How computer cookies work

Jorge DiazSE
Computer cookies are an interesting aspect web browsing that have baffled many people for years, with news channels constantly talking about cyber-security breaches many mistakenly think that cookies play a core component in them. The truth is that they play an important role in the IT privacy issue as there are still murky laws and regulations about how the collected information is handled but they don’t necessarily pose a security risk in and of itself.  
Let’s delve more into cookies: 

What are Computer cookies: in layman terms a computer cookie is a file that stores information about your browsing history, technical information such as your OS version, browser version, and even information about you such as sex, age, geo location, etc. The files are stored on your computer and when you revisit the site the web browsers pulls those stored files and loads the information memory to offer a more customized experience. What information is collected is up to the "cookie creator", legitimate site's cookies collect basic information you have entered to the site in various ways such as fill out or sign up forms. 
Cookies are not malign, as a matter of fact, they make the life of the end user easier by providing functions that make for better interaction between the browser and the web server.  At the same time cookies can be abused or sold without your consent and that’s where the whole privacy and security dilemma kicks in. There are some cookies “watch" the different sites you visit and the pages of the site you show interest in, in other words, it profiles your online behavior to deliver personalized advertisement. This specific has opened a can of legal warms, how legitimate and not so legitimate companies handle our information has become a debate in courts around world as there's no real global standards yet.  A key point here is that cookies are optional for some websites, meaning that not all website install cookies to collect information about you or your web browsing habits but such data is so valuable most sites move in that direction.
Another interesting point is that cookies’ control fall on the end user’s domain, meaning we all have the ability to manage if we accept or deny cookies on our computers regardless of the OS or browser we use.  It becomes, however, a catch 22 for those concerned with privacy where if you block cookies or restrict them you may not be able to navigate websites properly but if you allow them without restriction you may fear privacy violations.  To address this very issue some countries around the world adopted what was known as the Cookie Law where websites had to make aware their visitors about what cookies were being install and the purpose of the cookies. The law was shortly implemented by many European countries but its enforcement was discontinued after receiving heavy criticism and backslash from the technical and user community.  Another less invasive implementation of such concept is making available a Privacy Policy that outlines the purpose of information collected information, usage, etc.
There are different categories of cookies and they can be optional depending on the function of the site and the section of the site you are visiting. For instance, you can disable cookies on your computer and still be able browse many websites such as,, or any other site, however there are websites that require you to allow cookies in order for you to access them or certain functions in them, sites such as:,, etc. or any other sites that requires cookies enabled to deliver a higher level of security.

Let's go over a couple of example about how cookies work:

Disable Cookies: You may have your reasons to disable cookies on your browser and create a customized web browser experience. Although it is possible it is very time consuming as you'd need to provide explicit access to specific sites that require cookies to for you to interact it with properly.  Remember, not all websites require cookies enabled so it will be able to browse the without issues for the most part.

If using Internet Explorer you can go to Control Panel\ Internet Options\Privacy\Advanced to modify the settings.
1.JPGIf using Google Chrome you select the Chrome Menu\Settings\Show Advanced settings

2.JPGClose your browser and open it again after making the changes and do an online search. For the most part you'll be able to access websites, especially informational sites, that don't require cookies enable on your browser. In this case those sites don't really see a need to collect information about you. However, there are other sites that do require cookies enabled, if you visit banking websites like or you'll notice that you won't be able to properly interact with the site. Depending on the browser and its version you may get strange results on some sites with cookies when cookies are disabled, for instance on a basic install of Windows OS with no patches a connection was rejected when trying to access Bank of America's web site, however Chrome will be able to load the site as it manages cookies slightly different but you won't be able to do any online banking activity.

IE with cookies disabled accessing Bank of America.

bankofamerica.PNGGoogle Chrome with cookies disabled accessing Bank of America. You can navigate the "general" site but can't do online banking.

bankofamerica-good.PNGGoogle Chrome with cookies disabled accessing Bank of America. Can't successfully access the log in portal, the connection is rejected in the form of unrecognized user.

In another site however the outcome is different over both browsers. Wellsfargo, for instance, allows connections to their main page but if you attempt to do any online banking the connection will be rejected. Again, there are a lot of components that work together in order for web pages to load properly on the web browser. OS updates, applications updates and compatibilities, etc., but for now we'll concentrate only on cookies.

3.PNGIn both cases the sites needed cookies at different sections to allow proper access. If we go ahead and enable session cookies  you'll notice that access will be granted as normal, even Bankofamerica will load correctly. So what is then that when cookies are disabled you can't load the sites properly but when session cookies are enabled you can? We'll talk about each type of cookie in details later but for now you realized the importance of session cookies.

I can proceed and enable the session cookies on IE browser settings and be able to log in without any issues. In this case the website does not need to install or keep track of my whereabouts but rather needs to keep track of the session, that is why after some time of inactivity you’ll get message from the browser asking if you are still doing online banking, if you don’t respond the session will be closed for your protection.

As you may have already realized browser settings handle cookies a little bit different so cookie management has a lot to do with the internal architecture of the software. 

Do you want complete control over what cookies install on your computer? If using IE  you can select the option to be prompted before cookies are downloaded to your pc, however you'll soon realize it's not a good idea after all as you'll be prompted multiple times to allow cookies on every site you visit, an alternative to it would be to create Browser exceptions to override the cookie settings.

When you select the browser option to Prompt before cookies are install you'll receive multiple pop ups asking you if you want to allow the cookies. This behavior is per site and per page.

cookies-prompting.PNGYou can also create Cookies exception by adding sites to the list, you have the power to Allow or Block cookie access that will override the global setting for the specific sites on the list. 

