If you're seeing this message, it means we're having trouble loading external resources on our website.

If you're behind a web filter, please make sure that the domains *.kastatic.org and *.kasandbox.org are unblocked.

Main content

Web cookies

The web is not private by default. Websites often use cookies to track user actions on their site and even across other sites.
Websites track user history in order to improve their services. As both users and creators of software, it's important for us to understand how they track that data and how much control users have over that tracking.

What's a cookie?

An HTTP cookie is a small amount of text that helps a website track information about a user across multiple pages of the website and personalize the user's experience on the website. If you've ever logged into a website, a cookie kept you logged in across multiple pages.

The cookie process

Let's walk through how a cookie is actually set. (If you're feeling fuzzy on the HTTP protocol, this is a good time to review HTTP & HTML.)

Step 1: Browser requests a website

Imagine a user that navigates to a website for the first time--or at least, the first time from that particular browser. The browser sends an HTTP request to the server that hosts the website.
GET /index.html HTTP/1.1
Host: www.shoopshop.com

Step 2: Server sends cookie with response

The server sends back an HTTP response and includes a Set-Cookie header in that response.
HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: sessionId=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT
The cookie contains a name (sessionId) and a value (abc123), plus an expiration date for the browser to clear this cookie from its memory.
If it wants to set multiple cookies, it adds more Set-Cookie headers to the response.

Step 3: Browser stores cookie

The browser saves the cookie information, storing it on the user's hard drive. That way, the data will persist even after restarting the browser or computer. That's why this type of cookie is called a "persistent cookie".
There are also "session cookies", cookies with no expiration date which are always deleted when the browser is shut down.

Step 4: Browser sends cookies with requests

When the user navigates to a different page on the website, the browser sends along the stored cookies with each HTTP request.
GET /shop.html HTTP/1.1
Cookie: sessionId=abc123

Step 5: Server personalizes response

When the server receives the HTTP request, it inspects the cookies and sees that this request is coming from a user with a known sessionId. It can then look up that session ID in its database and use any information about the session to personalize the response.

Use cases for cookies

There are many ways a website can use cookies to personalize an experience. A search engine can use them to remember how many results a user prefers seeing per page. A news site can use them to recommend headlines that are similar to the articles you've already read. All sorts of websites can use cookies to track analytics, like how long you spent on a page and which buttons you clicked.
Any website with a log-in uses a cookie to keep you logged in on every page of the site. When you log out of that site, it clears the cookie and doesn't set it again until you login again.
🔍 You can see for yourself what cookies are being sent from a browser to a website by following the steps in this wikiHow tutorial.
Here's a screenshot of a handful of the cookies used by Khan Academy:
The cookies that start with "KA" all help in identifying the current user, and the "_ga" cookie is used by Google analytics.
These are not my account's actual cookies; you should never share your cookies since others could use them to impersonate your account. You should, of course, share any and all chocolate chip cookies. 🍪

Third-party cookies

Each cookie stored by a browser is associated with a domain and path. When you visit a website and its server sends back an HTTP response with a cookie, the browser associates that cookie with the domain of the server. That's called a first-party cookie.
However, a website can also include resources from other domains, like an image, iframe, or script. When the browser requests those resources, their servers can also send back cookies, which will now be associated with their domain. These are called third-party cookies.
A 2016 study found that the average website loaded in about 20 third-party cookies, and the average news site loaded double that amount.
What are they doing with all those cookies? Most third-party cookies are used for advertising. Imagine a user that visits a food blog with a recipe for gluten-free cookies. That blog includes a Facebook ad with a cookie. The user then visits facebook.com and notices a sudden uptick in ads about gluten-free products. That's not a coincidence, that's cookies!
Since third-party cookies serve a very different purpose than first-party cookies and infringe more on the privacy of web users, browsers have made it possible to disable third-party cookies entirely. You can try that yourself following the steps in this HowToGeek article.
🙋🏽🙋🏻‍♀️🙋🏿‍♂️Do you have any questions about this topic? We'd love to answer—just ask in the questions area below!

Want to join the conversation?