HTTP cookies (also called internet cookies, web cookies, or browser cookies) are small data blocks generated by a web server as users browse a website.
A user’s web browser places these HTTP cookies on their computer or other device used to access a site. More than one cookie can be placed in a session.
When Should You Use An HTTP Cookie?
Cookies provide useful and sometimes crucial web functions. For instance, they allow web servers to collect stateful data (e.g., items added to a shopping cart in an online store) on the user’s device or track the user’s browsing activity (including logging in, clicking specific buttons, or recording pages visited before).
Site builders can also use HTTP Cookies to save information such as a user’s entering form fields (e.g., names, passwords, payment card numbers, and addresses) for future use.
The 5 Types of HTTP Cookies
Web servers commonly use authentication and tracking cookies:
Authentication cookies attest that users are logged in and with which account they did so. Without these cookies, users would have to authenticate by logging into every page containing sensitive that they want to access.
Therefore, an Authentication cookie’s protection against security vulnerabilities (e.g., attackers attempting cross-site request forgery or cross-site scripting) depends on the security of a website issuing the cookie and users’ browsers.
Tracking cookies, and particularly third-party tracking cookies, are used to collect long-term records of people’s browsing history. European law now requires all websites targeting EU member states to obtain users’ “informed consent” before storing non-essential cookies on their devices in response to privacy concerns.
Additional Cookies:
- Session cookies: Exist only in temporary memory as users navigate a site and are deleted or expire when the web browser is closed.
- Persistent cookies: Expire at a specific date or after a certain length of time.
- Secure cookies: Can only be transmitted over an encrypted connection (i.e., HTTPS), not over unencrypted connections (i.e., HTTP).
- HTTP-only Cookies: For safety reasons (e.g., against XXS attacks), client-side APIs cannot access them, such as JavaScript. However, the cookie is still vulnerable to XST and CSRF attacks.
- Same-site cookies: Involve browsers sending cookies to target domains dependent on a Strict, Lax, or None value setting.
- First-party cookie: Cookie’s domain attribute matches the domain shown in the web browser’s address bar.
- Third-party cookie: Cookie’s domain attribute belongs to a domain different from the one shown in the address bar (e.g., content from external sites like banner ads).
Cookie wall: Pops up on a site and informs users of the website’s cookie usage. It has no reject option, and the site is not accessible without tracking cookies. However, in 2020, the European Data Protection Board, composed of all EU data protection regulators, stated that cookie walls were illegal. Also, according to the GDPR and e-Privacy Directive, consent to cookies has to meet several conditions, including that they must be given freely and unambiguously – a reject-all button must be “as easy to withdraw as to give.” In other words, a reject-all button must be as easy to access in terms of clicks and visibility as an ‘accept all’ button.”
