In web development, a “cookie” stores basic user information on the user’s own computer, potentially improving the browsing experience and even making visitors to an ecommerce site feel more welcome.
Cookies are often used to save a visitor’s username and password so that the visitor does not have to sign on for each and every visit. Cookies can be used to track information that leads to making better product recommendations in an online store or to help offer special prices and discounts to loyal shoppers. Cookies can also store user preferences so that a site remembers how the user likes things arranged.
To some, cookies can also seem a bit vague or even dangerous. In fact, technical author Kevin Yank wrote in his book, Build Your Own Database Driven Web Site Using PHP & MySQL, that cookies are one “of those mysterious technologies that are almost always made out to be more intimidating and complex than they really are.”
A Cookie is a Name-Value Pair
To help understand what a cookie is, it may be useful to imagine opening a word processor, like Notepad, Google Docs, or Microsoft Word. Next, type some words or even a sentence or two. Then save the file in text format, giving it a name like name.txt. The words and sentences typed into the document represent the value of the file and, as you might guess, the file’s name, name.txt, is its name. This relationship (name-value pair) is almost directly analogous to a cookie, which is a text file with some value and a specific name by which it can be referenced.
A cookie’s value might be something easy to understand and read, like a username, or it could be a token, which is a series of numbers and letters that reference something on a specific web server or in a web database. The cookie’s value might match a field in a database. Related fields would hold customer information, so by getting the cookie’s value, the server also has access to the content of the related fields.
Here is an example cookie from the Puma website. Its name is s_vi:
In all likelihood, this token will access some stored data — like which products the user looked at or how long the user lingered — on the Puma web server.
If the Puma visitor were a returning customer, this cookie and its value might be used to restore items to an abandoned shopping cart or remember the visitor’s account credentials. It is possible that this cookie could, by enabling the site to address the shopper by name, make the visitor feel more welcome.
This next example is a cookie from a WordPress blog. This cookie’s name is BX:
This cookie’s value might be used to append a URL and turn on or off some set of features.
Here is another example cookie. This one is from Alienware. Its name is AlienwareInfo:
Because of its simplicity, it may be that Alienware is using this cookie, in combination with other cookies also set during the user session, to determine if a user has been on the site before.
Browsers also store other information about cookies. For example, cookies are generally available to a single domain and the browser — such as Microsoft Internet Explorer (IE) 9, Mozilla Firefox, Google Chrome, or Apple Safari — keeps track of this proper domain.
Finally, it is important to remember that cookies are stored on the user’s own computer, phone, or tablet.
What Cookies Do
Cookies store data. They give a website long term memory, generally without putting the user or the user’s privacy — more on this below — at risk. Because a website can “remember” things about the user, the site can make things easier.
Perhaps the simplest example to understand is logging in to a website. If cookies did not exist, each time a user visited a website, that user would have to log in, even if those visits were just a few minutes apart. In a worst-case scenario, a site without cookies might require you to log in each time you opened a new page. Such a site would not be able to remember anything about the visitor from one session to the next or even one page to the next in some cases.
Most Cookies are Safe
There has been a lot of discussion in publications, on forums, and even in legislative halls about cookies and privacy, or cookies and web security. Many Internet users ask, “Are cookies safe?”
To again reference Kevin Yank’s book, “cookies in and of themselves are incapable of compromising a user’s privacy.”
Cookies, which cannot be executed like scripts, are relatively benign and unquestionably helpful. However, there are some uses of cookies that users might not be happy about.
Third Party Cookies and Other Concerns
Cookies are supposed to help a single website remember something about a particular user in order to improve that user’s experience, provide information to the site, or enable features or measurement. When a cookie is set, the browser records the host server (domain), and the next time the user visits the host, the browser shares the cookie data.
When a user visits a webpage like SomeSite.com, you might think that the only web server providing data and setting cookies would be SomeSite.com, but that might not be the case. If the site includes social media widgets, ad network script, or web tracking and analytics content, there may be several web servers interacting with the browser, and each of these servers may be setting cookies.
In the image below, there may be six web servers or more contributing to the page and, potentially, setting browser cookies. The web servers involved include the domain’s own for adding most of the page content, the ad network that is serving up the Microsoft ads shown, and the various social media sites that have widgets on the page — Facebook, Twitter, Google Buzz, and Digg.
It is possible — if not likely — that each of these servers would set or update a cookie. In fact, in the example page displayed above there was an ad network cookie set for rotator.adjuggler.com. If a user visited another site using the identical ad network, the ad network’s server might be able to collect information from the existing cookie and, thereby, aggregate user information from across more than one domain.
This type of cookie, one that might appear on several domains from an ad network or the like, is called a “third party cookie.” It has raised valid privacy concerns. In fact, there has been some indication that legislators could make using third party cookies illegal in some instances. Also, the specifications that describe cookies — the Internet Engineering Task Force’s RFC 2109 and RFC 2965 — encourage browsers to refuse third party cookies by default. However, that is not generally the case.
Other potentially distasteful uses of cookies include so-called zombies, which are cookies that do not expire, but are rather reset by a script. Some Flash cookies — see “An Introduction to Flash Cookies; How to Manage Them,” our recent article on that topic — could be considered to be zombies. When used across multiple domains, zombies could potentially be a privacy concern.
Finally, there are also so-called super cookies that are set for domain endings, like .com rather than SomeSite.com. Fortunately, most modern browsers will refuse this sort of cookie.
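The two domain checks described above, third-party classification and refusing a cookie scoped to a bare domain ending, sketched as an added JavaScript example that is not code from the original article. The function names and the four-entry suffix set are assumptions; real browsers consult the full Public Suffix List.

```javascript
// Constructed, tiny stand-in for the Public Suffix List (assumption).
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'net', 'co.uk']);

// Registrable domain = the public suffix plus one label to its left,
// e.g. rotator.adjuggler.com -> adjuggler.com. Returns null when the host
// is itself a suffix or its suffix is not in the list.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  for (let i = 0; i < labels.length; i++) {
    // Scanning from the left finds the longest matching suffix first.
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  return null;
}

// Would a browser accept Domain=<domainAttr> on a cookie set by <host>?
function acceptsDomainAttribute(host, domainAttr) {
  const h = host.toLowerCase();
  const d = domainAttr.toLowerCase().replace(/^\./, '');
  if (PUBLIC_SUFFIXES.has(d)) return false; // "super cookie" scoped to .com
  return h === d || h.endsWith('.' + d);    // host must sit under the domain
}

// A cookie is third-party when the server setting it belongs to a different
// registrable domain than the page the user is visiting.
function isThirdParty(pageHost, cookieHost) {
  const page = registrableDomain(pageHost);
  const setter = registrableDomain(cookieHost);
  return page === null || setter === null || page !== setter;
}
```

With SomeSite.com as the page, a cookie from rotator.adjuggler.com is classified as third-party, while one from a SomeSite.com subdomain is not.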
Cookies, then, are generally safe. They cannot spread a virus, and generally won’t share too much information unless they are used by a third party. From the site owner’s perspective, choose the third party providers you use wisely in order to protect your customers.
Setting, Reading, and Deleting Cookies
The code used to set a cookie is generally simple. The following example is PHP.
<?php
$value = 'cookie value';
setcookie('my_cookie', $value, time() + 3600);
?>
Above, the first line sets a variable to “cookie value.” Next, a function named setcookie() is used to send the cookie to the web browser. The setcookie() function has three parameters in this example. The first parameter passes the cookie’s name. In this case, that name is “my_cookie.” The second parameter uses the variable created above to pass the cookie’s value. The third parameter sets the cookie’s expiration, which in the example is one hour (3,600 seconds) from the current time (time()). PHP can add more complex cookie data if needed, but that is beyond this article’s scope.
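// JavaScript: set the cookie
document.cookie = 'my_cookie=cookievalue; expires=Fri, 1 April 2011 10:10:10 UTC';
// Read it back: take the text after the "=" (assumes my_cookie is the only cookie)
var cookieContent = document.cookie.split('=')[1];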
Again, this is a simple example, but it should return cookievalue.
In PHP, reading a cookie might look like the following.
$cookie_example = $_COOKIE['my_cookie'];
The variable $cookie_example would hold the cookie’s value.
Finally, to delete a cookie, set its expiration date to sometime in the past.
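The set, read and delete steps described above, collected as an added JavaScript example that is not code from the original article. The helper names parseCookies, buildCookie and buildDeleteCookie are assumptions; the parser splits each pair on the first "=" only, so it still returns the right value when the browser holds several cookies or a value itself contains "=".

```javascript
// Constructed sample of what document.cookie can look like with three cookies.
const SAMPLE = 'my_cookie=cookievalue; token=YWJj=; theme=dark';

// Parse a document.cookie-style string into a Map of name -> value.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const pair of cookieString.split(';')) {
    const trimmed = pair.trim();
    const eq = trimmed.indexOf('=');
    if (eq < 1) continue;                   // skip empty or name-less fragments
    const name = trimmed.slice(0, eq).trim();
    const raw = trimmed.slice(eq + 1).trim();
    let value;
    try {
      value = decodeURIComponent(raw);
    } catch (e) {
      value = raw;                          // malformed %-escape: keep raw text
    }
    if (!jar.has(name)) jar.set(name, value); // first occurrence wins
  }
  return jar;
}

// Build the string assigned to document.cookie to set a cookie.
function buildCookie(name, value, expiresDate) {
  // Reject names with spaces, ";" or "=" so the pair cannot be split wrongly.
  if (!/^[A-Za-z0-9!#$%&'*+.^_`|~-]+$/.test(name)) {
    throw new Error('invalid cookie name: ' + name);
  }
  let out = name + '=' + encodeURIComponent(value);
  if (expiresDate) out += '; expires=' + expiresDate.toUTCString();
  return out;
}

// Deleting means re-sending the same name with an expiry in the past.
function buildDeleteCookie(name) {
  return buildCookie(name, '', new Date(0));
}
```

In a browser, assign the returned strings to document.cookie and pass document.cookie to parseCookies.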
Cookies are name-value pairs that give a website “memory” so it can recognize a returning visitor. Cookies make many useful web features possible. And cookies work across all web browsers.
Although it is possible to misuse a cookie, the technology itself is benign and actually quite secure.