Cookies
Cookies are small text files that reside on the client for the purpose of identifying a user or device and establishing a session within an application. Many companies with an e-commerce presence rely on cookies for maintaining sessions (logins). Cookies also expanded early on into other "tracking usages", such as advertising, content personalization and similar uses. The cookie-based and tracking-related technologies used include HTTP Cookies, HTML5 localStorage/sessionStorage/webDB, Flash local storage/cookies (deprecated along with Flash technology itself), Web Beacons such as Pixel Trackers/GIFs & Canvas, embedded scripts (JS), ETags/browser caches, and push-based Software Development Kits & Callback APIs.
First-party Cookies
First-party Cookies are placed by the website you are intentionally interacting with (including through the use of third-party service providers). They allow you to use that company's services and features, maintain a session, or assist in opt-in/opt-out/background analytics activities.
Third-party Cookies
Certain third parties may place their Cookies on your device and use them to recognize your device when you visit a company's services and persist or "stick with your device" when you leave one website to visit another website or even while interacting with multiple online services (for instance in different tabs, windows or browsers). Third-party Cookies enable certain features or functionalities, and advertising, to be provided on the Services. The third parties who employ these methods typically collect and use this information pursuant to their own privacy policies.
Types of Cookies
The Services use the following types of first and third-party Cookies for these purposes:
Strictly Necessary Cookies
These Cookies are required for Service functionality, including for system administration, security and fraud prevention, and to enable any purchasing capabilities. Users can still set their browsers to block these Cookies, but some parts of the destination website/service may not function properly.
Information Storage and Access
These Cookies allow companies (and potentially their partners) to store and access information on the device, such as device identifiers.
Measurement and Analytics
These Cookies collect data regarding your usage of and performance of the Services, apply market research to generate audiences, and measure the delivery and effectiveness of content and advertising. We and our third-party vendors use these Cookies to perform analytics, so we can improve the content and user experience, develop new products and services, and for statistical purposes. They are also used to recognize you and provide further insights across platforms and devices for the above purposes.
Personalization Cookies
These Cookies enable a provider to offer certain features, such as determining whether users are first-time or repeat visitors, capping message frequency, remembering choices users have made (e.g. language preferences, time zone), and assisting users with logging in after registration (including across platforms and devices). These Cookies also allow your device to receive and send information, so you can see and interact with ads and content.
Content Selection and Delivery Cookies
Data collected under this category can also be used to select and deliver personalized content, such as news articles and videos.
Ad Selection and Delivery Cookies
These Cookies are used to collect data about your browsing habits, your use of the Services, your preferences, and your interaction with advertisements across platforms and devices for the purpose of delivering interest-based advertising content on a company's services and any experiences embedded from that company within third-party sites (widgets, embedded scripts, etc). Third-party sites and services also use interest-based Advertising Cookies to deliver content, including advertisements relevant to your interests on the Services and third-party services. If you reject these Cookies, you may see contextual advertising that may be less relevant to you.
Social Media Cookies
These Cookies are set by Social Media platforms on the services to enable you to share content with your friends and networks. Social media platforms have the ability to track your online activity outside of the Services. This may impact the content and messages you see on other services you visit.
Secure Cookies
- Security Cookies (WHITEPAPER): https://www.netsparker.com/security-cookies-whitepaper/
HttpOnly
- HttpOnly: https://www.owasp.org/index.php/HttpOnly
- Secure Cookie with HttpOnly and Secure flag in Apache Web Server: https://geekflare.com/httponly-secure-cookie-apache/
SameSite
- SameSite Cookies by Default in Chrome 76 and Above: https://www.netsparker.com/blog/web-security/same-site-cookies-by-default/
Addressable Media preservation technologies
Most of these have been criticized by consumer privacy advocates such as the Electronic Frontier Foundation (EFF), World Wide Web Consortium (W3C) and Free Software Foundation (FSF). For instance, Unified ID 2.0, a proposed replacement for "3rd party tracking cookies", would, according to the EFF, "deputize publishers to collect email addresses and other PII on ad tech’s behalf and could normalize “trackerwalls” that force users to sacrifice privacy for first-class Internet access".
Unified ID
Initiative proposed by IAB.
For more info, see: UnifiedID
FLoC
Initiative proposed by Google.
