The term “cookie” was coined by web browser programmer Lou Montulli. It is derived from the term “magic cookie”, which Unix programmers use for a packet of data that a program receives and sends back unchanged.
Cookies, also called web cookies, internet cookies, browser cookies, or simply cookies, are small blocks of data created by a web server when a user is browsing a website and placed on the user’s computer or other web devices.
Cookies are placed on the device used to access the website, and more than one cookie may be placed on a user’s device during a single session.
Cookies perform useful and sometimes important functions on the Internet. They allow web servers to store state information, such as items added to a shopping cart in an online store on a user’s device, or to keep track of a user’s online activity, including pressing certain buttons, logging in, or recording which pages were visited in the past.
They can also be used to save, for later use, information the user previously entered in form fields, such as names, addresses, passwords, and payment card numbers. Storing secrets such as passwords or card numbers in a cookie is poor practice, because anything in a cookie is exposed to the theft attacks described below.
Authentication cookies are typically used by web servers to verify that a user is logged in and with which account they are logged in. Without cookies, users would have to authenticate themselves by logging in to every page containing sensitive information they wish to access.
The security of an authentication cookie usually depends on the security of the issuing website and of the user’s web browser, and on whether the cookie is transmitted only over encrypted connections. Encrypting the cookie’s contents does not by itself help: an attacker who steals the cookie can replay it as-is.
Security vulnerabilities could allow an attacker to read cookie data, use it to gain access to user data, or to gain access with the user’s credentials to the website that owns the cookie. Cross-site scripting and cross-site request forgery are two examples.
Tracking cookies, and especially third-party tracking cookies, are commonly used to compile long-term records of an individual’s browsing history, a potential privacy issue that prompted European and US lawmakers to take action in 2011.
European law requires that all websites targeting Member States of the European Union obtain “informed consent” from users before storing non-essential cookies on their devices.
A session cookie, also known as a memory cookie, temporary cookie, or non-persistent cookie, exists only in temporary memory while the user navigates the website.
Session cookies expire or are deleted when the user closes the web browser. The browser identifies a session cookie by the absence of an expiration date, that is, by the cookie having neither an Expires nor a Max-Age attribute.
A persistent cookie expires on a certain date or after a certain period of time. During the lifetime set by its creator, its information is transmitted to the server each time the user visits the website to which it belongs, and each time the user views a resource belonging to that website from another website, such as an advertisement.
For this reason, persistent cookies are sometimes referred to as tracking cookies because they can be used by advertisers to record information about a user’s browsing habits over an extended period of time.
However, they are also used for “legitimate” reasons, such as keeping users logged into their accounts on websites to avoid having to re-enter credentials every time they visit.
A secure cookie can only be transmitted over an encrypted connection, i.e. HTTPS; the browser never sends it over unencrypted HTTP.
This reduces the chance that the cookie will be stolen through eavesdropping. A cookie is made secure by adding the “Secure” attribute to it.
HTTP Only Cookie
An HttpOnly cookie cannot be accessed by client-side APIs such as JavaScript’s document.cookie, which removes the risk of cookie theft via cross-site scripting. However, the cookie remains vulnerable to cross-site tracing and cross-site request forgery attacks, because the browser still attaches it to requests. A cookie gets this characteristic by adding the HttpOnly attribute to it.
Same site cookie
A same-site cookie carries the SameSite attribute, which controls whether the browser attaches it to cross-site requests. SameSite=Strict withholds the cookie from every cross-site request, SameSite=Lax sends it only with top-level navigations such as following a link, and SameSite=None sends it with all requests and must be combined with Secure. Strict and Lax limit cross-site request forgery, because a request forged from another site arrives without the cookie.
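The attributes above (Expires/Max-Age, Secure, HttpOnly, SameSite) all live in the Set-Cookie response header. The following is an added example, not code from the original page: it parses a Set-Cookie header, decides whether the cookie is a session or persistent cookie, and reports the hardening attributes a reviewer would flag as missing. The sample headers are constructed.

```javascript
// Added example (not from the original page): parse Set-Cookie headers and
// audit their security attributes. The sample headers below are constructed.

const PERSISTENT_ATTRS = new Set(["expires", "max-age"]);

// Parse one Set-Cookie header value into name, value and attributes.
// Attribute names are case-insensitive; flag attributes (Secure, HttpOnly)
// carry no value and are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split("=");
  const cookie = { name: name.trim(), value: valueParts.join("=").trim(), attributes: {} };
  for (const part of parts.slice(1)) {
    const eq = part.indexOf("=");
    const attrName = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    cookie.attributes[attrName] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return cookie;
}

// A session cookie has neither Expires nor Max-Age: the browser discards it
// when it closes. Anything else is persistent.
function isSessionCookie(cookie) {
  return !Object.keys(cookie.attributes).some((a) => PERSISTENT_ATTRS.has(a));
}

// Report every hardening attribute that is missing or misused.
// Returns an array of findings; an empty array means the cookie is clean.
function auditCookie(cookie) {
  const a = cookie.attributes;
  const findings = [];
  if (!("secure" in a)) findings.push("missing Secure: cookie may be sent over plaintext HTTP");
  if (!("httponly" in a)) findings.push("missing HttpOnly: cookie readable via document.cookie (XSS theft)");
  const sameSite = typeof a.samesite === "string" ? a.samesite.toLowerCase() : null;
  if (sameSite === null) findings.push("missing SameSite: relies on the browser default");
  else if (sameSite === "none" && !("secure" in a)) findings.push("SameSite=None without Secure: browsers reject this cookie");
  return findings;
}

function auditAll(headers) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    return { name: c.name, session: isSessionCookie(c), findings: auditCookie(c) };
  });
}

// Constructed sample headers: a hardened login cookie, a persistent tracking
// cookie with no protection, and a cookie that misuses SameSite=None.
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "tracker=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=.example.com",
  "prefs=dark; Max-Age=31536000; SameSite=None",
];

console.log(JSON.stringify(auditAll(SAMPLE_HEADERS), null, 2));
```

Run it with Node; only the first header comes back with an empty findings list. The parser splits on the first “=” of each attribute only, so an Expires value containing spaces and commas, or a cookie value that itself contains “=”, is preserved intact.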
Third Party Cookie
Typically, the Domain attribute of a cookie corresponds to the domain that appears in the browser’s address bar. Such a cookie is called a first-party cookie. A third-party cookie, by contrast, belongs to a different domain than the one shown in the address bar.
This type of cookie usually appears when web pages embed content from external websites, such as banner ads. It opens up opportunities to track a user’s browsing history across sites and is often used by advertisers to show relevant ads to each user.
Supercookies are cookies whose Domain attribute is set to a top-level domain like .com or to a public suffix like .co.uk. Regular cookies, on the other hand, are scoped to a specific registrable domain such as example.com.
Supercookies are a security risk and are therefore blocked by web browsers, which consult the Public Suffix List to recognise them. If a browser did not block them, an attacker in control of a malicious website could set a supercookie and potentially disrupt or impersonate legitimate user requests to any other website that shares the same top-level domain or public suffix.
For example, a supercookie with a domain of .com would be sent with requests to example.com even though it was not set by example.com. This can be used to fix a victim’s session or to overwrite user information.
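The defence against supercookies is the browser’s handling of the Domain attribute: RFC 6265 section 5.3 says a cookie whose Domain is a public suffix is ignored (unless the requesting host is exactly that suffix), and any Domain that the requesting host does not domain-match is rejected. The following is an added example, not code from the original page, of that decision. The public suffix list it uses is a constructed subset of the real Public Suffix List.

```javascript
// Added example (not from the original page): how a user agent should treat
// the Domain attribute of a Set-Cookie header, following RFC 6265 section 5.3.
// PUBLIC_SUFFIXES is a constructed subset of the real list at publicsuffix.org.

const PUBLIC_SUFFIXES = new Set(["com", "org", "uk", "co.uk", "io"]);

// RFC 6265 section 5.1.3 domain-match: the host equals the domain, or the
// host ends with "." + domain and is not an IP address literal.
function domainMatches(host, domain) {
  if (host === domain) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false; // IPv4 literal never matches a suffix
  return host.endsWith("." + domain);
}

// Decide whether a cookie with the given Domain attribute, set in a response
// from requestHost, is stored and with what scope. Returns { accepted,
// hostOnly, domain } on success or { accepted: false, reason } on rejection.
function resolveCookieDomain(requestHost, domainAttr, publicSuffixes = PUBLIC_SUFFIXES) {
  const host = requestHost.toLowerCase();
  if (!domainAttr) return { accepted: true, hostOnly: true, domain: host }; // no Domain: host-only cookie
  let domain = domainAttr.toLowerCase();
  if (domain.startsWith(".")) domain = domain.slice(1); // leading dot is ignored (RFC 6265 5.2.3)
  if (publicSuffixes.has(domain)) {
    // A cookie scoped to a public suffix would be a supercookie readable by
    // every site under that suffix. If the host itself is the suffix the
    // attribute is ignored; otherwise the whole cookie is rejected.
    if (domain === host) return { accepted: true, hostOnly: true, domain: host };
    return { accepted: false, reason: `Domain=${domainAttr} is a public suffix` };
  }
  if (!domainMatches(host, domain)) {
    return { accepted: false, reason: `${host} does not domain-match ${domain}` };
  }
  return { accepted: true, hostOnly: false, domain };
}

// Constructed scenarios: a malicious site attempting a .com supercookie, a
// legitimate site scoping a cookie to its registrable domain, a .co.uk
// supercookie, a cookie aimed at an unrelated domain, and no Domain at all.
const SCENARIOS = [
  ["evil.com", ".com"],
  ["www.example.com", "example.com"],
  ["evil.co.uk", "co.uk"],
  ["evil.com", "example.com"],
  ["shop.example.com", undefined],
];

for (const [host, attr] of SCENARIOS) {
  console.log(host, attr, resolveCookieDomain(host, attr));
}
```

Only the second and fifth scenarios are accepted. A real browser runs the same logic against the full Public Suffix List, which is why the supercookie attack described above fails in current browsers.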
A zombie cookie is data and code placed by a web server on a visitor’s computer or other device in a hidden location outside the browser’s dedicated cookie storage, which automatically recreates the HTTP cookie as a regular cookie after the original cookie has been deleted.
A zombie cookie can be stored in multiple places, such as Flash Local Shared Objects, HTML5 Web Storage, and other locations on the client side and even on the server side. When the absence of the cookie is detected, it is recreated from the data stored in these places.