How Browser Cookies Work: The Good, the Bad, and the Tasty

BrowserKid
Dec 3, 2023

In 1994, a clever innovation emerged in the form of cookies, which are small pieces of data that are generated as Internet users browse various websites. These little data bits are fundamental to the functioning of the Internet, but their usage has sparked debate in recent times. Despite the intrusive cookie pop-up notifications that Internet users encounter when visiting websites today, it’s important to note that not all cookies are harmful.

Some play a crucial role in verifying logins and customizing online interactions. For example, session or first-party cookies are essential for keeping track of items added to online shopping carts and maintaining users’ logged-in status on websites.

On the other hand, third-party cookies operate in a more ambiguous space. They gather and monitor users’ online activities across multiple websites to deliver targeted advertisements. The differentiation between first- and third-party cookies has become increasingly significant as demands for greater digital independence and transparency have grown louder.

When you visit a website, your browser requests data from the server. Along with the data, the server sends a small text file to your browser’s memory. This file, known as a cookie, allows the server to recognize you as the same user when you navigate to other pages on the website. Cookies were created in 1994 by Lou Montulli, a 24-year-old software engineer at Netscape.

Fortune cookies contain hidden messages within them, which can be read once opened. Similarly, when a website saves a fortune cookie on your browser, it stores information about you as a user to customize the website experience for you.

To put it simply, it’s like receiving a token at a coat check that helps the staff identify and serve you better when you return. However, unlike tokens that are just identifiers, web cookies directly store your information. This analogy is drawn from the concept of Magic Cookies, which are distinct from web cookies and function more like tokens.

Session cookies are only active while you are logged in and your browser is open, typically being deleted when you close the browser. On the other hand, persistent cookies remain even after you close the browser or log out, sticking around for a set period of time or until a specific date, as seen when selecting “Keep me logged in”.

Zombie cookies have the ability to resurrect themselves after being deleted because they can be stored in locations beyond your browser. There are legitimate and underhanded reasons for utilizing this type of cookie. Lastly, third-party cookies, as illustrated by The Guardian’s animation, are associated with advertisers despite their strong bias.

When you visit a website, third-party cookies can be created through links to other websites, such as advertisements. These cookies originate from a different domain than the website you are currently on. By linking these cookies to external sites, your online activity can be tracked across various websites, allowing for targeted advertising and potentially making your personal information more readily available than you may think.

According to European data regulations, non-essential cookies can only be activated with explicit consent from users regarding their personal data collection. Similarly, under Singapore’s Personal Data Protection Act, websites must obtain consent before collecting personal data from Internet users.

What are the potential risks associated with different types of cookies, and how can users effectively mitigate these risks?

First-party cookies, such as session cookies, are crucial for website functionality. They are necessary for maintaining the contents of shopping carts during the check-out process, as well as for enabling seamless authentication and user navigation within web services.

Session cookies typically have a short lifespan and disappear when a web page is closed. On the other hand, third-party cookies, which often track users’ browsing activities, are not essential for website operations. While first-party cookies play a fundamental role in web authentication and user experience, third-party cookies primarily serve tracking purposes.

The website utilizes the personal data it gathers to tailor advertisements based on user behavior or to sell the information to other advertisers. For example, if a user searches for Thai food online, they may later see ads for hotels in Bangkok.

While Europe has implemented stricter regulations like the General Data Protection Regulation and ePrivacy Directive to limit the use of third-party cookies, other regions have not been as thorough in adopting similar measures.

Blocking cookies

Blocking cookies is important because they are often targeted by hackers due to the valuable personal data they contain, particularly in session cookies used for authentication. Hackers can use stolen login details from these cookies to gain unauthorized access to accounts.

In the past, there have been instances of cookies being extracted from public Wi-Fi hotspots and phishing emails being used to steal users’ cookies, leading to account takeovers. For example, a well-known gaming YouTuber’s channel was hijacked after he clicked on a malicious link in an email, allowing the hacker to access his Google and YouTube accounts.

Cookie hacking poses a significant threat, prompting Google to introduce a range of measures to bolster authentication cookies. These measures encompass enhanced malware detection, authentication protocols, and proactive notifications to YouTubers prior to potential sensitive actions. In the period from May to October last year, Google had to reinstate approximately 4,000 compromised accounts.

While website operators ultimately bear responsibility for cookie security, users can still exert some influence over their own protection. By steering clear of suspicious or outdated websites with minimal traffic and refraining from clicking on dubious links, users can mitigate risks. Additionally, they have the option of using browsers like Mozilla Firefox, Apple Safari, and Brave that automatically block third-party cookies.
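
An added example, not from the original article: this script parses `Set-Cookie` response headers and labels each cookie with the types described earlier (session or persistent, first- or third-party). It then flags cookies missing `Secure` (sent over unencrypted HTTP, the public Wi-Fi case above) or `HttpOnly` (readable by scripts running in the page). Host names, cookie values and the two-label `siteOf` shortcut are assumptions; browsers use the Public Suffix List to decide what counts as the same site.

```javascript
// Added example: label Set-Cookie headers by lifetime, party and theft exposure.
// Hosts, cookie names and values are constructed sample data.

// Parse one Set-Cookie value into { name, value, attrs }; attribute names are lowercased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    attrs[(i < 0 ? part : part.slice(0, i)).toLowerCase()] = i < 0 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Assumption: "site" = last two host labels (real browsers use the Public Suffix List).
const siteOf = (host) => host.toLowerCase().split('.').slice(-2).join('.');

// Max-Age wins over Expires (RFC 6265); neither attribute means a session cookie.
// Past Expires dates are not evaluated here.
function lifetimeOf(attrs) {
  if ('max-age' in attrs) return Number(attrs['max-age']) > 0 ? 'persistent' : 'deleted';
  return 'expires' in attrs ? 'persistent' : 'session';
}

// responseHost: host that sent the header; pageHost: host shown in the address bar.
function classify(header, responseHost, pageHost) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.secure) findings.push('no Secure: also sent over plain HTTP');
  if (!attrs.httponly) findings.push('no HttpOnly: readable by page scripts');
  const party = siteOf(responseHost) === siteOf(pageHost) ? 'first-party' : 'third-party';
  return { name, lifetime: lifetimeOf(attrs), party, findings };
}

function auditResponses(responses, pageHost) {
  return responses.map(([host, header]) => classify(header, host, pageHost));
}

// Constructed sample: headers seen while loading a page on www.shop.example.
const PAGE_HOST = 'www.shop.example';
const SAMPLE = [
  ['www.shop.example', 'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
  ['www.shop.example', 'remember=tok456; Max-Age=2592000; Path=/'],
  ['ads.tracker.example', 'uid=u789; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; SameSite=None'],
];

console.log(JSON.stringify(auditResponses(SAMPLE, PAGE_HOST), null, 2));
```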

In response to input from web developers, advertisers, and regulatory bodies like Britain’s Competition and Markets Authority, Google Chrome, the widely used browser, will begin blocking third-party cookies in 2023.

In the interim, Chrome users have the option to install ad-blocking extensions to limit third-party cookies. Another approach is to carefully review cookie pop-up terms and conditions and only accept cookies categorized as necessary or essential.

Security tokens

Utilizing security tokens for authentication offers a viable alternative to traditional session cookies. This method is user-friendly and enables seamless authentication across various devices, such as mobile, computer, and smart devices, without the need for separate logins.

Additionally, it prioritizes user privacy by storing authentication tokens solely on the user’s devices, rather than on website servers. However, it’s important to note that while authentication tokens provide many benefits, they are not foolproof and can still be vulnerable to hacking and theft. Therefore, users should remain cautious of potentially risky links and websites.
