What are cookies?

[MacBH928]

Not sure where to post this but,
What are cookies and what information do they hold and how they share that information?

I used to believe cookies are mini files that store website preferences like your username/password so you won't have to login everytime you leave the page but it seems it does a lot more than that nowdays.

 

[biker4mac]

The basics (as you say) are that a cookie is a small text file created by a website that is stored on the user's computer that provide a way for the website to recognize you and keep track of your preferences.

Where it gets murky is how much information is stored and what websites can access the information. If website A stores a cookie that keeps basic information (login, what stories you read, when you were last there) and only uses that for its own purposes, that is one thing. But if suddenly websites B, C, and D can also see that information as well as track you from one website to the next and what you did at each and so forth, then it becomes a bit more overbearing.

 

[MacBH928]

The basics (as you say) are that a cookie is a small text file created by a website that is stored on the user's computer that provide a way for the website to recognize you and keep track of your preferences.

Where it gets murky is how much information is stored and what websites can access the information. If website A stores a cookie that keeps basic information (login, what stories you read, when you were last there) and only uses that for its own purposes, that is one thing. But if suddenly websites B, C, and D can also see that information as well as track you from one website to the next and what you did at each and so forth, then it becomes a bit more overbearing.

does it identify you personally or does it identify the browser? As in if I visit Google then Amazon, does it know I(personally) was on Google prior, or it knows that "the user of this browser" was on Google earlier on.

 

[biker4mac]

Basically, it knows the browser. However, if you were logged into Google or Amazon then it would also have the potential to link that login to the browser and thus determine that you were the one visiting subsequent sites.

 

[D.T.]

The basics (as you say) are that a cookie is a small text file created by a website that is stored on the user's computer that provide a way for the website to recognize you and keep track of your preferences.

Where it gets murky is how much information is stored and what websites can access the information. If website A stores a cookie that keeps basic information (login, what stories you read, when you were last there) and only uses that for its own purposes, that is one thing. But if suddenly websites B, C, and D can also see that information as well as track you from one website to the next and what you did at each and so forth, then it becomes a bit more overbearing.

Browser implementation and Cross-Domain Policy (assuming everything is working as designed) prevents a website from reading the cookies created by a different website, i.e., Website A Cookie cannot be read by Website B.

 

[biker4mac]

If everything worked as designed and everyone used the technologies in an open and honest manner, we wouldn't have any problems...

However, tracking cookies do exist and it's best to be aware of them.

 

[Shadow Jolteon]

If everything worked as designed and everyone used the technologies in an open and honest manner, we wouldn't have any problems...

However, tracking cookies do exist and it's best to be aware of them.

I think what you may be thinking of is certain advertising services tracking you across websites. The way they do this is when you visit a site with their advertisements displayed on it, a cookie is sent to your browser that helps to identify you, and then when you go to another site that they advertise on, they can more easily identify you and serve up advertisements to you, along with other factors such as your web browser's user agent, IP address, history, and various other factors. Different services (Facebook, Amazon, Google, etc) also share and sell information on users to build a better background of users to try to serve up more enticing ads catered to each person.

Browsers only send cookies to the domain they were originally sent from, and websites being able to read each others' cookies would be a massive security flaw, as literally any website you visited could scrape your login cookies for anything and then use them for their own purposes.

 

[biker4mac]

Browsers only send cookies to the domain they were originally sent from, and websites being able to read each others' cookies would be a massive security flaw, as literally any website you visited could scrape your login cookies for anything and then use them for their own purposes.

True. I was talking about the ad cookies and sharing between sites in response to the question about Google and Amazon.

 

[Starship67]

What are cookies?

I was thinking somewhere along the lines of tasty baked treat

 

[D.T.]

I think what you may be thinking of is certain advertising services tracking you across websites.

[...]

Browsers only send cookies to the domain they were originally sent from, and websites being able to read each others' cookies would be a massive security flaw, as literally any website you visited could scrape your login cookies for anything and then use them for their own purposes.

Right, good reply. Basically there's a 3rd entity that's a bridge between Site A and Site B, even though A and B are sand boxed (prevented) from reading cookies across domains (and may not be "aware" of the dynamic ad content). That's a big difference vs. having access to site specific cookie values - especially when there's a significant amount of personal/account data dumped into cookies (that's generally pretty poor implementation).

What are cookies?

I was thinking somewhere along the lines of tasty baked treat

I consulted with one of my engineers who's an expert on the subject ...

 

[MacBH928]

I think what you may be thinking of is certain advertising services tracking you across websites. The way they do this is when you visit a site with their advertisements displayed on it, a cookie is sent to your browser that helps to identify you, and then when you go to another site that they advertise on, they can more easily identify you and serve up advertisements to you, along with other factors such as your web browser's user agent, IP address, history, and various other factors. Different services (Facebook, Amazon, Google, etc) also share and sell information on users to build a better background of users to try to serve up more enticing ads catered to each person.

Browsers only send cookies to the domain they were originally sent from, and websites being able to read each others' cookies would be a massive security flaw, as literally any website you visited could scrape your login cookies for anything and then use them for their own purposes.

I am confused at first you said cookies generated by a specific domain will not be shared with another site, but then you said they can track you and see where you went. They can also see my history.

 

[damponting44]

Cookies are small files which are stored on a user's computer. They are designed to hold a modest amount of data specific to a particular client and website, and can be accessed either by the web server or the client computer. This allows the server to deliver a page tailored to a particular user, or the page itself can contain some script which is aware of the data in the cookie and so is able to carry information from one visit to the website (or related site) to the next.

 

[D.T.]

I am confused at first you said cookies generated by a specific domain will not be shared with another site, but then you said they can track you and see where you went. They can also see my history.

I'll see if I can explain this without getting too far into the weeds

So let's say you've got Website A (where is a specific, unique domain), it can read-write cookies that only Website A can access. Pretty clear, right?

Now this website, let's say they sell headphones, are all sorts of assets loaded from the sites servers: markup/HTML, scripts, images - the servers provide storage for the sites products, user accounts, etc. Again, simple.

So one of the things the site loads is some ad code - the implementation particulars aren't important for this discussion - but think of it like it's own small website embedded into Website A. It can't read the cookies, but it can read some browser behavior, like the URL for a search page result from Site A. Also note, that while Site can't override the rules that prevent the ad from reading Site A cookies, Site +can+ share the same data it's storing in a cookie.

Additionally, the ad - again, which like a mini-site bundle with many of the same rules and functionality - an write it's own cookie for the "ad domain". Just like the ad can't read Site A cookies, Site A can't read the ad cookies.

Here's where the black magic occurs: when you go to Site B, also running the same ad engine, the ad can read the ad specific cookie, any Site A data that was allowed/given, ID you on the new site (Site B doesn't ID you, the ad does, again, like a mini version of the same website now running in Site B). So now, that ad in Site B, parses your search data from Site A, shows you on Site B the same headphones you were shopping on Site A. Site B and the ad could also, potentially share data as well - all within the limits of what Site B decides to allow and still enforcing core technology limitations like a cookie from a different domain can't be read.