What Are Browser Cookies - The Ultimate Guide
What are Cookies?
Web browsers create simple text files called cookies when you visit web sites on the internet. Your device stores the text files locally, allowing your browser to access the cookie and pass data back to the original web site.
And what they are not
Internet cookies are not programs or viruses and do nothing on your computer/device by themselves. Cookies simply store information with the aim of improving your web experience and helping to speed up the internet.
Why does my Browser create Cookies?
Web sites you visit, or providers of advertising banners on the page you are viewing, can tell your browser to create a cookie. They create the cookie to hold data about you, keeping track of your activity and preferences. The aim is to improve the web site and perhaps speed up your experience by not needing to ask for the same information multiple times.
What do web sites do with this information?
Typically web sites store basic information such as the web site's name and your user id. A web site can then use the stored data to retrieve your preferences when you next visit. They may also record other information about your activity, for example by storing your search queries. This information is then used to present targeted adverts.
Should I worry about Cookies on my device?
Some people consider the cookie to be a simple, harmless tool designed to make your life easier. Remember it is only a simple text file and by itself cannot do your device any harm.
Others look at internet cookies as if they were evil and intrusive spying mechanisms, tracking your every move on the internet.
What do you think, good or bad?
• Harmless text file . . .
• Intrusive spying tool . . .
• Or simply misunderstood?
• Let’s find out . . .
Are all types of Internet Cookie the same?
The internet cookie has many names and aliases, which can all add to the confusion over what they are. HTTP, Web, Computer or Browser can be placed in front of the “cookie” name. They all relate to the same simple text file used to store information.
Other terms, such as transient or persistent, can be used to refine how the text file is stored. There are then variations such as Secure Cookies or Third-Party Cookies, which behave a little differently.
There are other even more exotic types…
The Flash Cookie and the Zombie Cookie are very different creatures, raising concerns around privacy. I will explain each type later and why you may want to try and avoid some of the more exotic versions.
Why are Cookies called Cookies?
The term “Cookie” is a strange name to give to a small text file. There are many different stories about where the cookie name came from. The browser cookie concept can trace its beginnings back to Netscape Communications in 1994. A programmer called Lou Montulli had the idea of using a text file to store information. This file would store purchases on each user’s local computer as a way of creating a virtual shopping cart.
Further back in history the mystery begins:
The true beginnings of the term “cookie” are quite hidden. Here is a selection of the most popular origin stories. Read through them and vote for the one you like best, and if you have any other internet cookie stories, then leave a comment.
The Hansel and Gretel Cookie Theory
Some people believe the name for internet cookies came from the fairy tale about two children called Hansel and Gretel. The children were able to mark their trail through a dark forest by dropping “cookie crumbs” behind them so that they could see where they had been. I think this story paints a nice picture of the ability that internet cookies have to track your activity.
The Cookie Monster Easter Egg
After a clever programmer left his company, strange things began to happen. Every so often, the computer system would completely stop and the screen would display a message: “Gimme a cookie”. The system would not return to normal until the operator entered the word “cookie” into the system. The root cause was well hidden in the code and could not be found or removed without a complete rewrite. It was decided to leave the code in place and train users to “give the machine a cookie”!
The Magic Ticket Cookie
The “Magic Cookie” is another internet cookie story that I came across. Programmers used the name magic cookie to refer to a token or a short piece of data that passed between programs. The contents of this cookie file could not be seen and would not usually be accessed until a program had passed the file back to the sender at a later time. The file is often used like a ticket to identify a particular event or transaction. Sounds similar to the browser cookies we know today.
The Chinese Fortune Cookie
Some people may have heard of the Fortune Program from large Unix systems. At startup the system would present a new quote, joke or general information to the user who was logging in. The information was stored in what was called a “cookie file”. Local administrators often changed the file to add their own personal statements. So did the internet cookies we know today get their name from this Unix program?
Are there any Security Concerns with Cookies?
Internet cookies by themselves are safe. They simply store information that you have entered or they receive from your browser. That information is only available to the web site that you were visiting.
But, there is a but :
It is possible for them to be used for malicious purposes. They can be used as a form of spyware. There are many anti-spyware packages available. Some of them will list certain internet cookies as potential threats. All browsers have built-in privacy controls nowadays. These controls can provide levels of cookie acceptance, retention time, and disposal. Backing up your computer can give you the peace of mind that your files are safe.
So what Risks do Cookies present to me?
Cookies are not programs, as they cannot do anything by themselves. They simply act as a temporary storage space on your local device. A text file cannot gather any information by itself. It is not able to collect any personal information from your machine. These text files can be viewed through a simple editor, although normally they are encrypted to help protect your personal information.
Cross-Domain Theft – What is it?
Each file can only be accessed from the internet by the original web site that created the file. This is a key security feature built into every browser. This security concept is referred to as Same-origin Policy and is integrated into every web application’s security model. In principle a web browser will allow a script in one web page to access data in a second web page only if both web pages are from the same origin, i.e. the same web site domain. This helps to protect your computer and personal data from cross-domain data theft. The term cross-domain describes one web site domain trying to read the information created and stored by a different web site domain. Preventing cross-domain access ensures that web site abc.com cannot read a cookie that was created by web site xyz.com.
What about Viruses?
Internet cookies do not have viruses in them. They are not capable of installing malware onto your device. So you don’t need to worry that some weird cookie will carry a virus and spread problems on your device.
But then again - there are Tracking Cookies!
Tracking Cookies can store long-term details of your browsing history and patterns. These often take the form of third-party tracking cookies. This long-term storage of your activity does raise serious privacy concerns. It encouraged European and US governments to take action during 2011. Cookie Law is a topic that is growing and I will be writing an article to discuss how the new EU cookie directive affects web sites. EU Law coming soon.
What types of cookies are there?
Hopefully we now have an understanding of what cookies are used for. Let us now look at the different types of internet cookie and their use. There are two main types of file. One is a session cookie and the other is a persistent cookie. Each has a different role to play. Let's read a little more and understand the differences.
• Session Cookies :
A session cookie, also known as a transient cookie, is stored in temporary memory and remains available for the duration of your active “session” within the browser. When you close your browser it is automatically removed from memory. On your next visit to the web site, you will not be recognized and will therefore be treated as a completely new person. This is because there is nothing in the browser to let the web site know you have previously visited.
• Short-term Cookies Play Nice :
This type of cookie can allow a web site to keep track of your movement from page to page within that web site during an active session. This helps ensure that a web page does not ask for the same information multiple times. This is beneficial as it negates the need to log in multiple times as you navigate from one page to the next. Session cookies do not collect information about the user, but typically store data in the form of a unique identifier that does not personally identify you. They are never written to the hard drive. Often they are set to become invalid after a time period of inactivity.
• Persistent Cookies :
A persistent cookie, also known as a stored cookie, is a file that is stored on a user’s computer or device. This is the type of cookie most people are familiar with. These text files are created and stored on your hard drive. The file remains on the device until it reaches its expiration date. At this point the browser purges the cookie from the hard drive. On every subsequent visit to the web site the browser will send the cookie file back to the web site. Because a cookie’s information can uniquely identify a client, it can indicate how the user initially came to this web site. For this reason, they are also sometimes referred to as tracking cookies.
So why have them?
The benefit of a persistent cookie is that it can result in faster and more convenient access, as it can store login details that remove the need to log in on each visit to the web site. In addition to authentication, other web site features are possible through the use of the persistent cookie, such as menu preferences, preferred theme, language selection or even internal site bookmarks. On your first visit, the web site is presented in default mode. During this time, you select your preferences and they are remembered, like a session cookie. But they persist from session to session. The web server issues an expiration date, which is added to the text file. In some cases, persistent cookies are set for very long time frames. These can also help a webmaster find out who is a new viewer and who is a returning viewer.
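The difference between a session and a persistent cookie is visible in the `Set-Cookie` header the server sends. The following is an added example, not code from the original article, that classifies headers by lifetime and reports the `Secure` and `HttpOnly` flags; the function names, the sample headers and the 365-day "long-lived" threshold are assumptions made for the illustration.

```javascript
// Added example: classify Set-Cookie headers as session or persistent.
// Header strings used with these functions here are constructed samples.

// Split one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const first = parts[0] || '';
  const eq = first.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : first.slice(0, eq),
    value: eq === -1 ? first : first.slice(eq + 1),
    attrs: {},
  };
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Seconds until expiry, or null when neither Max-Age nor Expires is usable
// (a session cookie). Max-Age wins over Expires, as in RFC 6265.
function lifetimeSeconds(cookie, now) {
  const maxAge = cookie.attrs['max-age'];
  if (typeof maxAge === 'string' && /^-?\d+$/.test(maxAge)) return Number(maxAge);
  const expires = cookie.attrs.expires;
  if (typeof expires === 'string') {
    const t = Date.parse(expires);
    if (!Number.isNaN(t)) return Math.round((t - now.getTime()) / 1000);
  }
  return null;
}

// longLivedDays is an assumed review threshold, not a standard value.
function classify(header, now, longLivedDays = 365) {
  const cookie = parseSetCookie(header);
  const life = lifetimeSeconds(cookie, now);
  let kind = 'persistent';
  if (life === null) kind = 'session';
  else if (life <= 0) kind = 'expired'; // the browser deletes it at once
  const days = life === null ? null : life / 86400;
  return {
    name: cookie.name,
    kind,
    days,
    longLived: kind === 'persistent' && days > longLivedDays,
    secure: cookie.attrs.secure === true,
    httpOnly: cookie.attrs.httponly === true,
  };
}

// Constructed sample headers and a fixed reference time for repeatable output.
const NOW = new Date('2020-03-24T00:00:00Z');
const SAMPLES = [
  'sid=abc123; Path=/; Secure; HttpOnly',
  'lang=en; Max-Age=2592000; Path=/',
  'uid=3E7ETW278UT; Expires=Sun, 24 Mar 2030 00:00:00 GMT; Domain=adverts.com',
];
for (const h of SAMPLES) console.log(classify(h, NOW));
```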
Secure And HTTP Only Cookies
Third-party cookies are files that have been written onto your device by a web site that is different from the web site you are actually visiting. The word “party” helps clarify this idea as it refers to the actual domain or web site that places the cookie onto your device.
Let’s consider the term ”party” . . .
No – it’s not about having a good time . . .
It refers to who is actually creating the cookie
Third-Party Cookie Example
You visit www.abc.com and a cookie is created by the web site. The domain of that cookie would be “abc.com”. This is what we would call a First Party Cookie, as the cookie was created by and belongs to the web site you visited. Let’s consider visiting www.abc.com again, but this time it has an advertising banner on its page owned by “adverts.com”. Now when you visit www.abc.com the banner ad creates its own adverts.com cookie and places it on your device. This new cookie has the domain of “adverts.com” because the banner ad was loaded into your browser from adverts.com. This is a third-party cookie, as the cookie created belongs to a different web site from the one you were actually visiting.
Why would they do this?
Let’s say you go to a new web site called www.xyz.com. They also happen to have a banner ad by the same organisation, adverts.com. The cookie previously created by adverts.com when you were on the first web site (www.abc.com) can now be opened by adverts.com, which can read where you had previously been. This allows Advertiser.com to track your activity.
How are Third-Party Cookies created
A third-party cookie can be created if the web page you are opening loads ANY content from another web site/domain. By simply having a piece of content such as an advert from a different site loaded on the web page you are viewing, you are granting permission for that different site to create its own cookie on your device.
Who uses Third-Party Cookies
Some advertisers use third-party cookies to track your visits to various web sites on which they advertise. Many major web sites track their visitors’ behavior and then sell or provide that information to other companies. Tracking is a term that includes many different methods that web sites, advertisers and others use to learn about your web browsing behavior. This includes information about what sites you visit, things you like, dislike and purchase. They often use this information to show ads, products or services specifically targeted to you.
How do Third-Party Cookies work
When you visit the domain www.Interesting.com, the web pages on that domain may feature content from a third party domain. For instance, there may be an advertisement run by www.Advertiser.com showing graphic advert banners. When your web browser asks for the banner image from www.Advertiser.com, that third party domain is allowed to set a cookie. Each domain can only read the cookie it created, so there should be no way of www.Advertiser.com reading the cookie created by www.Interesting.com. So what’s the problem?
What if Advertiser.com is on LOTS of web sites?
Some people don’t like third-party cookies for the following reason. Suppose that the majority of sites on the internet have banner adverts from www.Advertiser.com. Now it’s possible for the advertiser to use its third-party cookie to identify you as you move from one site with its adverts to another site with its adverts.
But they don’t know who I am!
Even though the advertiser from www.Advertiser.com may not know your name, it can use the random ID number in the cookie to build up an anonymous profile of the sites you visit. Then, when it spots the unique ID in the third-party cookie, it can say to itself: “visitor 3E7ETW278UT regularly visits a music site, so show him/her adverts about music and music products”.
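The abc.com / xyz.com / adverts.com scenario above, together with the earlier rule that a site can only read its own cookies, as an added example that is not part of the original article: a toy cookie jar and ad server, run once with third-party cookies allowed and once with them blocked. The class and function names, the `id` and `prefs` cookie names and the two-label `siteOf` shortcut are assumptions made for the illustration.

```javascript
// Added example: a toy browser cookie jar and ad server (constructed data only).

// A host matches a cookie's domain if it is that domain or a subdomain of it
// (simplified form of the RFC 6265 domain-match rule).
function domainMatch(host, cookieDomain) {
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Naive "site" of a host: its last two labels. Real browsers use the Public
// Suffix List; this shortcut is only good enough for the sample hosts below.
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// Stands in for the advertiser: hands out an ID once, then records every
// page on which that ID shows up again.
class AdServer {
  constructor() { this.count = 0; this.profiles = {}; }
  serveBanner(idCookie, embeddingPage) {
    const id = idCookie || 'visitor-' + (++this.count);
    (this.profiles[id] = this.profiles[id] || []).push(embeddingPage);
    return id; // value the server puts in its Set-Cookie header
  }
}

class Browser {
  constructor({ blockThirdParty }) {
    this.blockThirdParty = blockThirdParty;
    this.jar = []; // entries: { domain, name, value }
  }
  // Cookies the browser attaches to a request for `host`.
  cookiesFor(host) {
    return this.jar.filter((c) => domainMatch(host, c.domain));
  }
  store(domain, name, value) {
    this.jar = this.jar.filter((c) => !(c.domain === domain && c.name === name));
    this.jar.push({ domain, name, value });
  }
  // Load `pageHost`, whose HTML embeds a banner served from `adHost`.
  visit(pageHost, adHost, adServer) {
    this.store(siteOf(pageHost), 'prefs', 'set-by-' + pageHost); // first party
    const thirdParty = siteOf(adHost) !== siteOf(pageHost);
    if (thirdParty && this.blockThirdParty) {
      adServer.serveBanner(undefined, pageHost); // banner loads, no cookie sent or kept
      return;
    }
    const sent = this.cookiesFor(adHost).find((c) => c.name === 'id');
    const id = adServer.serveBanner(sent && sent.value, pageHost);
    this.store(siteOf(adHost), 'id', id);
  }
}

function simulate(blockThirdParty) {
  const ads = new AdServer();
  const browser = new Browser({ blockThirdParty });
  browser.visit('www.abc.com', 'adverts.com', ads);
  browser.visit('www.xyz.com', 'adverts.com', ads);
  return {
    profiles: ads.profiles, // what the advertiser has learned
    sentToXyz: browser.cookiesFor('www.xyz.com').map((c) => c.domain),
  };
}

console.log('third-party allowed:', JSON.stringify(simulate(false)));
console.log('third-party blocked:', JSON.stringify(simulate(true)));
```

With third-party cookies allowed the advertiser ends up with one visitor ID linked to both sites; with them blocked it sees two unrelated visitors, and in both runs www.xyz.com only ever receives its own cookie.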
Privacy Risk
A survey in the USA found 84% of people outraged by the idea of advertising companies building up profiles about their browsing habits, even if in some cases the profile might be anonymous. Reports and research on the subject of web site tracking tell us that the rejection of third-party cookies is growing. Increasing numbers of people are trying to stop and block them, or at least trying to delete their cookies regularly.
The Infamous Flash Cookie
Flash Cookies (aka “Super Cookies”) are unlike typical internet cookies. Flash cookies are different because they are independent of the browser. Written by Adobe Flash, they are designed to be permanently stored on your computer. A Flash Cookie could be created when you visit any site that uses Flash on its pages.
So What is a Flash Cookie?
Adobe uses the term Locally Shared Objects (LSO) to refer to flash cookies. When you open a web site that is running Flash, you allow Flash to create one of these Shared Objects. On every subsequent visit to any web site running Flash, the locally shared object, in other words our flash Cookie, can be accessed again. This is a type of Super Cookie, as it has super powers that allow it to remain on your device even after you have removed all cookies from your browser! It is also able to cross domains, being created in one place and read in a separate domain. This raises security concerns.
Flash Cookies vs HTTP Cookies.
Regular computer cookies are browser based. This means you can easily remove them via browser tools. Super cookies are more difficult to detect and remove from your device because they will not be deleted in the same way. They are designed to function in the same manner as regular cookies, storing details about browsing history, personal preferences, authentication details or ad-targeting data. However, they are also designed not to be removed from your device, and are therefore able to store weeks or even months worth of data. This data can extend to your location, time zone, photographs, text from blogs, shopping cart contents and even e-mails.
Flash Cookie Concerns
Most alarming is the fact that many web sites are not up front about using Flash technology on their site. You are therefore not aware of the possibility that your data may be tracked. The issue of super cookies is a difficult one to deal with. As technology moves forward there will be measures created to deal with them, but flash cookies are not the product of a criminal individual. They are created and maintained by large corporations who collect this data in an effort to better understand and serve their customer base. No matter which side of the cookie debate you’re on, the next time you visit a flash enabled site you’re likely allowing a cookie into your computer that will collect and transmit data. One of the aspects that makes this type of file so special is its ability to be triggered each and every time you visit any site with Flash enabled. Unlike normal internet cookies that are restricted to a single domain, this type of cookie can interact with multiple web sites and therefore collect data as you navigate from site to site.
How do Flash Cookies work?
Normal HTTP cookies can’t save more than 4 Kilobytes of data, while Super Cookies can save up to 100 Kilobytes. Sometimes the reason behind a Flash Cookie is to allow for the creation of two cookies on the user’s machine:
1. A standard http cookie that the user can erase.
2. A flash cookie that the user most likely is not aware of, because the existence of these flash cookies is not well known.
This practice is very deceptive because by deleting cookies, the user is clearly rejecting attempts to be tracked. Using this obscure technology to subvert these wishes is a practice that perhaps should not be allowed.
Dive a little Deeper into the Flash Cookie.
Adobe Flash Player does not actually allow third party locally shared objects to be shared across web sites. If a flash cookie is created by “abc.com”, it would not by default be available to another domain such as “adverts.com”. However, the first party web site could use the flash cookie it creates to pass information to a third party using certain settings found in the dedicated XML file. Also, third party LSOs are allowed to store certain data elements by default. This stored data can be shared across different types of browsers on the same machine.
As an example :
A visitor opens a web site using their Firefox browser. They then view a page that displays a specific product. The visitor then closes the Firefox browser. The information that was just viewed about that product can be stored in the Flash Cookie / LSO. Now let's say the same visitor on the same device uses an Internet Explorer browser. When they visit any page from the site that was just viewed through Firefox, that site can read the Flash cookie / LSO values through the Internet Explorer browser. The web site can now display dynamic content or otherwise target the visitor even when switching between different browser applications.
They’re independent
Flash cookies are browser independent. This gives them another super power, allowing them to transition across browsers as well as allowing information to be passed between web sites.
Privacy Risks
One of the main problems with flash cookies is that browsers do not clear them when the user deletes the cookies on their machine. This type of internet cookie NEVER expires and some of them even contain the name of your computer and the file path/directories of key files. They can share data across domains without our knowledge or permission. Cookie preferences can be ignored. Adobe Flash Cookies can be used as a Trojan to reinstate removed cookies that the user has flushed.
What are Zombie Cookies?
Internet Cookies that rise from the dead. Zombie cookies come back to life after you kill or delete them. UC Berkeley first identified the Zombie Cookie when they noticed that after deleting cookies the cookies kept coming back over and over again. No amount of deleting them would kill them. Many people have absolutely no idea what a zombie cookie is, or that they even exist. That was until a massive lawsuit in 2009, which targeted some of the biggest names on the web.
Regular Cookies vs Zombie Cookies
|Regular Cookies|Zombie Cookies|
|---|---|
|Stored in Browser|Stored in Flash or Silverlight|
|Easily blocked and deleted from browser|Blocking and deleting them is not easy|
|4kb Size|Up to 100kb|
|Work with only one browser|Work across all browsers on the same machine|
How do Regular Cookies work?
What you think happens: You visit a web site and they plant browser cookies. You visit the web site again, and they retrieve those cookies. You can block them or delete them, and that’s that.
How do Zombie Cookies work?
What REALLY happens (in some cases): You visit a web site and they create internet cookies AND Adobe Flash cookies.
You block or delete regular cookies. Doesn’t matter!
You visit the web site again, they check for regular cookies - No luck?
They check for Adobe Flash cookies, which are EXACTLY the same, if not even more detailed (remember 4kb vs. 100kb). So in a sense, you deleting or blocking internet cookies doesn’t matter. Zombie Cookies are there.
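The sequence above leaves a recognisable trace: the same identifier value comes back after the user has cleared cookies, whereas a site with no second copy has to issue a new one. One way to check for that, as an added example that is not part of the original article; the log format, the `.example` domains, the function name and the minimum identifier length are assumptions made for the illustration.

```javascript
// Added example: flag cookies whose identifier survives a "clear cookies".
// Constructed observation log, e.g. what a proxy or extension could record.
const SAMPLE_LOG = [
  { t: 1, type: 'set-cookie', domain: 'video.example', name: 'uid', value: '3E7ETW278UT' },
  { t: 2, type: 'set-cookie', domain: 'news.example', name: 'sid', value: 'a81f03c2d94e' },
  { t: 3, type: 'set-cookie', domain: 'news.example', name: 'lang', value: 'en' },
  { t: 4, type: 'clear-cookies' },
  { t: 5, type: 'set-cookie', domain: 'video.example', name: 'uid', value: '3E7ETW278UT' },
  { t: 6, type: 'set-cookie', domain: 'news.example', name: 'sid', value: '5be27d106fa9' },
  { t: 7, type: 'set-cookie', domain: 'news.example', name: 'lang', value: 'en' },
];

// minIdLength is an assumed cut-off: short values such as "en" are treated as
// preferences that can legitimately come back, not as identifiers.
function findRespawned(log, minIdLength = 8) {
  const cleared = new Map(); // "domain|name" -> Set of values wiped by a clear
  let live = new Map();      // same shape, values set since the last clear
  const findings = [];
  const reported = new Set();
  const events = [...log].sort((a, b) => a.t - b.t);
  for (const e of events) {
    if (e.type === 'clear-cookies') {
      // Everything live at this point should be gone for good.
      for (const [key, values] of live) {
        if (!cleared.has(key)) cleared.set(key, new Set());
        for (const v of values) cleared.get(key).add(v);
      }
      live = new Map();
      continue;
    }
    if (e.type !== 'set-cookie') continue;
    const key = e.domain + '|' + e.name;
    const old = cleared.get(key);
    const tag = key + '|' + e.value;
    const isId = e.value.length >= minIdLength;
    if (old && old.has(e.value) && isId && !reported.has(tag)) {
      reported.add(tag); // report each respawned value once
      findings.push({ domain: e.domain, name: e.name, value: e.value, respawnedAt: e.t });
    }
    if (!live.has(key)) live.set(key, new Set());
    live.get(key).add(e.value);
  }
  return findings;
}

console.log(findRespawned(SAMPLE_LOG));
```

In the sample log only `uid` on video.example is reported: `sid` received a fresh value after the clear, and `lang=en` is too short to count as an identifier.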
Who has used them?
ESPN, MTV, HULU, ABC, MySpace, NBC, YouTube, Scribd, and that is just for starters. It isn’t even the tip of the iceberg when it comes to who is hiding zombie cookies on your computer.
Purposes of using them
Marketing research or tracking personal browsing habits. Since Zombie cookies have a bigger size they can store more detailed information about users’ behavior and can remember unique visitors. Different types of browser can store and share your information. Deleting cookies would not prevent web sites from controlling your interaction with them.
Privacy Breach
Fact: almost 98% of computers have Adobe Flash. This means almost everyone is exposed to Zombie Cookies. Some people feel that if you delete or block a cookie, it should stay deleted. Regular deletion of cookies will not affect Zombie Cookies. Some people consider sites that use them to be breaching their privacy. Clearspring and affiliated sites owned by Walt Disney Internet Group, Warner Bros and others had a huge lawsuit filed against them. Adobe Flash cookies were the focus. They were being used to “track Plaintiffs and Class Members that visited non-Clearspring Flash Cookie Affiliates web sites by having their online transmissions intercepted, without notice or consent”.
How to kill them?
Before: You had to uninstall Adobe Flash, and re-install it. Now: Go to Adobe’s webpage and set controls on the Global Privacy Settings page (Google this for more details). If you use Firefox you can get rid of Flash cookies, including zombie cookies, by using the BetterPrivacy add-on.
This is an example of a VERY persistent cookie file. A cross between the Super and Zombie cookie types.
Talk about the possibility of invasion of privacy and the possible misuse of personal data.
Published : Tue 06 Mar 2018
Updated : Tue 24 Mar 2020