For more info, see: FLoC
Fingerprinting
- W3C -- Mitigating Browser Fingerprinting in Web Specifications: https://w3c.github.io/fingerprinting-guidance/
- What is fingerprinting?: https://www.mozilla.org/en-US/firefox/features/block-fingerprinting/
WebFinger
- WebFinger: https://webfinger.net/
Tools
- CookieManager+ plugin for FF: https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/ [7][8][9][10][11][12]
- EditThisCookie extension for Chrome: https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg [13][14][15][16]
- Check Website HTTP Response Header (includes Cookie analysis): https://tools.geekflare.com/http-headers-test [17]
- Am I FLoCed?: https://amifloced.org/ [18]
Resources
- Global Authoring Practices for Mobile Web: http://www.passani.it/gap/
- Using Cookies in PHP: http://www.websitepublisher.net/article/php_cookies/
Tutorials
- Quirks Mode Comprehensive Guide to Cookies in the Client: www.quirksmode.org/js/cookies.html
- Tutorial -- JavaScript and Cookies: http://www.elated.com/articles/javascript-and-cookies/
- EU "Cookies" Directive -- (Humorous) Interactive guide to 25th May and what it means for you: http://www.davidnaylor.co.uk/eu-cookies-directive-interactive-guide-to-25th-may-and-what-it-means-for-you.html
- Get, Set and Print Cookies in JS: http://www.perlscriptsjavascripts.com/js/cookies.html
- Working With Cookies in Java: https://docs.oracle.com/javase/tutorial/networking/cookies/index.html
- Changes to SameSite Cookie Behavior – A Call to Action for Web Developers: https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/
- Reusing (and abusing) Cookies: https://medium.com/@ricardoiramar/reusing-cookies-23ed4691122b
- Cookies and the GDPR - What’s Really Required?: https://www.iubenda.com/en/help/5525-cookies-gdpr-requirements
- 2021 Strategies for Data Privacy & Cookie Consent Management: https://www.bounteous.com/insights/2021/05/13/strategies-data-privacy-cookie-consent-management/
- Serving Static Content from a Cookieless Domain: https://www.ravelrumba.com/blog/static-cookieless-domain/
- What Do Those Pesky 'Cookie Preferences' Pop-Ups Really Mean?: https://www.wired.com/story/what-do-cookie-preferences-pop-ups-mean/
External Links
- Session IDs vs. Cookies -- The Great Standoff: http://www.straightupsearch.com/archives/2006/11/session_ids_vs.html
- Why Session ID's And Search Engines Don't Get Along (Hint: It's a Duplicate Content Thing): http://www.searchengineguide.com/stoney-degeyter/why-session-ids-and-search-engines-dont.php
- JSESSIONID considered harmful: http://randomcoder.com/articles/jsessionid-considered-harmful
- MSDN -- IE - Beware Cookie Sharing in Cross-Zone Scenarios: https://blogs.msdn.microsoft.com/ieinternals/2011/03/10/beware-cookie-sharing-in-cross-zone-scenarios/
- 64% Of Tracking Cookies Are Blocked, Deleted By Web Browsers: https://www.mediapost.com/publications/article/316757/64-of-tracking-cookies-are-blocked-deleted-by-we.html
- Tracking Cookies and GDPR: https://techblog.bozho.net/tracking-cookies-gdpr/
- Emptying The Cookie Jar With The Help Of AI: https://www.mediapost.com/publications/article/337499/emptying-the-cookie-jar-with-the-help-of-ai.html
- Google Accepts The Cookie Is Finally Crumbling (thanks to EU's GDPR + ePrivacy Directive): https://www.mediapost.com/publications/article/345780/google-accepts-the-cookie-is-finally-crumbling.html
- Building a more private web -- A path towards making third party cookies obsolete: https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html (Ad industry shifting towards compiling Internet Protocol address, Browser version, monitor Resolution and any Device specifications/metadata that can be gleaned)
- Making Sense Of Google's Cookieless Environment: https://www.mediapost.com/publications/article/349967/making-sense-of-googles-cookieless-environment.html
- Can Killing Cookies Save Journalism?: https://www.wired.com/story/can-killing-cookies-save-journalism/ [19]
- Marketers Are Going To Be OK With Google's Killing The Cookie (For Good): https://www.mediapost.com/publications/article/346060/marketers-are-going-to-be-ok-with-googles-killing.html
- IBM Shows Through Nielsen How It Targets Ads Without Third-Party Cookies Or Identifiers: https://www.mediapost.com/publications/article/355708/ibm-shows-through-nielsen-how-it-targets-ads-witho.html
