Cookie

Share

A cookie is a small piece of data that a website gives your web browser that your web browser sends back to the website every time you access a web page. A common function of cookies is to keep track of what a visitor did on the website.

The reason cookies exist is that, in principle, when you access a URL, the website has no way of knowing if it's your first time accessing that URL, or what other webpages you accessed before. Each URL access is separate and there's no state kept across accesses. This means access the same URL should give you the same webpage every single time. This sounds good at first, but it's not what we want, actually.

Many websites allow users to create accounts and log in. If accessing the same URL gives you the same web page every time, and the web page "create an account to post" the first time you access it, it will keep saying that, forever, even if you create an account, because it has no way of knowing if you created an account or not. One way to solve this would be to have separate URLs. Perhaps /article and /article-for-users-logged-in. Naturally that's a terrible idea, specially if you have hundreds or thousands of articles.

The solution web developers came up with was cookies. Every time you access a URL, your web browser sends the cookie it got from that website back to the web server. So, for example, if there's no cookie, the web server treats you as an user without an account. And if you create an account or log into your account, it gives your web browser a cookie and the next time you access a URL it will treat you as an user with an account.

Cookies aren't limited to that. For example, if a website shows a popup for first time visitors, it may set a cookie when you close the popup. The next time you access the website, it will know you already saw the popup, so it won't show it again. Some websites may work the opposite way: if you read more than 3 articles, the website may not let you read more articles unless you create a free account. This could be implemented with cookies, but a better way could be by recording your IP address instead. That's because you can get rid of your cookies.

If your web browser has an "incognito" or "anonymous" mode, like Chrome and Firefox, that's a mode that starts a web browsing session without any cookies. It's as if you had never accessed any website before. Any website you were logged in before, you won't be logged into them anymore because you won't have the cookie you need for the website to recognize you. You will be "incognito" in this sense. Of course, if you log in, then you'll get a cookie just as normally, and to get rid of it you'll need to close the incognito window and start incognito mode over again. Well, actually you don't really need to go that far. The web browsers have ways to let you delete your cookies without having to open an incognito mode or anything of sort.

What is in a cookie? The data in the cookie is sent (uploaded) to the website every time you access a web page, consequently, the cookie itself needs to be extremely small in size. What websites typically do is that they generate a temporary file for every visitor, logged in or not, called their "session." They generate a temporary random username and password to access this session file, and put both username and password into the cookie that's sent to the web browser. This way every time you access a URL, the web browser only gives the web server the temporary username and password to access the temporary session file. When the visitor logs in or does something that needs to be recorded, instead of writing more data to the cookie, the web server writes the data to the visitor's session file. That way the size of the cookie remains very small no matter how much data is associated with it.

As a technical rule, cookies are isolated by domain. This means that if www.example.com sets a cookie, that cookie is only sent to the web server when you access a URL on www.example.com. If you access a URL on forum.example.com, the cookie won't be sent. This means that cookies that your browser gets from one website generally can't be accessed by another website because they will not be sent to this other website.

However, there's one caveat: when accessing one webpage on one website, you may actually be accessing two web servers on different domains at once.

That's because, technically, it isn't strictly true that cookies can be every time your browser accesses a web page. The correct is that a cookie can be set every time your browser makes a HTTP request to a URL. As it turns out, accessing a web page is only one of such times. A web page often contains other resources, on separate URLs, that need to be downloaded (requested) separately. This includes images, CSS stylesheet files, javascript files, videos, embedded widgets, and a lot more.

When a website has a Facebook "like" button, for example, that's a resource that's coming straight from Facebook's web servers. If you are logged into Facebook, the BUTTON KNOWS THAT YOU ARE LOGGED IN. The Button KNOWS your Facebook account, because it comes from Facebook. The button IS Facebook. Even if you aren't logged in, there's nothing stopping the button from setting a cookie.

These "tracking cookies" end up tracking you on every site you visit. Every time you visit a website with a Facebook button, Facebook may update your session file, adding that new URL you accessed to its nefarious tracking database. Or it might not. We have no way of knowing if it's doing that or not, but we do know that the data is being sent anyway because browsers are designed to send this data. That's just how the internet works.

And they don't need to be buttons. They could be ads. But they also don't need to show up on the page. It could be something your browser downloads in the background that just gives you a ton of cookies and you never notice.

One common case for this are third-party web analytics tools, like Google Analytics. This tool provides webmasters with a lot of data about you, or rather, a lot of data about who visits the website. Things like which country you came from, what browser you're using, what size is your screen, and, with some setup, which buttons you click when you use the website. This data helps webmasters figure out how to optimize their websites and where to focus their resources, or, in some cases, just how many people visited a web page. That could be all they care about at all. It's a free tool so everyone uses without a second thought about the fact that Google is getting all this data about everyone on the internet. Who knows what's written in their ToS? I don't. I haven't read it.

Modern legislation like the GDPR attempted to fix this issue by making websites disclose what data they keep on you and what data is being sent to third parties like Google and Facebook. When one of the infamous cookie banners asks a visitor if they want to accept the cookies, they'll say no, because... why would they say yes? What's in for them? If the cookies may help the site make more money and reach their business goals better in some vague way... why would the visitor want help with that? Most visitors don't care about the websites they're visiting, specially if they don't have an account on that site, so most cookie banners get a "no" as an answer.

Awkwardly, an effect of this legislation was that the term "cookie" entered the vernacular of average internet users as some sort of evil digital contraption through which internet ad companies track your every move and disrespect your privacy, rather than what they actually are, which is a way for websites to track you anyway, but that's not necessarily evil, it's just that websites can't remember who you are if they don't keep track of you, so tracking is kind of necessary, tracking isn't a bad word, it's the session file they keep on you on their servers and nobody knows what's in it that could be the real problem.

Comments

Leave a Reply

Leave your thoughts! Required fields are marked *