What is a browser cookie?

Posted March 28, 2022 by Angus

A browser cookie, also known as web cookies, tracking cookies, and HTTP cookies, are small files, usually made up of letters and numbers. That is placed on a user’s computer by software, specifically the directory of a web browser.

Generally, cookies are a harmless tool. Used in web development to improve the experience for end-users, by adding memory, authentication, and tracking.

However, in the past, certain cookie types persisted outside the browser subfolder. This alongside other security concerns and numerous abuses led to the discontinuing of the overall governing application.

Fear not…

Internet regulations exist to provide a safety net against abuses, and legislation on how websites and applications across the internet utilize user data, in particular tracking cookies. Legislation enforcement can lead to large penalties for those found in breach of regulation.

It’s also necessary to inform users how data, collected from them, will be utilized. Also, allowing users to opt-out of data collection methods that are not strictly necessary for website function.

Table of Contents

Cookie types & usage

Cookie usage in browsers is generic across many browser applications, across the internet cookies usage is prevalent, enabling, and improving upon existing sites and web applications.

The naming convention may be different from site to site but generally, cookie types include:

Also known as strictly necessary, these enable critical website functions without them, the website would not work.

First-party or performance cookies enable a variety of different features, including user activity tracking. This in turn allows website owners to have a better understanding of user activity and thus, can work to improve those website features.

These also enable personalization features, including saving of information that aids website use. These can include language, location, and user information.

Belong to a domain different from the one the user is currently viewing, hence “third-party”. They have come under scrutiny in recent years due to their cross-site, all-encompassing nature.

They enable large data-driven organizations to better personalize and tailor user experience via customer segmentation. With the overall aim of better marketing products and services based on user habits across potentially billions of interactions and touchpoints (depending on the organization’s size and influence).

Certain display advertising widgets are a good example of third-party cookie usage. You may have noticed that after looking at a certain brand of shoes or a new product that these widgets alter to match that “interest”.

Session Cookies

A session cookie enables a variety of different website functions. They can save information pertaining to a user’s page activities, thus, aiding ease of use.

By allowing users to pick up where they left off, a user browsing multiple sites at once will not lose any progress, providing the browsing session remains open.

A session cookie can improve security. After a session ends, session cookies expire, removing the remaining data. Many websites utilize session cookies to provide more privacy and secure PII from less, a less secure attribute.

Without a session cookie, web pages would have no memory of this information and the user would need to start the process again.

  • Online Banking – Session cookies enable a user to remain logged for the duration of the browser session. Online banking is notoriously secure; it has to be. That means that logging might require 3 different authentication steps, having to re-enter these more than once over the cause of one session would negatively impact the user experience.

Persistent Cookies

Unlike a session cookie which expires when the browser closes, persistent cookies remain on a user’s device for a set time, known as the expiry time.

For most websites, persistent cookies greatly improve the user experience; arguably more than sessions cookies. For a user, having a persistent cookie means if there is any interruption to the customer journey, they can return.

On the condition, the cookie has not expired and is valid. For e-commerce, operators, this has the added benefit of increasing the likelihood of a sale.

This allows storing data regarding user preferences, including any layout customizations for that website or app. Similarly to session cookies, persistent cookies mainly improve upon user experience, for example:

  • User logins – A website’s servers use cookies to authenticate a user, enabling access to a secure area on that website without the need to re-enter login information.
  • Shopping carts – Cookies can be used to save the contents of a user’s shopping cart for future use.

What is a Flash or Zombie Cookie?

Flash was once a popular tool in website development that enabled extended website features. As of January 12, 2021, there is a block on flash content by default in your web browser.

  • A flash cookie or “supercookie” unlike an HTTP cookie usually persisted indefinitely. Independent of the web browser, they’re arguably more difficult to remove for an average user.
  • A zombie cookie is similar but more malicious. This is because it automatically re-creates itself after deletion. These third-party cookies can track individual user browsing history and even enable access control through bans.

Managing Cookies

Although consent is a requirement for the majority of cookies, there are 2 exemptions. Most notably, strictly necessary cookies, are essential to fulfilling user requests. Without these cookies, a website would not function correctly.

However, most browsers allow removing or disabling of these cookies directly. To disable cookies in Google Chrome:

  1. Firstly, open the settings menu by clicking the icon with 3 dots in the top right of your browser.
  2. Now, in the settings area, click on security and privacy and then “Cookies and other site data”.
  3. Finally, under general settings, you can pick your configuration.
What is a browser cookie?
Cookie settings

You can also view & delete cookie files from a web browser’s user data cache. If you’re using Google Chrome on Windows, cookies by default are here:

C:\Users\%username%\AppData\Local\Google\Chrome\User Data

To comply, many websites utilize consent forms, typically appearing as a banner or pop-out. From here, a user can immediately consent to cookie usage or alter cookie settings.

Cookie consent banner
Consent banner

Within the consent banner, a user may alter the site’s cookie settings to conform with their preference and consent. Each cookie type labelled describes clearly what it is, including its features and capabilities.

Cookie consent details pop-out
Consent details pop-out

Security & Privacy Fist

When it comes to cookies, there are important regulations to consider.

  • GDPR or UK GDPR – General Data Protection Regulation governs data usage across the UK via its seven key principles. To learn more about GDPR, visit the ICO website.
  • PECR – The Privacy and Electronic Communications Regulations or PECR provide specific rights regarding electronic communications, including cookie usage. This regulation applies to cookies, even with anonymized information.

Compliance with PECR requires that users must:

  1. Be made aware that cookies are used on the website or that the web server creates cookies on behalf of third party sites.
  2. Be provided with an explanation on both how and why cookies are used so that the user fully understands prior to consent.
  3. Fully consent to the storing and usage of cookies on their device.

Not so dissimilar to cookie tracking, device fingerprinting is a well-documented technique, that utilises multiple data points to create a unique fingerprint. Fingerprinting is arguably more accurate & reliable than cookies because of the multiple sources required to establish a fingerprint. As it can be used to determine a user’s actions, consent must be obtained prior to the usage of device fingerprinting.

Although consent is a requirement for the majority of cookies used, there are 2 exemptions. Most notably, strictly necessary cookies are defined as essential to fulfilling user requests. Without these cookies, a website could not function correctly.

Categories:
Security