Web Cookies Crash Course

Cookies are used everywhere on the internet and it’s helpful if we know what they are

Devavrat kalam
7 min read · Dec 16, 2020
Photo by Erika Osberg on Unsplash

Imagine adding a product to your Amazon cart only to find it was never added, or logging into your Facebook account only to be logged out again after every page change. These problems are solved with cookies. Before cookies, the internet was like a person with short-term memory loss: after a click or page change, it might log you out or forget what you were doing.

Web cookies are also known as HTTP cookies. Basically, cookies are small files that store text-based user data. The data can be anything from the user’s location, the language used, the device used, the time of visit, likes and dislikes, and so on. These files are stored on the user’s local machine while the user browses a website. Websites use cookies to track browsing activity and information for many purposes, such as showing ads, deals, and relevant goods and services.

For example, when you search Google for “protein shakes benefits”, Google’s cookies store this information and use it to show you protein shake ads on Instagram or YouTube.

Each cookie has its own unique ID. This lets website owners know that it is you who visited their website multiple times. Cookies detect and monitor our activity on websites: what you searched for, which services or buttons you clicked, and what you added to the shopping cart. On the next visit, these cookies are used to display deals, services, and products based on our previous activity. They can also be used to remember login details. Because of this nature, cookies are ideal for advertising. Cookies are fine if websites use them properly; otherwise they can mean a breach of privacy.

How Cookies Work

Before we start blaming websites for stealing your information, let’s understand how cookies exactly work.

1. When we visit a website for the first time, the website creates a unique cookie for the user and sends it to the browser along with its response.

Figure 1: A first-time visit to the website

2. This cookie is stored on the local machine’s hard drive and is specific for this website.

3. On every later visit to the same website, the browser sends this cookie to the server with each request.

4. The server edits this cookie according to user actions on the website.

5. The new cookie is then sent to the browser and replaces the old version cookie.

Figure 2: All consecutive visits to the same website

6. This cycle repeats every time you visit or perform some activity on this website.

7. By reading this updated cookie, the website loads new products, posts, blogs, or services in your browser that are specifically targeted at your previous interests.
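As an added example (not code from the original post), here is a small Python cookie jar that plays out steps 1 to 5 above: the server sets a cookie, the browser stores it per site and sends it back on later requests, an updated Set-Cookie with the same name replaces the old value, and Max-Age=0 removes it. The host names and cookie values are constructed.

```python
from http.cookies import SimpleCookie


class CookieJar:
    """A tiny browser-side cookie jar: one dict of name -> value per host."""

    def __init__(self):
        self.store = {}

    def receive(self, host, set_cookie_headers):
        """Steps 1 and 5: store each Set-Cookie from a response. A cookie with an
        existing name replaces the old version; Max-Age=0 tells the browser to drop it."""
        jar = self.store.setdefault(host, {})
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                if morsel["max-age"] == "0":
                    jar.pop(name, None)
                else:
                    jar[name] = morsel.value

    def cookie_header(self, host):
        """Step 3: build the Cookie request header sent back to that same host only."""
        return "; ".join(f"{k}={v}" for k, v in self.store.get(host, {}).items())


def simulate_shop_visit():
    """Plays out a first visit, a return visit, a server-side update and a clear-out.
    Host names and cookie values are constructed for the example."""
    jar = CookieJar()
    # First visit: the server mints an ID for this browser and sets it in its response
    jar.receive("shop.example", ["visitor_id=abc123; Path=/"])
    first = jar.cookie_header("shop.example")
    # Return visit: the browser sends visitor_id; the server adds a cart cookie
    jar.receive("shop.example", ["cart=item42; Path=/"])
    second = jar.cookie_header("shop.example")
    # User adds another item: the server re-issues cart, replacing the old value
    jar.receive("shop.example", ["cart=item42_item77; Path=/"])
    third = jar.cookie_header("shop.example")
    # Checkout clears the cart: Max-Age=0 deletes the cookie
    jar.receive("shop.example", ["cart=; Max-Age=0; Path=/"])
    fourth = jar.cookie_header("shop.example")
    # Cookies are per site: another host never receives shop.example's cookies
    other = jar.cookie_header("news.example")
    return first, second, third, fourth, other


if __name__ == "__main__":
    print(simulate_shop_visit())
```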

Types of Cookies

Different cookies are used to perform different operations.

Persistent Cookies

These cookies are stored on the computer’s hard drive and hold user preferences. They remain on the local machine for as long as the user allows (or until the user deletes them manually). They are updated whenever the user triggers some activity on the website. For example, when you tick “Remember Me” during login, a persistent cookie that stores your login information is created in your browser.

Session/Transient Cookies

These cookies are stored in the computer’s memory and contain the session ID of the user’s login. The cookie is deleted as soon as the browser is closed, which makes it less of a security risk. For example, when we move between pages on Amazon, session cookies keep us logged in within the same session instead of logging us out on every new page.

Third-party Cookies

These are cookies created by sites other than the one you are visiting. Third-party cookies come from third-party APIs or plugins used on the website you are on. For example, say you are reading something on BuzzFeed (the main website) and the post has a Facebook (third-party website) share button. If you click it, a third-party cookie is generated that is associated with Facebook, not BuzzFeed.
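The three types are easiest to see by looking at what the server actually sent. This added example (not part of the original post) classifies Set-Cookie headers as session or persistent (did the server give a lifetime via Expires or Max-Age?) and as first- or third-party (does the cookie’s domain match the site you are on?), using the BuzzFeed/Facebook scenario with constructed host names; the two-label site comparison is a simplification of what browsers do with the Public Suffix List.

```python
from http.cookies import SimpleCookie


def site_of(host):
    """Registrable site, simplified to the last two labels (enough for these hosts).
    A real browser consults the Public Suffix List for this."""
    return ".".join(host.lower().split(".")[-2:])


def classify(page_host, responses):
    """responses: list of (responding_host, set_cookie_header).
    Returns one record per cookie with its lifetime and party."""
    out = []
    for host, header in responses:
        cookies = SimpleCookie()
        cookies.load(header)
        for name, m in cookies.items():
            # Session cookie unless the server gave it a lifetime
            lifetime = "persistent" if (m["expires"] or m["max-age"]) else "session"
            # A Domain attribute widens the cookie's scope; default is the responding host
            scope = m["domain"].lstrip(".") or host
            party = "first-party" if site_of(scope) == site_of(page_host) else "third-party"
            out.append({"name": name, "scope": scope, "lifetime": lifetime, "party": party})
    return out


def buzzfeed_example():
    """The article's scenario: a BuzzFeed page embedding a Facebook share button.
    Host names and cookie values are constructed."""
    page = "www.buzzfeed.example"
    responses = [
        # Login with "Remember Me": 30-day lifetime, first party
        ("www.buzzfeed.example", "remember=tok123; Max-Age=2592000; Path=/"),
        # Plain session id: dropped when the browser closes
        ("www.buzzfeed.example", "sid=s9f8e7; Path=/; HttpOnly"),
        # Share-button widget served by Facebook: third party relative to this page
        ("widgets.facebook.example",
         "fr=xyz; Domain=.facebook.example; Expires=Wed, 21 Oct 2026 07:28:00 GMT"),
    ]
    return classify(page, responses)


if __name__ == "__main__":
    for record in buzzfeed_example():
        print(record)
```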

Real-World Applications

  • Count the unique customers who visit a website.
  • Collect location details that can be used for area-wise targeted ads.
  • Show relevant products, deals, etc., personalizing the website experience based on customer activity.
  • Improve the user experience of the website.
  • Store login details, etc.

Risk Associated with Cookies

Every coin has two sides. Cookies can be used for good as well as bad purposes, and they may put your privacy or personal data at risk. We will discuss some of the well-known security issues with cookies.

Cross-Site Scripting (XSS)

A malicious cookie is sent to a legitimate website during a user’s visit, disguised as if it belonged to that legitimate website.

Session Fixation

Users are given an attacker’s cookie that contains the attacker’s session ID. The attacker can then make users act as the attacker at various application levels.

Cross-Site Request Forgery Attack (CSRF)

An attacker plants a malicious cookie in a user’s browser in order to attack a legitimate website. The next time the user visits the website and the browser sends the cookie to the server, the website believes the malicious actions were initiated by the user.

Cookie Tossing Attack

A malicious site gives the user a cookie that appears to belong to a subdomain of the targeted website. When the user visits the targeted website, all cookies, including the malicious one, are sent along. This cookie affects the contents of the other cookies and performs malicious actions.

For more information on the risks associated with cookies, refer to these blogs on Cookie Attack and Cookie Guide.
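From the defender’s side, each of these risks maps to a cookie attribute or a server habit. This added example (not from the original post) audits a Set-Cookie header for the missing protections: HttpOnly against script access to the cookie, SameSite against the cookie riding along on cross-site requests, Secure, and the __Host- prefix against subdomain cookie tossing. It also shows a login handler issuing a fresh session ID so a fixated one is never honoured. Header values are constructed.

```python
import secrets
from http.cookies import SimpleCookie


def audit_set_cookie(header):
    """Returns a list of findings for one Set-Cookie header; empty means hardened."""
    cookies = SimpleCookie()
    cookies.load(header)
    findings = []
    for name, m in cookies.items():
        # XSS: without HttpOnly, script injected into the page can read document.cookie
        if not m["httponly"]:
            findings.append(f"{name}: missing HttpOnly, readable by injected script")
        # CSRF: without SameSite=Lax/Strict the cookie is sent on cross-site requests
        if m["samesite"].lower() not in ("lax", "strict"):
            findings.append(f"{name}: SameSite not Lax or Strict, sent cross-site")
        # Secure keeps the cookie off plain-HTTP connections
        if not m["secure"]:
            findings.append(f"{name}: missing Secure")
        # Cookie tossing: a Domain attribute lets any subdomain set a same-named cookie;
        # the __Host- prefix forbids Domain and requires Secure and Path=/, so only the
        # exact host can set it
        if m["domain"] or not name.startswith("__Host-"):
            findings.append(f"{name}: Domain set or no __Host- prefix, subdomains can shadow it")
    return findings


def hardened_session_cookie(session_id):
    """The Set-Cookie a login handler should issue for its session id."""
    return f"__Host-session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def issue_login_cookie(presented_sid=None):
    """Session fixation defence: ignore any session id the client arrived with and
    mint a fresh random one at login, so an attacker-chosen id is never honoured."""
    fresh = secrets.token_hex(16)
    return fresh, hardened_session_cookie(fresh)


# Constructed example of a typical weak header
WEAK = "session=abc123; Path=/; Domain=.shop.example"

if __name__ == "__main__":
    print(audit_set_cookie(WEAK))
    print(audit_set_cookie(hardened_session_cookie("demo")))
```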

How to manage Cookies for better security

Relying entirely on developers to do the right thing with cookies can be risky. The good news is that we can control cookies in our browsers to some extent: we can decide which cookies to allow or block. We will discuss two easy options for controlling cookies. See the link for a more in-depth guide.

Option 1: Create a Cookie Control Policy for Your Browser

Every browser provides options for managing cookies. The description below is for Chrome; however, all browsers have similar functionality with minor differences.

1. Open Settings from the main menu in your browser.

2. Navigate to the “Privacy and Security” section and click on “Site Settings”. Click on the “Cookies and Site Data” tab.

3. You can also open it directly by searching for “Cookies” in the search bar at the top and opening the tab.

Figure 3: Chrome’s Cookie settings

4. As the name suggests, here we can allow or block cookies for all websites, clear cookies on every restart, or block third-party cookies.

5. We can manually block, allow, or clear cookies for specific sites, as shown in the figure above.

Option 2: Use a Cookies Management Extension

Browser extensions/add-ons provide additional functionality beyond the browser’s built-in features. Many extensions can be used to edit and manage cookies. To install extensions in Chrome:

1. Open the Chrome Web Store (or the extension store for your browser).

2. Search for “cookies”.

3. This gives a list of cookie-related extensions. Install the currently highest-rated one.

A good extension to get started with is “EditThisCookie”. It lets you see the cookies stored in the browser and block, delete, or edit them on the fly. It can also be used to read cookies and their structure.

Figure 4: EditThisCookie extension in the Brave browser showing Facebook’s cookies

There is no hard limit on the size of a cookie. However, according to the Request for Comments (RFC) 2019 standards, a cookie smaller than 4093 bytes is supported by all browsers. Some browsers support larger cookies, but to be safe 4093 bytes is the recommended size. Similarly, there is no specific limit on how many cookies a browser or a website can have; a safe estimate, however, is a maximum of 30 to 50 cookies per website domain.

If you found this article helpful, make sure you like, subscribe, and share it with people who might be interested. If you think anything is confusing or incorrect please let me know by commenting down below and I will try my best to answer it.

Thank you for reading the article.
