Web cookies
The web is not private by default. Websites often use cookies to track user actions on their site and even across other sites.
Websites track user history in order to improve their services. As both users and creators of software, it's important for us to understand how they track that data and how much control users have over that tracking.
What's a cookie?
An HTTP cookie is a small amount of text that helps a website track information about a user across multiple pages of the website and personalize the user's experience on the website. If you've ever logged into a website, a cookie kept you logged in across multiple pages.
The cookie process
Let's walk through how a cookie is actually set. (If you're feeling fuzzy on the HTTP protocol, this is a good time to review HTTP & HTML.)
Step 1: Browser requests a website
Imagine a user that navigates to a website for the first time--or at least, the first time from that particular browser. The browser sends an HTTP request to the server that hosts the website.
GET /index.html HTTP/1.1
Host: www.shoopshop.com
Step 2: Server sends cookie with response
The server sends back an HTTP response and includes a Set-Cookie header in that response.
HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: sessionId=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT
...
The cookie contains a name (sessionId) and a value (abc123), plus an expiration date for the browser to clear this cookie from its memory.
If it wants to set multiple cookies, it adds more Set-Cookie headers to the response.
Step 3: Browser stores cookie
The browser saves the cookie information, storing it on the user's hard drive. That way, the data will persist even after restarting the browser or computer. That's why this type of cookie is called a "persistent cookie".
There are also "session cookies", cookies with no expiration date which are always deleted when the browser is shut down.
Step 4: Browser sends cookies with requests
When the user navigates to a different page on the website, the browser sends along the stored cookies with each HTTP request.
GET /shop.html HTTP/1.1
Cookie: sessionId=abc123
Step 5: Server personalizes response
When the server receives the HTTP request, it inspects the cookies and sees that this request is coming from a user with a known sessionId. It can then look up that session ID in its database and use any information about the session to personalize the response.
Use cases for cookies
There are many ways a website can use cookies to personalize an experience. A search engine can use them to remember how many results a user prefers seeing per page. A news site can use them to recommend headlines that are similar to the articles you've already read. All sorts of websites can use cookies to track analytics, like how long you spent on a page and which buttons you clicked.
Any website with a log-in uses a cookie to keep you logged in on every page of the site. When you log out of that site, it clears the cookie and doesn't set it again until you log in again.
🔍 You can see for yourself what cookies are being sent from a browser to a website by following the steps in this wikiHow tutorial.
Here's a screenshot of a handful of the cookies used by Khan Academy:
The cookies that start with "KA" all help in identifying the current user, and the "_ga" cookie is used by Google Analytics.
These are not my account's actual cookies; you should never share your cookies since others could use them to impersonate your account. You should, of course, share any and all chocolate chip cookies. 🍪
Third-party cookies
Each cookie stored by a browser is associated with a domain and path. When you visit a website and its server sends back an HTTP response with a cookie, the browser associates that cookie with the domain of the server. That's called a first-party cookie.
However, a website can also include resources from other domains, like an image, iframe, or script. When the browser requests those resources, their servers can also send back cookies, which will now be associated with their domain. These are called third-party cookies.
A 2016 study found that the average website loaded in about 20 third-party cookies, and the average news site loaded double that amount.
What are they doing with all those cookies? Most third-party cookies are used for advertising. Imagine a user that visits a food blog with a recipe for gluten-free cookies. That blog includes a Facebook ad with a cookie. The user then visits facebook.com and notices a sudden uptick in ads about gluten-free products. That's not a coincidence, that's cookies!
Since third-party cookies serve a very different purpose than first-party cookies and infringe more on the privacy of web users, browsers have made it possible to disable third-party cookies entirely. You can try that yourself following the steps in this HowToGeek article.
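The five-step cookie process and the first-party/third-party distinction described in this article, as an added Python example that is not part of the original article: a toy browser cookie jar that stores `Set-Cookie` headers per domain, drops session cookies on restart, stops sending expired cookies, and lets a server look up the session. Domain matching is simplified to exact host equality, and `ads.example`, `adId`, `resultsPerPage` and the session table are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

class CookieJar:
    """Toy browser cookie store: (domain, name) -> (value, expiry or None)."""

    def __init__(self):
        self.cookies = {}

    def store(self, response_host, set_cookie):
        # Steps 2-3: parse one Set-Cookie header and associate the cookie
        # with the domain of the server that sent it.
        pair, *attrs = [part.strip() for part in set_cookie.split(";")]
        name, _, value = pair.partition("=")
        expires = None  # no Expires attribute means a session cookie
        for attr in attrs:
            key, _, val = attr.partition("=")
            if key.lower() == "expires":
                expires = parsedate_to_datetime(val)
        self.cookies[(response_host, name)] = (value, expires)

    def cookie_header(self, request_host, now):
        # Step 4: send back only this domain's cookies that have not expired.
        return "; ".join(f"{name}={value}"
                         for (domain, name), (value, exp) in self.cookies.items()
                         if domain == request_host and (exp is None or exp > now))

    def restart_browser(self):
        # Session cookies are dropped at shutdown; persistent ones survive.
        self.cookies = {k: v for k, v in self.cookies.items() if v[1] is not None}

    def third_party(self, page_host):
        # Cookies held for any domain other than the page being viewed.
        return sorted(name for (domain, name) in self.cookies if domain != page_host)

def personalize(cookie_header, sessions):
    # Step 5: the server knows the visitor only by the sessionId value it receives.
    sent = dict(p.split("=", 1) for p in cookie_header.split("; ") if p)
    return sessions.get(sent.get("sessionId"), "new visitor")

if __name__ == "__main__":
    jar = CookieJar()
    shop, june1 = "www.shoopshop.com", datetime(2021, 6, 1, tzinfo=timezone.utc)
    jar.store(shop, "sessionId=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT")
    jar.store(shop, "resultsPerPage=20")  # constructed session cookie
    jar.store("ads.example", "adId=xyz789; Expires=Wed, 09 Jun 2021 10:18:14 GMT")  # constructed
    header = jar.cookie_header(shop, june1)
    print(header, "->", personalize(header, {"abc123": "returning shopper"}))
    print("third-party:", jar.third_party(shop))
```

Because `personalize` sees nothing but the cookie value, any client that presents `sessionId=abc123` is treated as the same user, which is why session cookies should not be shared.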
Want to join the conversation?
- So Khan Academy uses cookies? I thought it was stored in their database instead of our computer....(8 votes)
- The cookies are used to identify you. The actual data is stored on the servers.(30 votes)
- What if the third party uses your information for something else or even sells your information?(6 votes)
- Yes, it is entirely possible to use cookies to sell out your info. So if that happens... your info is already sold out, and it will be hard to get rid of it. Be careful with cookies(14 votes)
- Can one use persistent cookies to download malware to a computer? After all, they are stored on the computer hard drive.(5 votes)
- Cookies are traditionally meant to be beneficial to the user; for example, cookies can be used to remember a user's preferences for a particular website.
However, cookies can also be used maliciously. You mentioned "downloading malware" in your post, but cookies do not install any software (malware is a type of software, and the name malware is a portmanteau of malicious and software). Rather than downloading malware, cookies can be used to track the activity of a user.
For example, a collection of websites can work together to store cookies of a certain name and type, such that they can work in aggregate to track their user's visitation habits to any of their websites. Likewise, if a website has many advertisements, cookies can be used to determine which of the advertiser websites the user visits (with the host website working in collaboration with the advertiser website).
In this sense, these "tracking cookies" can be considered as a variant of spyware, but no software is being downloaded to a user's machine through the cookies.(10 votes)
- Hi!
How can I determine whether a website uses persistent cookies or session cookies?(5 votes)
- In Chrome you can right click -> inspect -> Application -> Cookies
If there is no expiration it is a session cookie, otherwise it is persistent.(8 votes)
- Why are there only two cookies, first-party cookies and third-party cookies? Why are there no second-party cookies?(5 votes)
- "first, second, and third party" is terminology for the people in a conversation.
The server is doing the talking (sending you stuff) so it's the first party, you are doing the listening so you are the second party, and another server (iframes etc) is the third party.
There are no second party cookies coz you don't set cookies for yourself(6 votes)
- Why do cookies steal our information?(4 votes)
- Cookies do not steal your information; they simply store information for the website.(8 votes)
- So third party cookies are cookies loaded by other websites not related to the current website you are browsing?(7 votes)
- I don't know why but every time I check the comments on Khan they're like either totally off topic or like I'm in school.(7 votes)
- Is cookie a snack?(4 votes)
- How do I change from this slug-like hideous organism?(5 votes)