Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How Websites Remember You: Diving into Cookies & More

Making life easier for you.

Websites remember that you signed in previously both as a convenience and as a way to make using the site possible.
Remember Me!
Question: How does a certain computer get recognized? Paypal says, “We recognize you on this computer, so you don’t need to log in.” That is great! Why can’t this be used by everyone to eliminate this password crap?

I hate to disappoint, but a service remembering you on your computer doesn’t eliminate passwords.

There are two primary techniques used to remember or recognize you on a specific computer: cookies or passkeys.

Become a Patron of Ask Leo! and go ad-free!


Remembering you

Websites remember that you’ve previously signed in by using cookies or passkeys. In each case, you have to have signed in once using some other form of authentication such as a password, emailed links, or texted codes.


The first time you sign into a website like PayPal, you still have to provide your password. But after that you may not, or may not have to for “a while”.

The “trick”, if you want to call it that, is that when you signed in successfully, placed a cookie1 on your machine that says, “This account has already signed in”, and doesn’t ask you to sign in again. For “a while”.

Remember Me

In many cases, the “Remember Me” checkbox present on many sign-in screens simply changes the length of time that the already-signed-in cookie is valid. It typically defaults to a short amount of time (minutes or hours) but is set to something longer (days/weeks) when checked.

This is more than a convenience. This is what keeps you from having to sign in over and over again as you move from page to page within a site.

This is also why you often need to sign in again after clearing cookies: you’ve removed the information saying you’re already signed in. Signing out also invalidates the cookie.

Cookies do expire after a certain amount of time. The website controls the length of time, but it might be as little as an hour or two to several days or weeks or even years. The clock may or may not be reset every time you access the site — meaning the time could be based either on the first sign-in or on your most recent activity. Once the time has passed, you’ll be asked to sign in again.

With your password.


Passkeys are a new technology that in a sense do the same thing but in a significantly more secure way. Here’s how passkeys work:

  • You provide your username to the service you’re signing into.
  • The service sends a code or a link to your email address or phone.
  • You enter that code or click that link to confirm you are the account holder, and you’re automatically signed in.
  • The service then creates a passkey, which is securely stored on that device.

Future sign-ins on that device now rely on the passkey to both identify and authenticate you. “We recognize you on this computer” is one possible message when you return to the site sometime later.

You still need to sign in once on each device from which you want to access the account. That may involve a traditional password, particularly as we transition from passwords to passkeys on existing services.

Using passkeys, it’s possible the account could be completely password-free after that.

Do this

Obviously, continue to use proper password hygiene when passwords are used.

Particularly if you’re using a shared computer, be sure to sign out of your important accounts when you’re done. This applies to both passkey and cookie-based approaches to remembering you.

Interested in more answers like this one? Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Podcast audio


Footnotes & References

1: Or cookies. Exactly how websites implement this is completely up to them, and a variety of techniques are used, I’m sure.

7 comments on “How Websites Remember You: Diving into Cookies & More”

  1. Come on Leo! Be honest with your readers! You know as well as I that one of the primary purposes of cookies is so that websites can track you and your browsing activity! The ultimate end game being of course increased revenue. That’s what has recently motivated — apparently via legislation in some cases — that websites give you the option to accept no cookies or only accept “necessary cookies” — where “necessary” is of course in the eye of the beholder. Don’t want to be tracked? Set your browser to delete, i.e. not save, cookies during your session. This can be in most browsers like Edge or Firefox … if indeed it works.

    • It is not one of the primary purposes, no. That it’s being used for that is not why cookies exist. (And, indeed, the fact that tracking is happening without cookies at all speaks to their value, or lack there of. They were just the easy way.)

    • Delete cookies, and you’ll have to log in for each webpage you visit. That might sound OK, but without cookies, navigating to the next page on a website will require a new login. Deleting cookies after closing your browser is not so bad. It’ll block a few targeted ads, not all, but it’s pretty much useless.

  2. I think it is appalling that financial institutions and online stores, etc. send emails with a link to view statements or messages, etc. Usually the link is a long one with slashes here and there followed by gibberish so that you can go directly to the information. I always go directly to their website (easier if you have put it in the URL (website address) in your password manager). It is too easy for a spammer (crook) to make the link look like it is legit, with perhaps one letter changed.

  3. The scariest one is a bank. Pull it up in Google the password and my name is preloaded. I have signed out multiple times. Cleared cookies signing out before and after. It still displays. Headed to their real office soon.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.