Cookies, more properly called HTTP cookies, are small bits of data stored as text files on a browser. Websites use those small bits of data to keep track of users and enable user-specific features.
They enable core website functionality, such as e-commerce shopping carts, and are also used for more controversial purposes, such as tracking user activity.
Cookies are a necessary part of the way the web works as well as a source of privacy concerns and security risks. For this reason, casual web users and web developers have good reason to better understand how these tiny bits of data work.
What Goes Into a Cookie?
Cookies associate bits of data to a specific user.
For example, if you visit a website, the site may deliver a cookie identifying you as user X. If you leave the site and then return to it again, that cookie will be used by the website to recognize that you are the same user X that was at the site previously.
At a minimum, a cookie contains two pieces of data: a unique user identifier and some information about that user.
Cookies may also carry a range of attributes that tell the browser what to do with the cookie, such as when it expires and which requests it should be sent with.
A common example of how this all works is an authentication cookie.
When you log into a website the site may return a cookie that identifies your user account and confirms that you have successfully logged in to the site. When you interact with the site it will use that cookie as confirmation that you are a logged-in user.
Common Types of Cookies
Cookies can be classified in several different ways. Let’s look at four of the most common classifications to better understand how cookies are used and how they work.
Session cookies are temporary cookies stored in the browser’s memory just until the browser is closed.
These types of cookies pose less of a security risk and are used to power e-commerce shopping carts, to control the page elements shown to a user during a single multi-page visit to a website, and for other short-term storage purposes.
Persistent cookies are longer-term cookies that are tagged by the issuer with an expiration date.
These cookies are stored by the browser even after the browser is closed. They are returned to the issuer every time you visit the site that issued the cookie or view a site that contains a resource (such as an ad) issued by the original cookie issuer.
In this way, persistent cookies can track your activity not only on the site that issued the cookie but also on any site that includes a resource issued by the same site. This is the mechanism sites like Google and Facebook use to create a log of user activity across multiple websites.
When you click “Remember Me” or a similar option when logging into an online account, a persistent cookie is used to store your login information on your browser.
Because persistent cookies stick around much longer than session cookies and can track your activity over time across multiple sites, they pose a greater risk than session cookies.
First-party cookies are cookies created by the site you’re currently visiting. For example, while on this site we use cookies for various purposes, such as making our host filtering feature work. The cookies we issue while you’re visiting our site are first-party cookies.
Third-party cookies are cookies added by a domain that is not the domain you are currently visiting. The most common use of third-party cookies is to track users who click on advertisements and associate them with the referring domain.
For example, when you click on an ad on a website, a third-party cookie is used to associate your traffic with the site where the ad appeared.
While cookies are a necessary part of the modern web, they can also pose a considerable risk of invasion of privacy as well as a security risk to the websites that use them.
User Beware: Cookie Risk and Reward
Cookie Fraud
In most cases, cookie fraud takes one of two forms: a malicious website either uses legitimate visitors as a proxy in an attack on another website, or it games tracking systems by attaching false session IDs to a legitimate user’s activity. Let’s look at four common cookie fraud exploits to learn how they work:
Cross-site scripting (XSS): a user visits a malicious website and receives a cookie that contains a script payload targeting a different website. The malicious cookie is disguised to look like it originated from the targeted website. When the user visits the targeted site, the malicious cookie, including the script payload, is sent to the server hosting the targeted site.
Session fixation: a user receives a malicious cookie that contains the cookie issuer’s session ID. When the user attempts to log into a targeted domain, the issuer’s session ID is logged in instead of the user’s session ID. In this way, it looks to the targeted domain like the issuer is performing actions that the user is actually performing.
Cross-site request forgery (CSRF, also written XSRF): a user visits a legitimate site and receives a legitimate cookie. The user then visits a malicious site that instructs the user’s browser to perform some action targeting the legitimate site. The legitimate site receives the request along with the legitimate cookie and performs the action, since it appears to be initiated by a legitimate user.
Cookie tossing attack: a user visits a malicious site that provides a cookie designed to look like it originated from a subdomain of a targeted site, such as http://subdomain.example.com. When the user visits the targeted site, http://example.com in this case, the subdomain cookie is sent along with any legitimate cookies. If the subdomain cookie is interpreted first, the data in that cookie will overrule the data contained in any subsequent legitimate cookies.
As you can see, in virtually all cases of cookie fraud, cookies are used to either falsify the identity of legitimate users or to use the legitimate user’s identity to perform malicious actions.