What’s the Deal with Website Cookies?

Posted in Student Blog Series

Last updated on October 23, 2024

These days, it seems like almost every website a user visits has a small pop-up banner requesting permissions to place cookies on their browser. These banners have become so common that many users will instinctively click the “accept cookies” button without pausing to consider the implications. This behavior is so widespread that studies show about 38% of all users will accept cookies blindly [7]. But what exactly are cookies, and what are users consenting to when they click “accept”?

What Are Cookies?

Internet cookies, or more formally HTTP cookies, are small pieces of data used by web servers to enhance user experience by saving browsing information. When a user accepts cookies on a website, data, usually a unique ID and site name, is stored in a cookie. The webpage can then identify the ID of the cookie and know what information to use, such as a user’s login information or what is in their shopping cart.

While the term “cookies” is widely used, there are many different types of HTTP cookies. The two main categories of cookies are session cookies and persistent cookies. Session cookies are temporary cookies that will disappear as soon as a user terminates the active browsing session. These cookies can help websites track user activity during a browsing session, such as keeping them logged in or remembering items in a shopping cart. They are also essential for website functionality, ensuring a smooth user experience. As soon as the user closes the browser or leaves the website, the session cookies are automatically deleted.

Persistent cookies, on the other hand, remain on the user’s computer, even after the active session ends. These cookies are used to store user information and site settings. Within persistent cookies, there are two common types of cookies: authentication cookies and tracking cookies. Authentication cookies track a user’s login status and username, allowing the user to avoid having to log back in every time the site is reloaded. Tracking cookies are used to keep long-term records of several visits to the same website, allowing the website to build a profile on the user’s browsing habits and provide them with a personalized browsing experience.

Why do Websites Push Cookies?

As previously mentioned, cookies are essential for many website features to work correctly, such as remembering a login session, shopping cart items, and user preferences [1]. However, many websites try to push users to accept cookies for their own gain. Enabling cookies allows websites to track a user’s preferences and how they use the website, helping these sites with analytics and marketing strategies [1]. Some sites will also track a user’s interests, allowing them to show their personalized ads to the user, even on other websites [9].

Although websites give users the option to accept or deny cookies, it is not because the website creators want to. There are rules and regulations in place that require websites to obtain consent from their users before using cookies. Laws such as the General Data Protection Regulation (GDPR) in the EU or the California Consumer Privacy Act (CCPA) in California aim to protect users at a time when people increasingly provide personal information online and data breaches are becoming more and more common. Though there are loopholes in these laws, such as overly complex cookie consent pop-ups that can confuse a user into unintentionally accepting cookies, these regulations are still an important step toward safeguarding user privacy.

When to Accept or Deny Cookies?

There are certainly instances when it is helpful to accept cookies on a website [14]. Though rare, some sites won’t grant access unless the user consents to cookies. While this may present itself as a red flag to users, some websites rely so heavily on features that require cookies that the site will not work without them. For example, ecommerce sites rely on cookies to remember the items that users add to their shopping carts; otherwise the cart would reset whenever the user navigates to another page. Users may also want to accept cookies on their more frequently visited websites for easier log-ins. Since saved cookies can remember a user’s log-in credentials, they can prevent such users from repeatedly having to log in. However, arguably the biggest reason to accept cookies is the improved user experience. For instance, some websites can give targeted discounts based on browsing behavior. By understanding a user’s preferences, websites can tailor their site to their individual interests, ensuring a more focused and personalized browsing experience.

While website cookies can provide convenience for users, more often than not it is best to deny cookies. Users need to recognize times when accepting cookies could be unsafe. For example, users should deny all cookies from unsecured websites, as they can lack necessary security measures such as encryption. Unsecured, or unencrypted, sites can be identified by their web address. The address of a secure site begins with “https://”, while that of an unsecured site starts with “http://”. This simple detail can help ensure a user’s online safety, especially when providing the site with confidential personal information.

Another general rule of thumb is to reject all third-party cookies. First-party cookies contain data that is only accessible from the site on which they were set. Third-party cookies, on the other hand, are website cookies that are not exclusive to the website where they were initially created [2]. By accumulating a user’s browsing habits, they can pose a privacy concern as they contribute to the creation of detailed user profiles [12]. Therefore, though some users may enjoy seeing ads more tailored to their interests, it is best to simply deny third-party cookies.

So, Are Cookies Malicious?

Website cookies themselves are not particularly harmful. However, they can be dangerous if their data falls into the wrong hands. For example, session hijacking, or cookie hijacking, is an attack in which a hacker gains full access to a user’s online account. In fact, a recent study done by Stake found that 31% of e-commerce applications are vulnerable to session hijacking [11]. If a hacker can hijack a browsing session, they can do anything that the original user is able to do on the site, such as purchasing items or accessing personal information.

Some other attacks that can be caused by cookie leaks are cross-site scripting, or XSS, and cross-site request forgery, or CSRF. During an XSS attack, attackers can install dangerous code into websites which can set malicious cookies on the user’s browser. Since the user’s machine thinks that the code is coming from a trusted server, it has no problem running it. These cookies can then steal the user’s private data, allowing for possible further harm [1]. For a CSRF attack, attackers can use cookies to forge HTTP requests, allowing them to perform actions without the user’s consent. Like session hijacking, they can then perform harmful requests like transferring funds or changing passwords.
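To make the session/persistent distinction and the risks above concrete, here is an added example (not part of the original post) that audits the Set-Cookie headers a site sends. The header values are constructed samples and the function names are hypothetical; Secure, HttpOnly and SameSite are standard cookie attributes that limit exposure over http://, to injected scripts, and on cross-site requests respectively.

```javascript
// Constructed Set-Cookie header values (sample data, not from any real site).
const SAMPLE_HEADERS = [
  "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "remember_me=tok789; Max-Age=2592000; Path=/",
  "ad_id=u-42; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; SameSite=None",
];

// Split one Set-Cookie value into its name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq);
  const cookie = { name, value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Hypothetical helper: classify the cookie and list the protections it lacks.
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  // No Expires and no Max-Age: the browser discards it when the session ends.
  const lifetime = "expires" in attrs || "max-age" in attrs ? "persistent" : "session";
  const findings = [];
  if (!attrs.secure) findings.push("no Secure: can travel over unencrypted http://");
  if (!attrs.httponly) findings.push("no HttpOnly: readable by injected script (XSS)");
  const sameSite = String(attrs.samesite || "").toLowerCase();
  if (sameSite !== "lax" && sameSite !== "strict")
    findings.push("SameSite not Lax/Strict: may be sent on cross-site requests (CSRF)");
  return { name, lifetime, findings };
}

for (const h of SAMPLE_HEADERS) console.log(auditCookie(h));
```

Site owners can run the same check against their own response headers; a login or session cookie that produces any finding is the kind of cookie the hijacking scenarios above depend on.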

How to Protect Against Cookies

With the dangers that cookies can pose, it is important that users know how to protect against them. One simple way is to use privacy-focused browsers or browser extensions. While common browsers such as Google Chrome or Safari try to protect their users, certain web browsers such as Mozilla Firefox or Tor Browser were designed with privacy in mind [1]. These browsers are made with features that can help to block cookies, protecting a user’s online privacy. Many will also offer a setting that users can enable to prevent advertisers from tracking their browsing behavior. Installing browser extensions can also help reduce the risk of tracking and spying cookies, as there are extensions that can block monitoring cookies from known tracking companies.

Another way to protect against cookies is to make sure that users clear their cookies regularly. It is recommended that users clear cookies at least once a month [15]. Although clearing cookies will log users out of most sites and will likely delete any preferences saved on those sites, there are numerous reasons as to why users should clear their cookies [13]. For example, by regularly clearing cookies, users can limit how much data marketers can gather about them and their browsing habits. Clearing cookies can also help resolve browsing issues. If pages on a site are not loading properly or a user is logged out unexpectedly, clearing cookies can help resolve such issues.

The more in-depth way to protect from cookie attacks is to stay informed, both about what users are agreeing to and about emerging threats to online privacy. Websites are required to provide their privacy policies regarding how they use and share their data. It is important that users take the time to read through such policies carefully so that they know exactly what they are getting themselves into if they choose to accept cookies. As for staying informed about online privacy, users should look to reputable sources on cybersecurity and keep up with the best practices for protecting their information online [1].

Conclusion

Cookies play a crucial role in website functionality and providing users with a personalized browsing experience. While website cookies themselves are generally harmless, the data they contain can be dangerous if leaked to malicious parties, potentially leading to serious consequences for users and their accounts. It is important that users take the right precautions when they are browsing the internet, and especially important that users be informed when making that simple decision to click accept or deny cookies. By remaining cautious when sharing sensitive information on websites and aware of sketchy sites and their cookie practices, users can make sure to protect their privacy online. 

References

  1. IMI, “Computer Cookie Dangers – Identity Management Institute®,” Identity Management Institute®, May 2024. https://identitymanagementinstitute.org/computer-cookie-dangers/
  2. “What is Cookie? Definition, History, Uses, and Dangers – zenarmor.com,” www.zenarmor.com, Jul. 07, 2024. https://www.zenarmor.com/docs/network-security-tutorials/what-is-cookie
  3. R. Koch, “Cookies, the GDPR, and the ePrivacy Directive,” GDPR.eu, May 09, 2019. https://gdpr.eu/cookies/
  4. State of California Department of Justice, “California Consumer Privacy Act (CCPA),” State of California – Department of Justice – Office of the Attorney General, Mar. 13, 2024. https://oag.ca.gov/privacy/ccpa
  5. “ePrivacy Directive | European Data Protection Supervisor,” www.edps.europa.eu. https://www.edps.europa.eu/data-protection/our-work/subjects/eprivacy-directive_en
  6. A. Fleck, “Infographic: Few Americans Refuse Cookies,” Statista Daily Data, Jan. 08, 2024. https://www.statista.com/chart/31516/how-respondents-handle-cookie-settings/#:~:text=Only%20one%20in%20ten%20adults (accessed Sep. 25, 2024).
  7. J. Koebert, “Cookies Study: 40% of Americans Blindly Accept Internet Cookies, But Most Don’t Know What They Do,” All About Cookies, Oct. 16, 2023. https://allaboutcookies.org/internet-cookies-survey
  8. Kaspersky, “What are Cookies?,” usa.kaspersky.com, Apr. 19, 2023. https://usa.kaspersky.com/resource-center/definitions/cookies
  9. E. Stewart, “What are cookies, and why do websites ask us to accept them?,” Vox, Dec. 10, 2019. https://www.vox.com/recode/2019/12/10/18656519/what-are-cookies-website-tracking-gdpr-privacy
  10. V. Santoyo, “What Are Cookies & How Do They Work?,” Sucuri Blog, Jan. 03, 2023. https://blog.sucuri.net/2023/01/what-are-cookies-a-short-guide-to-managing-your-online-privacy.html#:~:text=Brave-
  11. M. Vojtko, “The Ultimate Guide to Session Hijacking aka Cookie Hijacking,” Hashed Out by The SSL Store™, Nov. 17, 2020. https://www.thesslstore.com/blog/the-ultimate-guide-to-session-hijacking-aka-cookie-hijacking/
  12. “What Are the Risks of Third-Party Cookies?,” Gerrish Legal. https://www.gerrishlegal.com/blog/what-are-the-risks-of-third-party-cookies#:~:text=Besides%20privacy%20worries%2C%20third%2Dparty
  13. J. Dunbar, “Clear Your Cookies,” Concretecms.com, 2024. https://www.concretecms.com/about/blog/devops/clear-your-cookies#:~:text=Browsing%20issues%3A%20If%20pages%20aren (accessed Sep. 25, 2024).
  14. A. G. Johansen, “Should you accept cookies? 5 times you definitely shouldn’t,” us.norton.com, Jun. 13, 2023. https://us.norton.com/blog/privacy/should-i-accept-cookies
  15. J. Rolland, “How to Clear Cookies & Cache on Your Browser and Device 2024 | Cybernews,” Cybernews, Dec. 09, 2019. https://cybernews.com/resources/an-easy-to-use-guide-to-clear-browser-cookies/ (accessed Oct. 03, 2024).

Feature image from AVG
