Cookies aren’t as evil as most stories – and some security tools – might have you believe.
A cookie is nothing more than some information a website can save on your computer that your browser then provides back to that same website the next time you return.
Seriously. That’s it. That’s all. That’s a cookie.
What that information is is up to the website, and your browser hands it back only to the website that set it.
It works like this:
- You visit some website, say reallybigbookstore.com
- That starts with your browser requesting a page at reallybigbookstore.com
- The server at reallybigbookstore.com responds with the page your browser is to show you, plus some extra data carried in a Set-Cookie response header. I’ll use “user=12345” as the example, but it could be just about anything. This extra data is a ‘cookie.’
- The browser stores “reallybigbookstore.com,” “user=12345” on your computer somewhere, and displays the page.
- You spend some time viewing the page.
- You move on to another page on that same site, perhaps by clicking a link to “reallybigbookstore.com/tech_books.html”
- The browser requests the page “tech_books.html” from reallybigbookstore.com and, because the host name matches, sends the stored cookie along with that request in a Cookie request header (Cookie: user=12345).
- The server does whatever the server does with the cookie and delivers the page to the browser to be displayed.
The important thing that makes all this work is that the browser sends a cookie back only to the host that set it: only cookies sent to you by reallybigbookstore.com will be sent to reallybigbookstore.com. This prevents one site from seeing the data that might be kept by another. Note that the match is on host name (and, optionally, a path), not on the full origin: unless a cookie carries the Secure attribute it will also be sent to that host over plain HTTP, and unless it carries HttpOnly it can be read by scripts running on the page.
Example: Preventing endless logins
Cookies can be used for many things, but the simplest case is just remembering who you are.
For your sake.
What many don’t realize is that every page you visit on the internet is, in essence, completely stand-alone: HTTP is stateless, and each request is handled on its own. So when you login to a site like, say, Amazon or Hotmail, there’s no inherent mechanism to pass along to the next page that you visit on that site that you are in fact logged in.
The result would be that each attempt to visit a new page on one of these sites would say in effect, “I don’t know you. Please login,” and you’d be faced with a never-ending series of login screens.
As you can see in the previous example, simply storing something that identifies you as a user is one way that sites can keep track and not force you to login for every page. For security purposes, the data actually stored is rarely as obvious as “user=12345”: if it were, anyone could edit the cookie to “user=12346” and be treated as that user. Instead, the site typically stores a long, random session identifier that means nothing by itself but that the server can look up to know who you are, the fact that you’ve logged in, and that you’re authorized to see the next page.
How cookies track
Much has been made about tracking cookies, but there’s nothing at all technically different between cookies that “track” you and cookies that keep you from having to login over and over again. The only difference is which site set them, relative to the page you are actually looking at.
Here’s the scenario:
- You visit some website, say reallybigbookstore.com
- That site contains advertisements provided by a large advertising network. I’ll use doubleclick.net for my example.
- The advertisements that show on reallybigbookstore.com pages come from the servers at doubleclick.net.
- That means that the doubleclick.net server can leave cookies on your machine just like any other website.
So far, you’ve visited a single site and the advertising network it uses has been allowed to leave a cookie on your machine.
Now you keep on browsing:
- You visit some other website, say somerandomservice.com
- Somerandomservice.com uses the same advertising network that reallybigbookstore.com does: doubleclick.net
- When an ad is to be displayed on somerandomservice.com, it is fetched from doubleclick.net and the request sends any cookies for doubleclick.net to the doubleclick.net server. Even though the doubleclick.net cookies were created during your visit to reallybigbookstore.com, the cookies were in fact associated with doubleclick.net.
The advertising network now has the data to know that your computer visited both reallybigbookstore.com and somerandomservice.com and, as long as the pages you saw carried its ads, how often you visit each and which pages you viewed while you were there.
Multiply that by all the sites you visit, all the different advertising networks that exist and you can imagine that a lot of back-end data analysis can determine really interesting patterns of people visiting assorted sites.
As I said above, the doubleclick.net cookies were sent back to the server that they came from, the doubleclick.net server, even though the page you had requested was from somerandomservice.com. That’s how cookies operate – at a domain or server level.
Many browsers make a distinction between cookies for the site you actually requested (somerandomservice.com) and cookies for the sites that are subsequently referenced as part of fulfilling that request (doubleclick.net). The latter are called “third-party cookies.”
You are the first party, the site you actually request is the second party, and all the other sites are so-called “third parties.”
Most browsers allow you to turn off third-party cookies, meaning that the cookies created by third-party requests such as advertising networks are simply not created at all or are never sent. The ad request itself is still made; only the cookie is withheld.
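The two walk-throughs above (the first-party visit to reallybigbookstore.com, and the doubleclick.net cookie that follows you to somerandomservice.com) are played out below by a miniature cookie jar. This is an added example, not code from the original article or from any browser: the host names and cookie values are the article’s, but the jar, its API and its third-party switch are assumptions of this example, and it is a deliberately simplified version of what a browser does (RFC 6265 has many more rules). It goes slightly beyond the article in one respect, flagged in the code: current browsers also require SameSite=None for a cookie to be sent on a third-party request.

```javascript
// Added example, not part of the article: a miniature cookie jar that shows why a
// cookie set by reallybigbookstore.com is sent back only to reallybigbookstore.com,
// and why a doubleclick.net cookie set while you were on reallybigbookstore.com is
// still sent to doubleclick.net from a page on somerandomservice.com.
// The jar, its API and its third-party switch are assumptions of this example.
// Run with: node cookiejar.js

// Parse one Set-Cookie response header. `requestHost` is the host that sent it.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: requestHost, // default: sent back only to the exact host that set it
    hostOnly: true,
    path: "/",
    secure: false,
    httpOnly: false,
    sameSite: "Lax", // assumption: treat a missing SameSite as Lax, as current browsers do
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    switch (k.toLowerCase()) {
      case "domain": {
        // A site may widen a cookie to its own parent domain, never to another site.
        const d = v.replace(/^\./, "").toLowerCase();
        if (requestHost === d || requestHost.endsWith("." + d)) {
          cookie.domain = d;
          cookie.hostOnly = false;
        }
        break;
      }
      case "path": cookie.path = v || "/"; break;
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "samesite": cookie.sameSite = v || "Lax"; break;
    }
  }
  return cookie;
}

class CookieJar {
  constructor({ blockThirdParty = false } = {}) {
    this.cookies = [];
    this.blockThirdParty = blockThirdParty;
  }

  static domainMatches(cookie, host) {
    if (cookie.hostOnly) return host === cookie.domain;
    return host === cookie.domain || host.endsWith("." + cookie.domain);
  }

  // Store cookies from a response. `topLevelSite` is the site in the address bar;
  // the request is third-party when its host is not that site.
  storeResponse({ requestHost, topLevelSite, setCookieHeaders }) {
    if (requestHost !== topLevelSite && this.blockThirdParty) return 0;
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h, requestHost);
      // Replace any existing cookie with the same name, domain and path.
      this.cookies = this.cookies.filter(
        (o) => !(o.name === c.name && o.domain === c.domain && o.path === c.path));
      this.cookies.push(c);
    }
    return setCookieHeaders.length;
  }

  // Build the Cookie request header for a request ("" when nothing applies).
  cookieHeaderFor({ requestHost, requestPath = "/", topLevelSite, https = true }) {
    const thirdParty = requestHost !== topLevelSite;
    if (thirdParty && this.blockThirdParty) return "";
    return this.cookies
      .filter((c) => CookieJar.domainMatches(c, requestHost))
      .filter((c) => requestPath.startsWith(c.path))
      .filter((c) => !c.secure || https)
      .filter((c) => !thirdParty || c.sameSite.toLowerCase() === "none")
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// The article's two walks: a first-party visit, then an ad network seen from two sites.
function scenario(blockThirdParty) {
  const jar = new CookieJar({ blockThirdParty });
  jar.storeResponse({ requestHost: "reallybigbookstore.com", topLevelSite: "reallybigbookstore.com",
    setCookieHeaders: ["user=12345; Path=/; Secure; HttpOnly"] });
  // An ad on that page is fetched from doubleclick.net, which sets its own cookie.
  // SameSite=None is what current browsers require for third-party delivery (beyond the article).
  jar.storeResponse({ requestHost: "doubleclick.net", topLevelSite: "reallybigbookstore.com",
    setCookieHeaders: ["id=abc; Domain=doubleclick.net; Secure; SameSite=None"] });
  return {
    // next page on the same site: the book store gets its cookie back
    bookstore: jar.cookieHeaderFor({ requestHost: "reallybigbookstore.com",
      requestPath: "/tech_books.html", topLevelSite: "reallybigbookstore.com" }),
    // a different site never sees the book store's cookie
    other: jar.cookieHeaderFor({ requestHost: "somerandomservice.com",
      topLevelSite: "somerandomservice.com" }),
    // the ad network's cookie follows you to the ad request made from the second site
    ad: jar.cookieHeaderFor({ requestHost: "ad.doubleclick.net",
      topLevelSite: "somerandomservice.com" }),
  };
}

console.log(scenario(false)); // { bookstore: 'user=12345', other: '', ad: 'id=abc' }
console.log(scenario(true));  // { bookstore: 'user=12345', other: '', ad: '' }
```

Two things to notice: the only rule that stops reallybigbookstore.com’s cookie reaching somerandomservice.com is the host-name match, and the only thing that distinguishes the “tracking” cookie is that its host differs from the site in the address bar, which is exactly the test the third-party switch applies.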
Managing cookies: IE
To delete cookies, click on the gear icon or the Tools menu, select Internet Options and in the resulting dialog, click on the General tab. Now click on the Delete… button:
As you can see, Cookies are one of the items that you can delete.
To view the browser settings for cookies, in Internet Options, click on the Privacy tab:
Unfortunately, IE’s security model and its concept of zones are fairly complex (for reasons unknown) and to delve into it in detail would require more than a single, simple write-up. However, in this dialog, you can examine the privacy settings for Internet Explorer’s “Internet zone”.
As you can see above, third-party cookies are largely disabled in this example.
You can click-and-drag the slider to choose from a pre-defined set of privacy settings, or you can click on the Advanced button to choose a custom set of settings.
Managing cookies: Firefox
To delete cookies in Firefox, click on the Tools menu, and click on Clear Recent History. In the resulting dialog, click the little down-arrow next to Details:
Here you can select not only what to delete, including Cookies, but also select a specific timeframe.
To view the browser options for cookies, click on Tools, Options, and then in the resulting dialog box, click on the
In the Firefox will: dropdown in the History section, make sure to select “Use custom settings for History” to expose the more detailed settings available for managing cookies. Much like IE, you can enable or disable third-party cookies, create lists of exceptions, and more.
Managing cookies: Chrome
To delete cookies in Chrome, click on the gear or customize icon to the far right of the address bar and click on Settings. At the bottom of the Settings page, click on Show advanced settings…. Underneath Privacy, click on the Clear Browsing Data… button.
As you can see, one of the many items you can choose to delete is the collection of cookies, and like Firefox, you can specify a timeframe.
To manage cookie settings, once again in Show advanced settings…, underneath Privacy, click on the Content Settings… button.
At the very top of the resulting dialog box that appears are the settings to control cookies, including third-party cookies and any exceptions.
OMG! They’re tracking me!
No, they’re not.
Yes, they are, but … no, they’re not.
Here’s my position: they don’t care about you specifically.
Sorry, but you and I just aren’t that important or interesting to track as individuals.
Heck, the sheer volume of data alone makes tracking any one individual an incredibly difficult task.
What’s much more interesting is aggregate data: the data that says things like X percent of the visitors to reallybigbookstore.com also visit somerandomservice.com. Or data that shows that people that visit this page frequently are likely to respond to these advertisements. This type of tracking can also be used, for example, to avoid showing advertisements designed for women to people whose online behavior looks like that of men.
You get the idea. They don’t track at the individual level, but they use the data en masse to do things like provide more highly targeted and interesting ads or perform market research.
That’s not to say that cookies can’t be misused; I’m sure they can.
It’s just that it’s typically a lot more work than it’s worth.
Unfortunately, some anti-spyware tools will flag tracking cookies – often any tracking cookie – as a form of malware. I simply and emphatically disagree. Flagging tracking cookies in that manner causes more confusion and concern than it adds value. And it certainly doesn’t make you any safer.
What should your settings be?
In my opinion, the default settings across all browsers are just fine. The examples above will let you see what they are, but I see no real reason to change them.
However, I know that some people feel differently, and those of you who do might want to spend a little time diving into your browser’s cookie settings.