- Let's Find 'Anti-Fragile' Solutions To The Loss Of The Cookie: https://www.mediapost.com/publications/article/347065/lets-find-anti-fragile-solutions-to-the-loss-of.html
- Apple Gives Publishers Another Reason To Go Cookie-Less: https://www.mediapost.com/publications/article/356145/apple-gives-publishers-another-reason-to-go-cookie.html
- Conde Nast Shows More Signs Of Cookie-Less Future For Publishers: https://www.mediapost.com/publications/article/354034/conde-nast-shows-more-signs-of-cookie-less-future.html
- Publicis Strikes Exclusive Deal With The Trade Desk, Integrates Epsilon's Consumer IDs As Cookie Solution: https://www.mediapost.com/publications/article/362145/publicis-strikes-exclusive-deal-with-the-trade-des.html
- ANA Blasts Apple's Newest Move Against Tracking Cookies: https://www.mediapost.com/publications/article/358355/ana-blasts-apples-newest-move-against-tracking-co.html
- Association of National Advertisers (ANA) Criticism Of Apple Is Occasion To Tout Publisher Strengths (to privately auction ad spots themselves, and properly control their own audiences' data): https://www.mediapost.com/publications/article/358396/ana-criticism-of-apple-is-occasion-to-tout-publish.html
- Ad World Shaken By Onslaught Of Universal IDs As It Prepares To Give Up Cookies: https://www.mediapost.com/publications/article/362652/ad-industry-shaken-by-onslaught-of-universal-ids-a.html
- OpenAP Introduces 'OpenID,' New Identifier For Linear TV/Digital Advertising: https://www.mediapost.com/publications/article/362771/openap-introduces-openid-new-identifier-for-lin.html
References
- ↑ Yes, You Should Secure Web Cookies with Secure Flags (even Applications that already operate over SSL): https://www.pivotpointsecurity.com/blog/securing-web-cookies-secure-flag/
- ↑ Netsparker tool shows cookie is not marked as HttpOnly: https://stackoverflow.com/questions/38782022/netsparker-tool-shows-cookie-is-not-marked-as-httponly
- ↑ Secure WordPress with X-Frame-Options & HttpOnly Cookie: https://geekflare.com/wordpress-x-frame-options-httponly-cookie/
- ↑ After Cookies, Ad Tech Wants to Use Your Email to Track You Everywhere: https://www.eff.org/deeplinks/2021/04/after-cookies-ad-tech-wants-use-your-email-track-you-everywhere
- ↑ List of trackers provided by "Disconnect" add-on/extension: https://disconnect.me/trackerprotection (this is the list used by Mozilla to block trackers in Firefox)
- ↑ Enhanced Tracking Protection in Firefox for desktop: https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop
- ↑ Firefox Cookie Editor: http://www.ghacks.net/2008/12/12/firefox-cookie-editor/
- ↑ Add N Edit Cookies 0.2.1.3 -- FIREFOX PLUGIN: https://addons.mozilla.org/en-US/firefox/addon/573
- ↑ Live HTTP Headers: https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/?src=ss (to see Cookies actually being passed in the Headers of HTTP requests)
- ↑ FF Dev Tools -- Network Monitor (now shows Cookies): https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor
- ↑ FF Dev Tools -- Storage Inspector (now also shows Cookies and enables some add/delete/update capabilities): https://developer.mozilla.org/en-US/docs/Tools/Storage_Inspector
- ↑ Edit or remove cookies from Firefox’s Developer Toolbar: https://www.ghacks.net/2012/11/03/edit-or-remove-cookies-from-firefoxs-developer-toolbar/
- ↑ Cookie Inspector extension for Chrome: https://chrome.google.com/webstore/detail/cookie-inspector/jgbbilmfbammlbbhmmgaagdkbkepnijn
- ↑ Cookies extension for Chrome: https://chrome.google.com/webstore/detail/cookies/iphcomljdfghbkdcfndaijbokpgddeno
- ↑ Inspect and Delete Cookies in the built-in Chrome Dev Tools: https://developers.google.com/web/tools/chrome-devtools/manage-data/cookies
- ↑ How do I view, add or edit Cookies in Google Chrome?: https://superuser.com/questions/244062/how-do-i-view-add-or-edit-cookies-in-google-chrome
- ↑ How do you view session cookies in Internet Explorer?: https://stackoverflow.com/questions/6051811/how-do-you-view-session-cookies-in-internet-explorer
- ↑ Google’s FLoC Is a Terrible Idea: https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
- ↑ How To Learn To Stop Worrying And Love The Cookie-Less Future: https://www.mediapost.com/publications/article/354441/how-to-learn-to-stop-worrying-and-love-the-cookie-.html
See Also
Authentication | HTTP/HTTPS | Session | Login | Security | Privacy | BT/Personalization | Email | WebFinger | Web Analytics | JS | JSP | PHP | ASP | Python