What are HTTP Cookies
Imagine that you went to a coffee shop, ordered a latte, and were given a glass with a sticker: “Grisha, latte without sugar”. The next time you come, the barista already knows your taste, asks nothing and prepares your order immediately. Convenient? This is approximately how HTTP cookies work on the Internet.
Cookies are small text files that sites leave in your browser. They’re like stickers: “this user is Ivan,” “he likes the dark theme,” “he has headphones in his shopping cart.” Every time you return to a website, your browser sends cookies back, and the website “recognizes” you.
Without cookies, the internet would be amnesiac: you visit a website, log in, navigate to another page, and you’re a guest again. Cookies allow websites to remember who you are, what you’ve done, and where you’ve been. It’s as if the browser kept a notebook with notes for every site you looked at.
Who Invented Cookies and Why
Cookies didn’t appear yesterday. They were invented in the mid-1990s, when the Internet was just beginning to gain popularity. At that time, the web was as simple as possible: each page lived separately, and sites could not “remember” the user from one transition to another.
Netscape (then one of the main forces in Internet browsers) faced a problem: how to give the site the ability to “remember” the user? For example, if you added an item to your cart and then went to another page – what if the site “doesn’t remember” your cart?
This is how the idea of cookies was born. They became the first bricks in the construction of a dynamic and personalized web. Before that, sites were just storefronts. With the advent of cookies, the era of user “recognition” began: personalized greetings, saved settings, and recommendations — all of this became possible thanks to cookies.
Types of Cookies: Not All Are the Same
Now that we know that cookies are like stickers with information, let’s explore the different types of cookies. Not all cookies are created equal.
- Session cookies: these exist only while the browser is open. Close the tab and they disappear. It’s like taking a number in a cafe and handing it back when you leave. Such cookies usually store temporary data: for example, authorization on the site or temporary filters in the catalog.
- Persistent cookies: these are the long-lived ones. They are stored for days, weeks, and sometimes for years. They are what allow sites to remember who you are, even if you come back a month later. Thanks to persistent cookies, you don’t have to enter a login and password every time or change the language.
- First-party vs third-party cookies:
  - First-party cookies are cookies set by the very site you are on. For example, you are on the bank’s website, and it stores cookies about your session.
  - Third-party cookies are cookies of third-party sites that are embedded through ads, widgets or metrics. For example, Facebook can insert a cookie on any site where there is a “Share” button, and thus track your activity all over the Internet.
- HttpOnly, Secure, SameSite: these are not types, but security flags:
  - HttpOnly — the cookie cannot be read by JavaScript scripts (to prevent it from being stolen through XSS).
  - Secure — the cookie is only transmitted over HTTPS, not over open HTTP.
  - SameSite — restricts cookie transmission between sites, protecting against CSRF attacks.
Each of these flags makes the cookie a little less vulnerable, which means that your interaction with the website is a little safer.
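A site owner can check these three flags directly on the Set-Cookie headers the server emits. The script below is an added example, not code from the original article; the header strings are constructed samples and `widget_id` is a made-up cookie name.

```python
# Constructed sample headers (not captured traffic). user_id=64572 is the
# value used in the article; widget_id is a made-up cookie name.
WEAK = "user_id=64572; Path=/"
HARDENED = "user_id=64572; Path=/; Secure; HttpOnly; SameSite=Lax"
CROSS_SITE = "widget_id=w1; Path=/; Secure; HttpOnly; SameSite=None"


def parse_set_cookie(header):
    """Return (cookie name, {lowercased attribute: value}) for one header value."""
    pair, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return pair.partition("=")[0], attrs


def audit_cookie(header):
    """List the security flags that a Set-Cookie header value is missing."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly, scripts can read it (XSS theft)")
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure, can travel over plain HTTP")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax", "none"):
        findings.append(f"{name}: no SameSite, cross-site policy left to the browser default")
    elif samesite == "none":
        findings.append(f"{name}: SameSite=None, sent on cross-site requests (no CSRF protection)")
    return findings


if __name__ == "__main__":
    for header in (WEAK, HARDENED, CROSS_SITE):
        print(header)
        for finding in audit_cookie(header) or ["ok: all three flags set"]:
            print("  " + finding)
```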
What’s Stored In Cookies And What Shouldn’t Be There
Okay, we know that cookies are stickers with information. But what exactly is written there? And is there a risk that someone will write something too personal?
What is usually stored:
- Session ID: so that the site knows that you are you while you surf its pages.
- Login/nickname (but not password!).
- Language or theme settings.
- Preferences, for example, which products you look at more often.
- The contents of the basket.
What should not be:
- Passwords.
- Card numbers.
- Addresses, passport data.
Why? Because cookies are not encrypted. Anyone who has access to them (for example, a malicious script on a website) can read their contents. Therefore, storing sensitive information in cookies is a bad idea.
Additionally, cookies are a vulnerable point. If they are not used carefully, an attacker can:
- Steal your session and impersonate you.
- Gain access to your administrative account.
- Get information about your habits (in the case of third-party cookies).
Bottom line: cookies are useful. But only if you use them wisely. It’s like with the stickers in cafes: a name is fine, but a card number is too much.
How Cookies Work — Step By Step
Let’s say you visit a store’s website. Here’s what an example scenario looks like in reality:
- You enter the website: the server says: “Here’s a cookie for you — user_id=64572;”
- You open a new page: the browser automatically sends: Cookie: user_id=64572.
- You buy an item: the server updates the cookie — now it contains information about the shopping cart.
- You close the browser: session cookies disappear, and persistent ones remain.
- You come back a day later: the persistent cookie is still there, and the site “remembers” you.
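The five steps above, replayed against a toy browser cookie jar. This is an added example, not code from the original article; the separate `cart` cookie, the 30-day Max-Age and the timestamps are assumptions made for illustration, and only Max-Age (not Expires) is handled.

```python
class CookieJar:
    """Toy browser cookie store: name -> (value, expiry time or None)."""

    def __init__(self):
        self.cookies = {}

    def store(self, set_cookie, now):
        """Handle one Set-Cookie header value received at time `now` (seconds)."""
        pair, *attrs = [p.strip() for p in set_cookie.split(";")]
        name, _, value = pair.partition("=")
        expires_at = None  # no Max-Age means a session cookie
        for attr in attrs:
            key, _, val = attr.partition("=")
            if key.lower() == "max-age":
                expires_at = now + int(val)
        self.cookies[name] = (value, expires_at)

    def cookie_header(self, now):
        """Build the Cookie request header, dropping expired cookies first."""
        self.cookies = {n: c for n, c in self.cookies.items()
                        if c[1] is None or c[1] > now}
        return "; ".join(f"{n}={c[0]}" for n, c in self.cookies.items())

    def close_browser(self):
        """Session cookies do not survive a browser close; persistent ones do."""
        self.cookies = {n: c for n, c in self.cookies.items() if c[1] is not None}


def run_scenario():
    """Return the Cookie header the browser sends at steps 2, 3 and 5."""
    day = 86400
    jar, sent = CookieJar(), []
    # Step 1: first visit. Persistent ID plus a session-only cart (assumed).
    jar.store("user_id=64572; Max-Age=2592000; Path=/", now=0)
    jar.store("cart=empty; Path=/", now=0)
    # Step 2: a new page, the browser sends the cookies back automatically.
    sent.append(jar.cookie_header(now=10))
    # Step 3: purchase, the server overwrites the cart cookie.
    jar.store("cart=headphones; Path=/", now=20)
    sent.append(jar.cookie_header(now=30))
    # Step 4: the browser is closed. Step 5: the user returns a day later.
    jar.close_browser()
    sent.append(jar.cookie_header(now=day))
    return sent


if __name__ == "__main__":
    for header in run_scenario():
        print("Cookie:", header)
```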
If it weren’t for cookies, the site would forget you every time, and you would have to re-log in, select a language, restore the basket, etc.
Cookies, Advertising And Tracking: Where The Scandals Come From
And here’s where the interesting part begins. Until now, cookies were seemingly harmless. But then the marketers came into the game.
How it works:
- You go to site X, where ads from company Y are embedded.
- The ad block from Y sets its own cookie in your browser (a third-party cookie).
- Then you go to site Z, where there is also an ad from Y.
- Company Y checks its cookies: “Yeah, he was on both X and Z, so he is probably interested in these things.”

This is how you get retargeting — ads that literally follow you around the internet: “Did you look for an iron? Here’s an iron. Iron. Iron. Iron!”
Examples of tracking:
- Facebook Pixel — sets a third-party cookie to know who visits a website.
- Google Analytics — analyzes behavior, clicks, and time spent on a page.
- Ad networks — collect data about preferences for behavioral advertising.
Always bear in mind that cookies can be stolen; you can read more about this in our article.
The problem: Users are often unaware that they are being tracked. And cookies are a quiet and effective tool for surveillance. It is because of this that cookies have been under the magnifying glass of regulators — from public activists to the European Union.
Law And Cookies: Why Now Everyone Warns
You’ve definitely seen it: you enter a website and immediately a banner pops up: “We use cookies! Accept?”
This is not done out of concern for you. This is the law. The main regulations:
- GDPR (EU) – requires clear user consent for the installation of non-essential cookies (all analytics, advertising, etc.).
- ePrivacy Directive – another European document focused on communication and privacy.
- CCPA (USA) – regulates data collection and transfer in California.
What does this mean for websites:
- You can’t just install trackers without permission.
- You need to explain what cookies are used for and why.
- You need to give users the option to opt out or customize their settings.
How websites do this:
- They actually ask for consent and categorize cookies.
- They use cookie managers like Cookiebot.
- Some websites use a trick: they show a banner but still set cookies. This is called a dark pattern.
The law requires informed consent. But sites often “hide” the “refuse” button or make it unattractive – just so you agree.
Conclusion: Cookies Are Not Evil
So, what have we found out?
Cookies are:
- A convenient tool that helps sites remember the user.
- A mechanism without which it would be difficult to implement baskets, authorization and language settings.
- A standard that has been in the core of the web for over 25 years.
But:
- They have become a weapon for surveillance in the hands of advertising networks.
- They are being abused by third parties.
- They are affecting privacy, even if you don’t know about it.
What’s next?
- Cookies are dying. More specifically, third-party cookies are gradually being replaced.
- Google Chrome has promised to abandon them (they have postponed the deadline many times, but the process is underway).
- They are being replaced by:
  - localStorage/sessionStorage — similar mechanisms, but without transferring to the server.
  - Fingerprinting — a more sophisticated way of identification without cookies at all.
And perhaps in the future we will live in a world without cookies at all. But for now…
Cookies are like salt: without it, the food is tasteless, but if you overdo it — there will be trouble.