Cookies Explained: Why Websites Remember You

Allan WANJIKU

Cookies are a crucial part of the HTTP protocol. They allow the server to send data to the client, which the client stores and resubmits to the server. While they enable swift browsing, they are also vulnerable to abuse by hackers.

Main uses of cookies

Cookies are used for three main reasons:

  • Session management: Cookies store a session ID, allowing the browser to retrieve a user’s information. This can be sign-in status, game scores, and other session-related data.

  • Tracking: They can track your browsing behavior on a specific site or across numerous websites. This provides site owners valuable information about your online habits, allowing for targeted ads.

  • Personalization: Cookies can store your preferences such as theme and language. When you revisit the site, the site will retrieve the cookies to meet your preferences.

Unlike other request parameters, cookies are resubmitted with each subsequent request. A server uses the Set-Cookie response header to issue a cookie. For example:

Set-Cookie: tracking=tI8rk7joMx44S2Uu85nSWc

Your browser (client) will automatically add the cookie header to subsequent requests back to the same server:

Cookie: tracking=tI8rk7joMx44S2Uu85nSWc

As you can see, a cookie is a name/value pair. A server can issue multiple cookies by including multiple Set-Cookie headers in the same response.

The client then sends them back to the server using the same Cookie header, with a semicolon separating individual cookies.

For example:

Cookie: sessionId=abc123; username=allan

The Set-Cookie header can include any of the following optional attributes:

  • Expires indicates the date until which the cookie is valid. If neither Expires nor Max-Age is set, the cookie lasts only for the current browser session.

    Set-Cookie: id=agg67a; Expires=Fri, 31 Oct 2024 07:28:00 GMT

    In this example, the cookie will expire at the set date. Alternatively, you can use the Max-Age attribute, which gives the lifetime in seconds:

    Set-Cookie: id=agg67a; Max-Age=2592000

  • Domain specifies the domain for which the cookie is valid. For example, Domain=allan.com indicates that the cookie will be sent to allan.com and its subdomains.

  • Path indicates the URL path for which the cookie is valid. For example, Path=/docs.

  • Secure determines whether a cookie may be sent over plain HTTP or only over HTTPS. If set, the browser submits the cookie only in HTTPS requests. This mitigates man-in-the-middle attacks.

  • HttpOnly determines whether a cookie can be accessed through client-side JavaScript. If set, it cannot be read via client-side JavaScript, so a script injected into the page cannot access it.

Example of a cookie combining these attributes:

Set-Cookie: id=agg67a; Expires=Fri, 31 Oct 2024 07:28:00 GMT; Path=/doc; Secure; HttpOnly; SameSite=Strict
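To make the attribute rules concrete, here is an added example (not from the original post) that parses Set-Cookie headers the way described above and reports which protective attributes are missing. The three sample headers are constructed for the demonstration; the Max-Age-over-Expires precedence follows RFC 6265.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers for the demonstration (not captured from a real site).
SAMPLE_HEADERS = [
    "id=agg67a; Expires=Fri, 31 Oct 2024 07:28:00 GMT; Path=/doc; Secure; HttpOnly; SameSite=Strict",
    "tracking=tI8rk7joMx44S2Uu85nSWc",
    "sessionId=abc123; Max-Age=2592000; Domain=allan.com; Path=/",
]

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes). Attribute names are
    compared case-insensitively, as browsers do; flags like Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs

def expiry_of(attrs, now):
    """Absolute expiry time, or None for a session cookie.
    Max-Age takes precedence over Expires when both are present (RFC 6265)."""
    if "max-age" in attrs:
        return now + timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"])
    return None

def audit_cookie(header, now=None):
    """Report which protective attributes a Set-Cookie header is missing."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: browser may send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by client-side JavaScript")
    if "samesite" not in attrs:
        findings.append("missing SameSite: browser default decides cross-site sending")
    expiry = expiry_of(attrs, now)
    return {
        "name": name,
        "expires": expiry.isoformat() if expiry else None,  # None means session cookie
        "lifetime_seconds": int((expiry - now).total_seconds()) if expiry else None,
        "findings": findings,
    }
```

Running audit_cookie over each header in SAMPLE_HEADERS shows the first cookie clean, the bare tracking cookie as a session cookie with all three attributes missing, and the Max-Age cookie with a lifetime of exactly 2592000 seconds.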

Conclusion

Web owners use cookies for different purposes, but the main reasons are: tracking, personalization, and session management. They store session-related data such as your preferences and sign-in status, allowing for a seamless browsing experience.
