfalls when Using Cookies
While cookies can be a powerful tool for improving the user experience, there are some dangers when using them. Most of these concern protecting user credentials and identity.
The first big tip is to never store sensitive data in cookies, such as user credentials or credit card data. This data can be exposed in packet-sniffing attacks, where a malicious actor spies on the network, intercepts packets sent between the server and browser, and extracts unencrypted data. A protection against this is to always use TLS encryption when sending data to prevent packet sniffing (setting the Secure attribute on the cookie tells the browser to send it only over a TLS-encrypted connection). A common pitfall here is that an HTTPS connection is used on the login page, but other pages are only served over plain HTTP, so a cookie without the Secure attribute travels unencrypted on those pages.
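To make the three cookie parts, the session/persistent distinction and the pitfalls above concrete, here is an added example (not code from the original post) that parses Set-Cookie headers into name, value and attributes and audits each one for the problems described: a missing Secure attribute, an overly long lifetime, and a name that hints at credentials or card data. The sample headers, the sensitive-name list and the 30-day threshold are constructed assumptions; the HttpOnly check covers an attribute the post does not discuss but a practitioner would also want.

```python
from dataclasses import dataclass
# Constructed sample Set-Cookie headers for the audit (not from the post).
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly; Max-Age=3600",
    "__cart=%5B%22sku1%22%5D; Domain=abc123.example; Path=/",
    "cc_number=4111111111111111; Secure; Max-Age=31536000",
]
# Name fragments that hint the value is data the post says never to put in a cookie.
SENSITIVE_NAME_HINTS = ("pass", "pwd", "card", "cc_", "ssn", "secret")

@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict  # attribute name (lowercased) -> value, or True for bare flags

def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header into the three parts: name, value, attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError("cookie pair must be name=value")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value.strip(), attrs)

def is_persistent(cookie: Cookie) -> bool:
    """Persistent cookies carry an expiry; session cookies die with the browser."""
    return "max-age" in cookie.attrs or "expires" in cookie.attrs

def audit(cookie: Cookie, max_persist_days: int = 30) -> list:
    """Return the pitfalls from the post that this cookie exhibits (empty list = ok)."""
    findings = []
    if "secure" not in cookie.attrs:
        findings.append("missing Secure: browser will also send it over plain HTTP")
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly: readable by scripts running on the page")
    age = cookie.attrs.get("max-age")
    if age is not None:
        if not str(age).lstrip("-").isdigit():
            findings.append("Max-Age is not an integer, so browsers ignore it")
        elif int(age) > max_persist_days * 86400:
            findings.append("persistent cookie outlives %d days" % max_persist_days)
    if any(h in cookie.name.lower() for h in SENSITIVE_NAME_HINTS):
        findings.append("name suggests credentials or card data; keep that server-side")
    return findings
```

Running `audit(parse_set_cookie(h))` over the three samples flags the cart cookie for missing Secure and HttpOnly and the card-number cookie for its name and year-long lifetime, while the session cookie passes clean.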
A final consideration when using cookies is how your user will respond. An increasing number of users are becoming more focused on privacy of their personal data, including how they browse the web. If your user base is among these, running targeted ads or using third-party cookies to gather their preferences and share that information with other sites may drive customers away from your site.
Cookies are a good way to reduce load on the server, enhance user experience, provide opportunities to monetize a website, and gather data on usage patterns. However, it is important to be conscious of the data you are gathering, consider your user base, and if you decide to use third-party cookies, ensure you are communicating to the user what data you are capturing and sharing.
What other concerns or tips do you have for using cookies on websites? Contact us or join in the conversation below!
- Website Authentication – Part 3: OAuth 2.0 Authorization Code Flow - April 16, 2020
- Website Authentication – Part 2: Intro to OAuth 2.0 - March 5, 2020
- If You Give a Dev a Cookie… - February 6, 2020