So far we have gone over cookies in general and scratch the surface of session cookies but there's more to it than meets the eye. If you tried the cookie Prompt setting in IE you realized how many cookies are run on every site you visit. You can also spot them by performing a network capture to see how the browser pulls cookies down to your computer as the web pages load. 

Let’s talk to bit about First and Third party cookies:

First-party cookies are “direct” cookies from the website you are visiting and Third-party cookies  are cookies belonging to domains other than the one you are visiting, they also can be in the form of java or flash script.  When you access a website you can get First and Third party cookies downloaded to your computer. 

In the following example we visited, first-party cookies are all cookies that fall under the domain, as you can see you see,, and Each having their own unique cookies for the session. 

At the same time, when visiting Macy's' website third-party cookie load on your system. In the example below all those you can see cookies from different domains such as:,, etc. are loaded (not in our case since we blocked them) as the site opens. Third party-cookies for the most part are for marketing and web browsing profiling purposes. 

As mentioned earlier Third-party cookies can be built on flash, also known as super cookies, they have the ability to collect more information, store on a location different than regular cookies, and be able to load from any web browser calling for flash plugins. If you open the flash setting on your computer you'll notice the various settings you can customize, including the ability to allow or block the how websites store information on your computer.

cookies-flash.JPGYou can allow or deny the use of local storage by sites.

Different types of cookies: Cookies can be classified differently depending on their function, they are implemented "as needed" on websites depending on what the web developer and marketing manager want to accomplish, with that in mind let's go over the most common cookies:
  • Authentication Cookies: This type of cookies contains information about user authentication to the site such as user name, password, etc. When you visit a site and log in to it the credentials you entered are temporarily stored on a cookie that will be used to authenticate you as you to navigate other pages in the site. As long as session is active and the authentication cookie in cache the connection will remain active even if you navigate away from the site itself and come back at a later time. The web browser keeps track of authentication cookie, if you close the browser tab you used to access the website from the cookie still active, if you go ahead and close the browser then the session is close.  You as see authentication cookies are very convenient is web browsing, however its designed may be abused posing a huge security risk. Sophisticated attacks such as Cross-site-scripting (XSS) and Man in the Middle (MIM) may allow for the exploitation of browser vulnerabilities allowing an attacker to access the cookie files from memory  to authenticate as that user without know the credentials. 
  • Session Cookies: Conceptually speaking session cookies store information in memory (RAM) about your current web browsing session and once your web browser is closed the session cookies are erased. This type of cookies don't store personal or system information like other cookies do but rather creates an identifier and stored on the server to maintain the connection active. In our previous examples we disabled session cookies when browsing Bank of America and Wells Fargo websites, we were able to browse through some functionalities but we couldn't access the "secured" section of the site. Session cookies need to be enable for the server to interact securely with the web browser by maintaining an identifier as the users navigates the site.
  • Persistent Cookies: These are cookies that last longer (is up to the developer), retrieve information about your last session and present it to the website when revisiting it the website. All persistent cookies have an expiration date, if they don't then they are session cookies which will be deleted when the browser is closed. The expiration date varies and it could be anything between hours and years.  As time goes by your web browsers keeps on storing persistent cookie file on your computer, even if the cookie expiration date is past due the file still remain on your computer. Depending on the browser you are using you can set a limit to the amount of hard disk space allocated for temporary internet files (which include cookies) or you can delete the cookies all together.
  • Secure Cookies: This is an attribute that flags the cookies as having the ability to transmit information over HTTP and HTTPS, meaning that they should not be accessed from JavaScript thus offering a level of protection against XSS vulnerabilities. 
General Questions:
  • Are cookies evil: not necessarily but it all depends what your definition of evil is. As stated earlier, many website have legit use for it to provide a secure and personalized service to users.  The issue arises when those cookies are exploited by the company whose website you are accessing and third party companies.  Though so far cookies do not spread viruses or malware they are fertile ground adware and may pose an invasion of privacy if the collected information is misused.
  • Will my computer work faster if I delete the cookies: Unless cookies are taking up a lot of space on your computer deleting cookies will not have any real impact on its general performance.
  • Can I see what information the cookies collect? Not really, they are not files in a readable format for you to edit, they simply hold information usable to the websites you are accessing.
  • Is there a way to completely erase your web browsing history? You can use your browser setting to delete the browsing history and all stored cookies, this by no means represents total anonymity.  You can also use web browser options such as: InPrivate Browsing, Igcognito, Turnon Tracking Protection if you worry and cookies stored on your pc. As we saw earlier, don't forget to delete stored flash information from your system as well.
Cookies are a core component of web browsing as they complement and enhance the limitation of HTML. It is important for users to understand the benefits and risks associated with them and how to create an environment where privacy, security, and system performance can coexist in a comprehensive way. 

Thank you for reading my article, please leave valuable feedback.  If you liked this article  or would like to see more, please click the Yes button near the: Was this article helpful?  at the bottom of this article just below and to the right of this information. 

I look forward to hearing from you. - Jorge D. 
Jorge DiazSE

Comments (3)



Resubmitting it.
Jim HornSQL Server Data Dude
Most Valuable Expert 2013
Author of the Year 2015

Nice article, with excellent use of images to illustrate the text.  Voting Yes.

Very good article, Jorge!  As mentioned by another, your use of images (screen shots) to demonstrate your concepts in the text is extremely useful.  Thanks for posting your article! I vote YES!

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.