Basic Things About HTTP Cookies and How They Work

Sumonta Saha Mridul
Mar 17, 2023


HTTP Cookies

What is a Cookie?

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to a user's web browser. The browser stores it and sends it back with later requests to the same server.

When you visit a website, some information is saved on your local system so that, when you visit the same website again, the site can recognize your browser and tailor its response to your preferences. This saved information is the cookie.

[Figure: How HTTP cookies work]

Why are cookies important?

1. When you visit a website, your browser requests the page from the server.

2. HTTP is stateless: to the server, every request stands on its own.

3. So if you visit a hundred times, the server sees a hundred unrelated requests and has no built-in way to tell that they all came from the same browser.

4. Keeping state for every visitor on the server is useless unless the server can later work out which visitor a request belongs to; it cannot do that from the request alone, and many visitors never return.

5. So, to recognize you later, the server sends a cookie along with its response, and your browser saves it on your machine.

6. The next time your browser contacts the same server, it sends the cookie back; the server uses it to look up who you are and responds accordingly.

Example: Suppose you visit a website that is not in your local language and you choose English in its language menu. If you visit the same website five times a day, you might have to change the language five times. With a cookie, the browser sends your choice with each request, so the server already knows you want to see the site in English.

[Figure: Difference between cookies and caching in HTTP]

Can cookies cause harm to you?

As cookies save information about you, can they also be used against you? Not by themselves, but the data they carry can be.

A cookie is only sent back to the host it was set for (see the Domain and Path attributes below), so another server does not receive it just because you visited that server's site; the identifier in the cookie is meaningful only to the website's own database.

A cookie is plain data, not code, so it cannot read files saved on your system and cannot deliver viruses or other malware.

Note: a session cookie is a bearer credential. Anyone who obtains its value, for example by reading it from a script running on the page or by intercepting an unencrypted connection, can present it and be treated as you until it expires, which is why session cookies should be set with the HttpOnly and Secure attributes. Third-party cookies, which a site embeds from another domain, are used to follow a user across sites for the third party's benefit (see below).

Types of Cookies

[Figure: Types of cookies]

Session cookies

A session cookie has no Expires or Max-Age attribute. The browser keeps it only for the duration of the browsing session, typically until the browser is closed.

Separately, the server may invalidate the session that the cookie refers to after a period of inactivity chosen by the server (an idle timeout); after that the browser still sends the cookie, but the server no longer accepts it.

Example: shopping cart on eCommerce websites

Persistent Cookies

Persistent cookies carry an Expires or Max-Age attribute and stay on the user's device until that time, so they can remember information, settings, preferences or a "remember me" token across browser restarts.

If a persistent cookie has a maximum age of one year, the browser sends the value set in the cookie with every request to that server for the next year, unless the cookie is deleted or overwritten first.

Example: Gmail login with "remember me"

First Party Cookies Vs Third Party Cookies

First Party Cookies

As illustrated above, if you visit website a.com and the page requests a service from the same domain, a.com, the cookies set by those responses are first-party cookies: their domain is the one shown in the address bar.

Example: Login information, shopping cart items, site preferences, etc.

Third Party Cookies

A cookie is associated with the domain that set it, not with the page that happened to embed the content.

So if you visit a website a.com but that page includes content (an image, iframe, script, etc.) from a different domain b.com, cookies set by b.com's responses are third-party cookies in that context, because they come from a different domain than the one in the address bar, a.com.

Example: an ad network such as DoubleClick sets one cookie that it reads back from every site that embeds its ads, so it can show you targeted ads across the news site, the hotel site, and the blog you read.

[Figure: First-party vs third-party cookies]

HTTP cookies

When your browser sends a request to the server, the server's reply carries a Set-Cookie header whose value serves as an identifier for the user. The next time you visit the same website, the browser sends that cookie back, which lets the server know that you are the same visitor.

Uses of Cookies

Cookies are mainly used for three purposes:

Session management

Identifies the user across requests so that the server can keep state for them.

Example: login, auto-fill, shopping carts.

User Personalization

Keeps the user's preferences and settings, either in the cookie itself or in the server's database keyed by the cookie.

Users get their preferred settings back on the next visit.

Example: theme, language and other setting

Tracking

Records and analyzes the user's browsing habits, often across many sites.

Example: Ad tracking

[Figure: How to check the cookies of a website]

HTTP Cookie properties

1. Cookie Scope

The scope of a cookie determines which URLs the cookie is sent to. It is controlled by two attributes:

Domain attribute

Path attribute

Domain Attribute

The Domain attribute determines which hosts the cookie is sent to; you can think of domains as "buckets" into which cookies are placed.

Each cookie belongs to exactly one domain.

If the attribute is omitted, the cookie is sent only to the exact host that set it, not to its subdomains. If it is set, the cookie is sent to that domain and all of its subdomains. A server may only set it to its own domain or a parent domain, never to an unrelated one.

Example: Domain=mozilla.org, which makes the cookie available on developer.mozilla.org as well.

Path Attribute

The Path attribute indicates a URL path that must be a prefix of the requested URL's path in order for the cookie to be sent in the Cookie header.

Path=/docs;

If you set Path=/docs, these request paths match: /docs, /docs/, /docs/Web/.
These request paths don't match: /docsets, /fr/docs.

2. Expires and Max-Age

Expires: an absolute date after which the browser discards the cookie.

Example: Set-Cookie: id=a3fWa; Expires=Thu, 31 Oct 2021 07:28:00 GMT;

Max-Age: the cookie's lifetime in seconds, counted from the moment the browser receives it. If both attributes are present, Max-Age takes precedence. A Max-Age of zero or less, or an Expires date in the past, tells the browser to delete the cookie.

Example: Set-Cookie: promo_shown=1; Max-Age=2600000;

A cookie with neither attribute is a session cookie. Servers set cookies using the Set-Cookie response header; the browser returns them in the Cookie request header.
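The request/response exchange, the session-versus-persistent distinction and the Domain, Path, Expires and Max-Age rules above can all be checked with a small cookie jar. The following is an added example written for this page, not code from the original post; it parses Set-Cookie headers the way RFC 6265 describes and then builds the Cookie header for a later request. The hostnames, paths, cookie names and values are constructed for the example.

```javascript
// Added example (not from the original post): a minimal cookie jar that
// applies the scope and lifetime rules described above. All hostnames and
// cookie values below are made up for illustration.

// Default-path algorithm (RFC 6265 section 5.1.4): the request path up to,
// but not including, its last slash; "/" when there is no deeper path.
function defaultPath(pathname) {
  if (!pathname.startsWith('/') || pathname.lastIndexOf('/') === 0) return '/';
  return pathname.slice(0, pathname.lastIndexOf('/'));
}

// Parse one Set-Cookie header value into a cookie record.
// `requestUrl` is the URL of the response that carried the header and
// `now` is the receipt time in milliseconds (defaults to Date.now()).
function parseSetCookie(header, requestUrl, now = Date.now()) {
  const url = new URL(requestUrl);
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    domain: url.hostname,          // no Domain attribute: host-only cookie
    hostOnly: true,
    path: defaultPath(url.pathname),
    expires: null,                 // null means a session cookie
  };
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const [rawName, ...rest] = attr.split('=');
    const name = rawName.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (name === 'domain' && val) {
      cookie.domain = val.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;     // now also sent to subdomains
    } else if (name === 'path' && val.startsWith('/')) {
      cookie.path = val;
    } else if (name === 'max-age' && /^-?\d+$/.test(val)) {
      maxAge = Number(val);
    } else if (name === 'expires') {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) expires = t;
    }
    // Other attributes (Secure, HttpOnly, SameSite) are ignored here.
  }
  // Max-Age wins over Expires when both are present; zero or negative
  // Max-Age expires the cookie immediately.
  if (maxAge !== null) cookie.expires = maxAge <= 0 ? 0 : now + maxAge * 1000;
  else if (expires !== null) cookie.expires = expires;
  return cookie;
}

// Domain matching (RFC 6265 section 5.1.3): a host-only cookie goes only to
// the exact host; a cookie with a Domain attribute also goes to subdomains.
function domainMatches(host, cookie) {
  host = host.toLowerCase();
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// Path matching (RFC 6265 section 5.1.4): /docs matches /docs, /docs/ and
// /docs/Web/, but not /docsets or /fr/docs.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Build the Cookie request header for a URL from the stored cookies,
// dropping anything that has expired or is out of scope.
function cookieHeaderFor(jar, requestUrl, now = Date.now()) {
  const url = new URL(requestUrl);
  return jar
    .filter(c => c.expires === null || c.expires > now)
    .filter(c => domainMatches(url.hostname, c))
    .filter(c => pathMatches(url.pathname, c.path))
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Walk through the exchange: three constructed Set-Cookie headers received
// at time t0, then two later requests.
const t0 = Date.parse('2023-03-17T00:00:00Z');
const jar = [
  parseSetCookie('id=a3fWa; Path=/; HttpOnly', 'https://www.example.com/login', t0),
  parseSetCookie('lang=en; Domain=example.com; Path=/docs; Max-Age=2600000',
                 'https://www.example.com/docs/start', t0),
  parseSetCookie('promo=1; Expires=Thu, 31 Oct 2021 07:28:00 GMT',
                 'https://www.example.com/', t0),          // already expired
];
console.log(cookieHeaderFor(jar, 'https://www.example.com/docs/Web/', t0 + 1000));
// id=a3fWa; lang=en   (promo is expired and dropped)
console.log(cookieHeaderFor(jar, 'https://help.example.com/docs', t0 + 1000));
// lang=en             (host-only cookie "id" does not travel to subdomains)
```

The two printed lines are the Cookie headers a browser would attach: the session cookie `id` has no expiry and only reaches the exact host that set it, the persistent `lang` cookie reaches every subdomain of example.com under /docs, and the cookie whose Expires date has already passed is never sent.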

3. SameSite Attribute

When a page on one site causes a request to another site (by a link, a form, an embedded image or iframe, or a script calling fetch), the browser has to decide whether cookies for that other site go along with the request. This is where the SameSite attribute comes into play: it lets servers specify whether, and when, a cookie is sent with cross-site requests.

1. You type the URL www.example.com into the address bar.

2. The response sets a first-party cookie for www.example.com.

3. On www.example.com, a script sends a fetch request to www.cookie.com (or the page embeds an image or iframe from it).

4. The response from www.cookie.com sets a cookie with Domain=cookie.com.

5. The browser now holds a cookie for cookie.com that was set while you were on www.example.com; in that context it is a third-party cookie. Whether it is sent on later cross-site requests depends on its SameSite value.

Values of SameSite

The SameSite attribute takes one of three values, which control whether the cookie is sent with cross-site requests:

Strict

The cookie is sent only with requests that originate from the same site that set it. It is not sent with any cross-site request, not even when the user follows a link from another site; the first page load after such a click arrives without the cookie.

In other words, Strict completely blocks the cookie from being sent to a.com whenever a page on b.com causes the request.

Example: Set-Cookie: mykey=myvalue; SameSite=Strict

Lax

The cookie is sent with same-site requests and, in addition, with cross-site top-level navigations that use a safe method, such as the user clicking a link to the site. It is not sent with cross-site subresource requests (images, iframes, fetch) or with cross-site POST requests, which is what blocks most cross-site request forgery.

Chromium-based browsers have treated cookies without a SameSite attribute as Lax since 2020.

None

The cookie is sent in all contexts, on same-site and cross-site requests alike, which is what lets a third-party cookie track a user across sites.

Browsers only accept SameSite=None when the cookie also carries the Secure attribute, so such a cookie is only ever sent over HTTPS.

Example: Set-Cookie: mykey=myvalue; SameSite=None; Secure
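The three SameSite values, and the first-party/third-party distinction they act on, come down to one decision per request. The following is an added example written for this page, not code from the original post: it models that decision for Strict, Lax and None and for a cookie with no attribute. It assumes that a "site" is the last two labels of the hostname (so www.example.com and shop.example.com are the same site); real browsers use the Public Suffix List, which this example does not include, so hosts such as foo.co.uk would be judged wrongly. The hostnames, cookie names and scenarios are constructed.

```javascript
// Added example (not from the original post): which cookies travel with a
// request under each SameSite value. Site comparison is simplified to the
// last two host labels (an assumption; browsers use the Public Suffix List).
// All hostnames and cookie names below are made up for illustration.

function siteOf(host) {
  const labels = host.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

// request: { url, initiator, method, topLevelNavigation }
//   url                 where the request goes
//   initiator           hostname of the page that caused the request, or
//                       null for a URL typed into the address bar
//   method              HTTP method
//   topLevelNavigation  true for a link click or form submission that changes
//                       the address bar; false for images, iframes and fetch()
// cookie: { name, sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure }
function shouldSend(cookie, request) {
  const target = new URL(request.url);
  const sameSite = request.initiator === null
    || siteOf(request.initiator) === siteOf(target.hostname);
  if (sameSite) return true;      // same-site requests always carry the cookie

  // Chromium-based browsers treat a missing attribute as Lax (since 2020).
  const mode = (cookie.sameSite || 'Lax').toLowerCase();
  switch (mode) {
    case 'strict':
      return false;               // never on a cross-site request
    case 'lax': {
      const safe = ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(request.method.toUpperCase());
      return request.topLevelNavigation && safe;   // link clicks only
    }
    case 'none':
      // None is only honoured together with Secure, i.e. over HTTPS.
      return cookie.secure === true && target.protocol === 'https:';
    default:
      return false;
  }
}

// Constructed cookies stored for www.example.com.
const stored = [
  { name: 'session', sameSite: 'Strict', secure: true },
  { name: 'prefs', sameSite: 'Lax', secure: true },
  { name: 'ads', sameSite: 'None', secure: true },
  { name: 'legacy', secure: false },            // no SameSite attribute at all
];

// Constructed request scenarios.
const scenarios = {
  // the user clicks a link on news.example.org that points at www.example.com
  linkClick: { url: 'https://www.example.com/account', initiator: 'news.example.org',
               method: 'GET', topLevelNavigation: true },
  // news.example.org embeds an <img> or calls fetch() against www.example.com
  subresource: { url: 'https://www.example.com/api/track', initiator: 'news.example.org',
                 method: 'GET', topLevelNavigation: false },
  // a form on another site submits a POST to www.example.com (the CSRF case)
  crossSitePost: { url: 'https://www.example.com/transfer', initiator: 'other.example.net',
                   method: 'POST', topLevelNavigation: true },
  // navigation between two subdomains of the same site
  sameSiteNav: { url: 'https://www.example.com/', initiator: 'shop.example.com',
                 method: 'GET', topLevelNavigation: true },
};

function sentCookies(request) {
  return stored.filter(c => shouldSend(c, request)).map(c => c.name);
}

for (const [label, req] of Object.entries(scenarios)) {
  console.log(label, sentCookies(req));
}
// linkClick     [ 'prefs', 'ads', 'legacy' ]
// subresource   [ 'ads' ]
// crossSitePost [ 'ads' ]
// sameSiteNav   [ 'session', 'prefs', 'ads', 'legacy' ]
```

Reading the four results against the text: the Strict cookie never leaves its own site, even for the link click; the Lax cookie (and the cookie with no attribute, under the Lax default) rides along only on the top-level GET navigation, so the cross-site POST arrives without it; and only the None cookie, which must be Secure, is attached to the embedded-content request that a tracker would make.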

Conclusion

Overall, HTTP cookies play an important role in website functionality and personalization, but it is important for both website operators and users to be aware of their potential implications for privacy and security. As technology continues to evolve, it will be interesting to see how cookies and other website tracking tools continue to adapt to changing user needs and preferences.
