Basic Things About HTTP Cookies and How They Work

What is a Cookie?
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to a user's web browser.
When you visit a particular website, some information is saved on your local system so that when you visit the same website again, the website is able to recognize you and show you results according to your preferences. This saved information is called a cookie.

Why are Cookies important?
1. When you visit a website, you actually request the web page from the server.
2. For a server, every request is a unique request.
3. So, if you visit a hundred times, the server will consider each and every request unique.
4. It is impractical to store every user's data on the server, because a huge number of requests arrive at it.
5. Maybe you never visit again, and the stored information would be redundant.
6. So, to remember you uniquely, the server sends cookies along with the response, which are saved on your local machine.
7. The next time you hit the same server, you will get a response tailored to you, because the server recognizes you.
Example: Suppose you visit a website that is not in your local language. You choose the English option in the language section of the website. If you visit the same website 5 times a day, you might have to change the language 5 times. But if cookies are enabled, the next time you send the request, the server will know that you want to see the website in English.

Can cookies cause harm to you?
As cookies save your information, do they also bring harm to you? The answer is NO.
A cookie cannot be used by any other server, as the id saved in your cookie is directly mapped to the website's database.
A cookie can never be used to access any information saved on your system.
A cookie cannot be used to deliver viruses or any other threats.
Note: If a third-party website is granted permission by the user to use cookies, it can use them to gather information about that user for its own benefit.


Types Of Cookies
Session cookies
A session cookie lasts only for the duration of the user's visit to the website.
A session cookie expires if the user does not access the website for a period of time chosen by the server (idle timeout).
Example: shopping cart on eCommerce websites
Persistent Cookies
Persistent cookies are stored on a user's device to help remember information, settings, preferences, or sign-on credentials that the user has previously saved.
If a persistent cookie has a maximum age of 1 year, then for that year the value initially set in the cookie is sent back to the server every time the user visits the server.
Example: Gmail Login — remember me

First Party Cookies
As illustrated above, if you visit website a.com and access a service from the same domain name a.com, the cookies generated are considered first-party cookies.
Example: Login information, shopping cart items, site preferences, etc.
Third Party Cookies
A cookie is associated with a particular domain and scheme.
If instead you visit website a.com but that page includes content (an image, an iframe, etc.) from a different domain name b.com, cookies set by b.com are considered third-party cookies because they come from a different name than the one in the URL bar, a.com.
Example: DoubleClick showing you targeted ads on multiple other sites you visit, like a news site, a hotel site, or a blog you read.


HTTP cookies
When you send a request to the server, the server sends a reply in which it embeds a cookie that serves as an identifier for the user. So, the next time you visit the same website, the cookie lets the server know that you are visiting again.

Uses of Cookies
Cookies are mainly used for three purposes:
Session management
Secure interaction between users and the application server.
Example: login, auto-fill, shopping carts.
User Personalization
Keeps user preferences and settings saved in the central database.
Users return to their preferred settings on the next visit.
Example: theme, language and other settings
Tracking
Records and analyzes the user's browsing habits.
Example: Ad tracking

HTTP Cookie properties
1. Cookie Scope
The scope of a cookie determines which URLs the cookie should be sent to. The scope splits into two attributes:
Domain attribute
Path attribute
Domain Attribute
The Domain attribute is a "bucket" in which cookies are placed.
Each cookie belongs to a single domain.
The Domain attribute specifies which hosts can receive the cookie.
Example: Domain=mozilla.org
Path Attribute
The Path attribute indicates a URL path that must exist in the requested URL in order to send the Cookie header.
Path=/docs;
If you set Path=/docs, the request paths /docs and /docs/Web/ match.
The request path /docsets does not match.
2. Expires and Max-age
Expires: the lifetime of the cookie, given as an absolute date and time
Example: Set-Cookie: id=a3fWa; Expires=Thu, 31 Oct 2021 07:28:00 GMT;
Max-Age: the lifetime of the cookie, given as a number of seconds from when it was received
Example: Set-Cookie: promo_shown=1; Max-Age=2600000;
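As an added example (not code from the original post), here is a small Python model of what a browser checks before attaching a cookie, covering the Cookie Scope and Expires/Max-Age sections above: Domain matching, Path matching and the expiry deadline. The sample headers are the ones from the text; the defaults for a missing Domain (host-only) and a missing Path ("/") are simplifications marked in the comments.

```python
from datetime import timedelta
from email.utils import parsedate_to_datetime

def parse_set_cookie(header, origin_host):
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(),
            "attrs": attrs, "origin_host": origin_host.lower()}

def domain_matches(request_host, cookie_domain):
    """Domain attribute: the named host and every subdomain of it receive the cookie."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)

def path_matches(request_path, cookie_path):
    """Path attribute: Path=/docs matches /docs and /docs/Web/ but not /docsets."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def expires_at(cookie, received_at):
    """Max-Age counts seconds from receipt; Expires is an absolute date; neither means a session cookie (None)."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return received_at + timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"])
    return None

def should_send(cookie, request_host, request_path, now, received_at):
    """Decide whether this cookie is attached to a request for request_host/request_path."""
    attrs = cookie["attrs"]
    deadline = expires_at(cookie, received_at)
    if deadline is not None and now >= deadline:
        return False                      # expired persistent cookie
    if "domain" in attrs:
        if not domain_matches(request_host, attrs["domain"]):
            return False
    elif request_host.lower() != cookie["origin_host"]:
        return False                      # no Domain attribute: host-only cookie
    # Simplification: default Path is "/"; browsers derive it from the request URL.
    return path_matches(request_path, attrs.get("path", "/"))
```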

3. SameSite Attribute
When you click a link on a page, your cookies can be sent along with the request for the new page you are directed to. This is where the SameSite attribute comes into play: it lets servers specify whether and when cookies are sent with cross-site requests.
1. You type in the URL www.example.com
2. You will receive a first-party cookie
3. On www.example.com, you click a link or button that sends a Fetch request to www.cookie.com.
4. www.cookie.com sets a cookie with Domain=cookie.com
5. www.example.com now holds a third-party cookie from www.cookie.com.

The SameSite attribute specifies whether third-party cookies are sent, using one of three values:
Strict
Restricts cross-site sharing altogether.
Cookies with this setting can be accessed only when visiting the domain from which they were initially set.
In other words, Strict completely blocks a cookie being sent to a.com when a page from b.com makes the request.
Example: Set-Cookie: mykey=myvalue; SameSite=Strict
Lax
Cookies are sent only when the user actively clicks a link to the third-party website.
All the sites belonging to the same domain can set and access cookies.
None
Allows third-party cookies to track users across sites.
Cookies can be used across sites.
Cookies are sent in all contexts, on both originating and cross-site requests.
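An added example, not code from the original post: a Python model of the SameSite decision for the five-step www.example.com / www.cookie.com scenario above, run once as an embedded Fetch request and once as a link click. The site_of helper is a simplification (last two labels of the hostname, no Public Suffix List); the hostnames are the ones from the text.

```python
def site_of(host):
    """Site = registrable domain. Simplification: take the last two labels of the
    hostname; real browsers consult the Public Suffix List (co.uk etc. differ)."""
    return ".".join(host.lower().split(".")[-2:])

def samesite_allows(samesite, initiator_host, target_host, top_level_navigation, method):
    """Return True if a cookie with this SameSite value is attached to a request
    made from a page on initiator_host to target_host."""
    mode = samesite.lower()
    if site_of(initiator_host) == site_of(target_host):
        return True                      # same-site: every mode sends the cookie
    if mode == "strict":
        return False                     # never sent cross-site
    if mode == "lax":
        # Sent only when the user navigates to the site (a link click) with a
        # safe method; embedded fetches, images and iframes get nothing.
        return top_level_navigation and method.upper() in ("GET", "HEAD")
    if mode == "none":
        # Sent in every context (browsers also require the Secure attribute here).
        return True
    raise ValueError(f"unknown SameSite value: {samesite!r}")

def page_scenario():
    """The scenario from the text: a page on www.example.com triggers a request to
    www.cookie.com, whose cookie has Domain=cookie.com. Once as an embedded Fetch
    request, once as a link click (top-level navigation)."""
    results = {}
    for mode in ("Strict", "Lax", "None"):
        results[mode] = {
            "fetch": samesite_allows(mode, "www.example.com", "www.cookie.com", False, "GET"),
            "link_click": samesite_allows(mode, "www.example.com", "www.cookie.com", True, "GET"),
        }
    return results

if __name__ == "__main__":
    for mode, outcome in page_scenario().items():
        print(f"SameSite={mode}: {outcome}")
```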

Conclusion
Overall, HTTP cookies play an important role in website functionality and personalization, but it is important for both website operators and users to be aware of their potential implications for privacy and security. As technology continues to evolve, it will be interesting to see how cookies and other website tracking tools continue to adapt to changing user needs and preferences.