Why do we even need cookie's ?

Sudden Thought

As a full stack developer, i came across reading about cookies. So far i haven't written code to handle it or use it in my applications. While reading about cookies, i came to know its used to transfer state in a stateless HTTP protocol. I was amused, because during my development, we somehow handled the state without cookies.

Yet, we have used Azure AD Authentication, which in turn use the cookies. What i meant is , I haven't coded cookie for my functionalities. :)

Problem statement to understand the need of state management

You are using an online shopping website. You have some items in your cart. Now you are moving to the checkout page and are surprised to see that there are no items in the cart. This is because HTTP is stateless. So we will be needing a mechanism to maintain the state of the application. Thus the cookie was born.

Stateful cookie inside stateless HTTP

HTTP is stateless. This means that HTTP itself has no way to keep track of a user’s previous activities. One way to create a state is by using cookies. A cookie is generally used to store the username and password information on a computer so that the user does need not to enter this information each time when visits a website again.

Cookies are a convenient way to carry information from one session on a website to another, or between sessions on related websites, without having to burden a server machine with massive amounts of data storage.

Back to history

Cookies were developed for the first time in 1994 by Lou Montulli, an employee of Netscape Communications. Along with John Giannandrea, Lou developed cookies as a solution to make e-commerce shopping carts possible.

The first actual real-world application of cookies on the web was to determine whether visitors to the Netscape website had been there previously.

Initially, cookies were accepted by default by all supported browsers and very few end-users had any idea about their presence or use. That all changed in February of 1996 when the Financial Times published a piece detailing their existence, purpose, and use.

What followed was intense media scrutiny for the next few years due to the privacy risks inherent to visitor tracking.

The Internet Engineering Task Force (IETF) was given the job of coming up with a formal cookie specification that agreed with the concerns expressed by the media.

IETF Document on HTTP State Management - rfc-editor.org/rfc/rfc2109

Of particular concern were the risks associated with allowing third-party cookies. These are more commonly known as tracking cookies. IETF attempted to require that third-party cookies be explicitly disallowed or only allowed after explicit user opt-in.

However, the leading browser developers at that time, Netscape and Microsoft, ignored the IETF recommendation and went along with online advertiser wishes to allow third-party tracking cookies.