Web cookies are a fundamental technology in the web ecosystem. Cookies were created by Lou Montulli in 1994 to help websites remember users and enable features like shopping carts, solving the problem of the web being largely stateless and anonymous.

Since cookies are small text files stored on the user's hard drive, what probably comes to mind when you first hear this? Tracking and privacy concerns, of course. Let's demystify this technology step by step to understand it from A to Z.

Cookies Config

Cookies store different kinds of digital information: login information (to keep you signed in); items in a shopping cart; user settings (language, theme); browsing activity (pages visited, buttons clicked); information you've entered in forms. Here's how websites store cookies on your device:

  1. Visit a Site — Creation: A website sends a cookie to your browser.
  2. Browser Stores It — Storage: Your browser saves the small file to the hard drive, typically in the browser's root folder.
  3. Return Visit — Usage: The site reads the cookie to recognize you and your settings.

Types of Cookies

  1. Session cookies: These cookies disappear when users close the browser and terminate the active session. They are used to track activity within a single browsing session and are essential for certain website features, such as maintaining your logged-in status while navigating between pages.
  2. Persistent cookies: These cookies remain on the computer even after the browser is closed. They are used to store information such as login credentials, language preferences, and site settings, so that they can be accessed and applied the next time you visit the website. They can be set by First-Party or Third-Party websites.

Attributes of Cookies

Web cookies come with several important attributes that control their behavior and security. Let's explore each one to understand how they protect data and manage cookie transmission.

  • Name & Value: The actual data, e.g., sessionID=12345.
  • Domain: Specifies which domain the cookie is valid for, e.g., example.com.
  • Path: Limits the cookie to a specific path (folder) on a domain, e.g., /images/.
  • Expires & Max-Age: Sets a lifespan; Expires is a date, Max-Age is a duration in seconds, after which the browser deletes it.
  • SameSite Attribute: The SameSite attribute determines when cookies are sent with cross-site requests, offering three levels of protection:

SameSite=Strict: The most restrictive option. Cookies are only sent when you're directly on the website that created them. This means if you click a link to the site from elsewhere, the cookie won't be sent initially. It provides maximum protection against cross-site request forgery (CSRF) attacks but can affect user experience.

SameSite=Lax: The balanced approach and default in most modern browsers. Cookies are sent with top-level navigation (like clicking a link) but not with cross-site subrequests (like loading images or iframes from other sites). This offers good security while maintaining reasonable functionality.

SameSite=None: The most permissive setting. Cookies are sent with all requests, including cross-site ones. This is necessary for legitimate third-party integrations but requires the Secure attribute to be set as well.

  • HttpOnly Attribute: When enabled, it prevents client-side scripts (like JavaScript) from accessing the cookie, protecting against Cross-Site Scripting (XSS) attacks. HttpOnly cookies can only be read and modified by the server, keeping sensitive authentication data safe from browser-based attacks.
  • Secure Attribute: Ensures cookies are only transmitted over encrypted HTTPS connections, never over plain HTTP. This prevents attackers from intercepting cookies through man-in-the-middle attacks on unsecured networks.
  • Partitioned: An emerging attribute for third-party cookies, isolating them per top-level site.
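As an added example that is not part of the original article, the Python below parses a Set-Cookie header, audits the Secure, HttpOnly and SameSite attributes described above, and models whether a browser would attach the cookie to a same-site or cross-site request under each SameSite level. The header values and finding strings are constructed for the demonstration.

```python
from dataclasses import dataclass

# Constructed sample headers for this demonstration (not from the article).
WEAK = "sessionID=12345; Path=/"
HARDENED = "sessionID=12345; Path=/; Secure; HttpOnly; SameSite=Strict"


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict  # attribute name (lower-cased) -> value, or True for flags


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flag -> True
    return Cookie(name.strip(), value.strip(), attrs)


def audit(cookie: Cookie) -> list[str]:
    """Return the findings a reviewer would raise about the cookie's attributes."""
    findings = []
    if "secure" not in cookie.attrs:
        findings.append("missing Secure: sent over plain HTTP")
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly: readable by page scripts")
    samesite = str(cookie.attrs.get("samesite", "")).lower()
    if samesite == "none" and "secure" not in cookie.attrs:
        findings.append("SameSite=None requires Secure; browsers reject it")
    return findings


def would_send(cookie: Cookie, cross_site: bool, top_level_nav: bool) -> bool:
    """Model the SameSite rule: would the browser attach this cookie?"""
    if not cross_site:
        return True  # same-site requests always carry the cookie
    samesite = str(cookie.attrs.get("samesite", "lax")).lower()
    if samesite == "strict":
        return False  # never sent from another site, not even on a link click
    if samesite == "none":
        return True  # sent on every cross-site request (only honoured with Secure)
    return top_level_nav  # Lax (the default): link clicks yes, images/iframes no


if __name__ == "__main__":
    for header in (WEAK, HARDENED):
        cookie = parse_set_cookie(header)
        print(cookie.name, audit(cookie), would_send(cookie, True, False))
```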

Cookie Dangers

Cookies play a vital role in web security because of how they function in the browser-server relationship. Every time your browser makes an HTTP request to a server — whether fetching resources or maintaining an active session — cookies are automatically sent along with that request.

This very functionality makes them an extremely attractive target for attackers. Here are some ways cookies can be misused:

Session Hijacking: If an attacker obtains your cookies, they essentially become you. They can impersonate you completely, hijacking your session and navigating your account as if they were the legitimate owner. No password needed — the stolen cookie is all it takes to gain full access.

Cross-Site Scripting: XSS attacks inject malicious code into websites, which may then set or misuse cookies in the user's browser. Such injected code can be used to steal private data, such as login information or session tokens, when the user interacts with the compromised website.

Cross-Site Request Forgery: CSRF attacks leverage the trust relationship between a website and a browser to execute unauthorized actions on behalf of the user. Attackers may use cookies to forge HTTP requests that appear to originate from the user's browser, allowing them to perform actions such as transferring funds, changing account settings, or submitting forms without the user's consent.

Tracking and Profiling: While not necessarily malicious in the traditional sense, cookies can be used by advertisers and data brokers to track users' online behavior and build detailed profiles of their interests, preferences, and habits. This information can be used for advertisement targeting, identity fraud, and private data theft.

Privacy and identity

Legal regulations, such as the General Data Protection Regulation (GDPR) in Europe or the California Consumer Privacy Act (CCPA) in the United States, require that websites obtain consent from users before setting certain types of cookies, especially those used for tracking and advertising purposes. To comply with these regulations and avoid potential penalties, websites present cookie consent banners or pop-ups, asking users to accept cookies before proceeding.