Online Privacy | 12 min read | Published: January 1, 2026 | Updated: February 9, 2026

What Are Cookies and How They Work

Technical explanation of HTTP cookies, their structure, types, and how websites use them for functionality and tracking.


HTTP cookies are small pieces of text that websites store in browsers to maintain state between requests. HTTP itself is stateless: each request to a server is independent, and the server retains nothing about earlier requests. Cookies solve this by letting a server hand data to the browser, which stores it and includes it in later requests to the matching domain and path. Cookies enable functionality such as maintaining login sessions, preserving shopping cart contents, storing user preferences, and tracking user activity across page loads and visits. They are set by servers in Set-Cookie HTTP response headers and returned to servers in Cookie HTTP request headers.

What Are Cookies

HTTP cookies (also called web cookies or browser cookies) are text strings that websites store in browsers to persist data between HTTP requests. When a server sends a Set-Cookie header in an HTTP response, the browser stores the cookie. On subsequent requests to the same domain, the browser automatically includes the cookie in the Cookie header. Each cookie is a name-value pair accompanied by metadata such as domain, path, expiration date, and security flags. Cookies are stored in plain text in the browser's cookie store (a database or file on disk), so anyone with access to that store can read them. Cookies allow websites to remember user actions, preferences, and authentication state across page loads and browser sessions.

How Cookies Work

Cookies operate entirely through the HTTP protocol. When a browser makes an HTTP request, the server can respond with one or more Set-Cookie headers. The browser parses each header and stores the cookie according to its attributes (domain, path, expiration, and security flags). On subsequent requests whose host and path match those attributes, the browser automatically includes the stored cookies in the Cookie request header. The server reads their values to restore state, identify returning users, or retrieve stored preferences. A cookie is sent with every matching request until it expires, is deleted, or is withheld because of a security restriction (for example, a Secure cookie on a plain HTTP request). The browser manages cookie storage, expiration, and transmission automatically, without user intervention.

Cookie Structure and Attributes

Cookies consist of required and optional components:

  • Name: The identifier for the cookie (e.g., "session_id" or "user_pref")
  • Value: The data stored in the cookie (e.g., "abc123xyz" or "dark_mode=true")
  • Domain: Specifies which domains can receive the cookie. If set to ".example.com", the cookie is sent to example.com and all subdomains
  • Path: Restricts the cookie to specific URL paths within the domain
  • Expires/Max-Age: Defines when the cookie should expire. If not set, the cookie is a session cookie that expires when the browser closes
  • Secure flag: When present, the cookie is only sent over HTTPS connections
  • HttpOnly flag: When present, scripts running in the page cannot read the cookie through document.cookie, so a cross-site scripting (XSS) payload cannot steal it
  • SameSite attribute: Controls when cookies are sent in cross-site requests. Values include Strict, Lax, and None
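The header exchange described under "How Cookies Work" and the attribute list above can be made concrete with a small model of the browser side. The following is an added example written for this article, not code from the article itself or from any browser: it parses a Set-Cookie header into a cookie record and then decides, for a given request URL, which stored cookies belong in the Cookie header, applying the domain, path, Secure and expiry rules. One caveat worth knowing when reading the Domain bullet: under RFC 6265, browsers ignore a leading dot in the Domain attribute, so any explicit Domain value covers the domain and its subdomains, while omitting Domain makes the cookie host-only; the model below follows that rule. The sample headers, hostnames and the fixed "now" timestamp are constructed for the demonstration.

```python
# Added example (not the article's code): a simplified model of how a browser
# stores a Set-Cookie header and decides which cookies to attach to a request.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                  # lowercase host, no leading dot
    host_only: bool              # True when the Domain attribute was absent
    path: str
    expires: Optional[datetime]  # None means a session cookie
    secure: bool
    http_only: bool
    same_site: str               # "Strict", "Lax" or "None"


def parse_set_cookie(header: str, request_url: str, now: datetime) -> Cookie:
    """Parse one Set-Cookie header value as a browser would (simplified RFC 6265)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    req = urlparse(request_url)
    host = (req.hostname or "").lower()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # RFC 6265: a leading dot in Domain is ignored; any Domain covers subdomains.
    domain = attrs.get("domain", "").lower().lstrip(".")
    host_only = domain == ""
    if host_only:
        domain = host
    # Max-Age wins over Expires when both are present; neither => session cookie.
    expires: Optional[datetime] = None
    if "max-age" in attrs:
        expires = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
    # Default path is the "directory" part of the request URL's path.
    if attrs.get("path", "").startswith("/"):
        path = attrs["path"]
    else:
        req_path = req.path or "/"
        path = req_path[: req_path.rfind("/")] or "/"
    return Cookie(
        name=name.strip(), value=value.strip(), domain=domain, host_only=host_only,
        path=path, expires=expires, secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite", "Lax").capitalize(),
    )


def domain_matches(cookie_domain: str, host: str) -> bool:
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(cookie_path: str, request_path: str) -> bool:
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_header(jar: List[Cookie], request_url: str, now: datetime) -> str:
    """Build the Cookie request header the browser would send for request_url."""
    req = urlparse(request_url)
    host = (req.hostname or "").lower()
    req_path = req.path or "/"
    sent = []
    for c in jar:
        if c.expires is not None and c.expires <= now:
            continue                                   # expired
        if c.host_only and host != c.domain:
            continue                                   # host-only cookie, other host
        if not c.host_only and not domain_matches(c.domain, host):
            continue                                   # outside the cookie's domain
        if not path_matches(c.path, req_path):
            continue                                   # outside the cookie's path
        if c.secure and req.scheme != "https":
            continue                                   # Secure: HTTPS only
        sent.append(f"{c.name}={c.value}")
    return "; ".join(sent)


if __name__ == "__main__":
    # Constructed sample: a session cookie and a 30-day persistent cookie.
    now = datetime(2026, 2, 9, tzinfo=timezone.utc)
    jar = [
        parse_set_cookie("session_id=abc123xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
                         "https://example.com/login", now),
        parse_set_cookie("user_pref=dark_mode; Domain=.example.com; Path=/; Max-Age=2592000",
                         "https://example.com/settings", now),
    ]
    print(cookie_header(jar, "https://example.com/account", now))   # both cookies
    print(cookie_header(jar, "http://example.com/account", now))    # Secure cookie withheld
    print(cookie_header(jar, "https://shop.example.com/", now))     # host-only cookie withheld
```

Running the script shows the three behaviours the attribute list describes: both cookies go to the origin that set them over HTTPS, the Secure session cookie is withheld on a plain HTTP request, and only the cookie with an explicit Domain attribute reaches a subdomain. Real browsers additionally enforce SameSite, cookie-prefix rules and per-domain limits, which this model omits.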

Types of Cookies

Session Cookies

Session cookies are temporary cookies that expire when browsers close or after specified inactivity periods. They do not have explicit expiration dates set and are stored only in browser memory (not written to disk in some implementations). Session cookies are used for functionality that should not persist beyond a single browsing session, such as maintaining authentication states during active browsing, preserving shopping cart contents during a shopping session, and storing temporary form data or application state. They are automatically deleted when browsers close, providing a balance between functionality and privacy.

Persistent Cookies

Persistent cookies have explicit expiration dates (Expires attribute) or maximum age values (Max-Age attribute) and remain stored on devices until they expire or are manually deleted. They persist across browser sessions and can last for days, months, or years depending on their expiration settings. Persistent cookies are used for functionality that should survive browser restarts, such as keeping users signed in between visits ("remember me"), storing user preferences and settings, maintaining analytics identifiers across visits, and enabling long-term tracking for advertising purposes. Their persistence makes them valuable for tracking and personalization but also raises privacy concerns.

First-Party Cookies

First-party cookies are set by the domain displayed in the browser's address bar. When visiting example.com, cookies set with domain="example.com" or domain=".example.com" are first-party cookies. These cookies can only be read by the website that set them (and its subdomains if the domain attribute includes the dot prefix). First-party cookies are typically used for website functionality such as maintaining login sessions, storing user preferences, preserving shopping cart contents, and conducting first-party analytics. They are generally considered less problematic for privacy because they are confined to a single domain and users have direct relationships with the websites setting them.

Third-Party Cookies

Third-party cookies are set by domains different from the one displayed in the browser's address bar. When visiting example.com, if a cookie is set with domain="tracker.com", that cookie is a third-party cookie. Third-party cookies are typically set through embedded content such as advertisements, social media widgets, analytics scripts, or other third-party services. They enable cross-site tracking because the same third-party domain can set cookies across multiple websites, allowing tracking entities to build profiles of user behavior across different sites. Third-party cookies are the primary mechanism for cross-site tracking and targeted advertising. Modern browsers increasingly restrict or block third-party cookies by default.

How Cookies Are Used for Tracking

Cookies enable tracking through unique identifiers stored in cookie values. When a tracking service (such as an advertising network) sets a cookie with a unique identifier (e.g., "user_id=789abc"), this identifier is sent with requests to the tracking domain across all websites that embed the tracking service. The tracking service can correlate activities from different websites using the same cookie identifier, building profiles of browsing behavior. For example, if a user visits website-a.com and website-b.com, both of which include code from the same advertising network, the advertising network receives the same cookie identifier from both sites, allowing it to link the visits together. This cross-site tracking enables behavioral profiling, targeted advertising, and analytics aggregation across multiple websites.
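The first-party versus third-party distinction and the cross-site correlation described above can be simulated end to end. The following is an added example written for this article, not code from the article or from any browser or ad network. It classifies a request as first- or third-party relative to the top-level site, models a browser with a single cookie store, and models an embedded tracker that issues an identifier on first contact and logs which sites it later sees that identifier on. Running the same visits with third-party cookies blocked shows why the restriction breaks the linkage. The site names website-a.com, website-b.com and tracker.com are the article's own illustrative names; the "registrable domain" helper is a deliberate simplification (real browsers consult the Public Suffix List).

```python
# Added example (not the article's code): first-/third-party classification and
# a simulation of cross-site tracking through one embedded tracker cookie.
import secrets
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    # Simplification: the last two labels. Browsers use the Public Suffix List
    # so that hosts such as "example.co.uk" are grouped correctly.
    return ".".join(host.lower().split(".")[-2:])


def cookie_party(top_level_url: str, request_url: str) -> str:
    """'first-party' when the request's site matches the address-bar site."""
    site = registrable_domain(urlparse(top_level_url).hostname or "")
    target = registrable_domain(urlparse(request_url).hostname or "")
    return "first-party" if site == target else "third-party"


class Browser:
    """Minimal browser model: one cookie store keyed by the cookie's site."""

    def __init__(self, block_third_party: bool = False) -> None:
        self.jar: Dict[str, Dict[str, str]] = {}
        self.block_third_party = block_third_party

    def fetch(self, top_level_url: str, request_url: str,
              server: Callable[[str, Dict[str, str]], Dict[str, str]]) -> None:
        party = cookie_party(top_level_url, request_url)
        site = registrable_domain(urlparse(request_url).hostname or "")
        blocked = party == "third-party" and self.block_third_party
        # Cookie request header: withheld entirely for blocked third parties.
        sent = {} if blocked else dict(self.jar.get(site, {}))
        set_cookies = server(top_level_url, sent)
        # Set-Cookie response headers: discarded for blocked third parties.
        if not blocked:
            self.jar.setdefault(site, {}).update(set_cookies)


class Tracker:
    """An ad network whose pixel is embedded on many sites; keeps (uid, site) logs."""

    def __init__(self) -> None:
        self.log: List[Tuple[str, str]] = []

    def serve(self, top_level_url: str, cookies: Dict[str, str]) -> Dict[str, str]:
        # Reuse the presented identifier, or mint a new one for an unknown browser.
        uid = cookies.get("user_id") or secrets.token_hex(8)
        self.log.append((uid, registrable_domain(urlparse(top_level_url).hostname or "")))
        return {"user_id": uid}

    def profiles(self) -> Dict[str, Set[str]]:
        """Sites seen per identifier: the 'profile' the tracker can build."""
        out: Dict[str, Set[str]] = {}
        for uid, site in self.log:
            out.setdefault(uid, set()).add(site)
        return out


def simulate(block_third_party: bool) -> Dict[str, Set[str]]:
    """Three page views on two sites, each embedding the same tracking pixel."""
    tracker = Tracker()
    browser = Browser(block_third_party)
    for page in ("https://website-a.com/news",
                 "https://website-b.com/shop",
                 "https://website-a.com/sports"):
        browser.fetch(page, "https://tracker.com/pixel.gif", tracker.serve)
    return tracker.profiles()


if __name__ == "__main__":
    print("third-party cookies allowed:", simulate(block_third_party=False))
    print("third-party cookies blocked:", simulate(block_third_party=True))
```

With third-party cookies allowed, the tracker ends up with one identifier linked to both website-a.com and website-b.com. With them blocked, every page view looks like a new browser, so the log holds three unrelated identifiers and no cross-site profile. Blocking does not stop the tracker from being contacted; it only removes the stable identifier, which is why fingerprinting and other stateless techniques become attractive substitutes.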

Cookie Consent and Privacy Regulations

Privacy regulations such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in California require websites to obtain user consent before setting certain types of cookies, particularly those used for tracking or advertising purposes. Cookie consent notices (also called cookie banners) inform users about cookie usage and request consent. These notices typically offer options to accept all cookies, reject non-essential cookies, or customize cookie preferences by category (such as essential, analytics, marketing, and functional cookies). Compliance requirements vary by jurisdiction, and some regulations distinguish between essential cookies (necessary for website functionality) and non-essential cookies (used for tracking, advertising, or analytics) that require explicit consent.

Managing Cookies

Browser Settings

Browsers provide settings to control cookie behavior:

  • Block Third-Party Cookies: Chrome: Settings → Privacy and security → Cookies → Block third-party cookies. Firefox: Settings → Privacy → Enhanced Tracking Protection → Strict. Safari: Enabled by default. Edge: Settings → Privacy → Tracking prevention → Strict
  • Block All Cookies: Most browsers allow blocking all cookies, though this typically breaks website functionality
  • Clear Cookies: Browsers provide options to delete all cookies, cookies for specific domains, or cookies within specific time ranges
  • Cookie Exceptions: Users can create allowlists or blocklists for specific domains
  • Delete Cookies on Exit: Configure browsers to automatically delete cookies when closing, or delete only third-party cookies

Browser Extensions

Extensions can provide additional cookie management capabilities:

  • Cookie AutoDelete: Automatically deletes cookies when users leave websites, with options to whitelist specific domains
  • Cookie Editor: Allows viewing, editing, and deleting individual cookies
  • uBlock Origin: Content blocker that can filter cookie-related requests and block tracking cookies
  • Cookie consent extensions: Automatically dismiss cookie consent notices or select privacy-friendly options

Private Browsing Modes

Private browsing modes (incognito mode, private windows) typically do not persist cookies after windows close. Cookies set during private browsing sessions are stored temporarily and deleted when private windows are closed. However, cookies still function during the private browsing session, meaning tracking can occur within that session. Private browsing does not prevent tracking during active use, only persistence of tracking identifiers after the session ends. Websites cannot distinguish between private and regular browsing modes based on cookie behavior alone.

Third-Party Cookie Restrictions

Major browsers are implementing restrictions on third-party cookies. Safari blocks third-party cookies by default. Firefox blocks third-party cookies when Enhanced Tracking Protection is enabled. Chrome is phasing out third-party cookies and developing alternative tracking mechanisms through the Privacy Sandbox initiative, which includes proposals such as FLoC (Federated Learning of Cohorts), Topics API, and Attribution Reporting API. These alternatives aim to provide some advertising and analytics capabilities while reducing individual tracking. The transition away from third-party cookies has led to increased adoption of alternative tracking methods such as browser fingerprinting, first-party data collection, server-side tracking, and cross-site tracking through other mechanisms.

Cookies vs. Other Storage Mechanisms

Browsers provide additional storage mechanisms beyond cookies:

  • Local Storage: Web Storage API that stores key-value pairs with larger capacity limits (typically 5-10MB) than cookies. Data persists until explicitly deleted and is accessible only to JavaScript from the same origin
  • Session Storage: Similar to Local Storage but limited to the browser session. Data is deleted when tabs or windows close
  • IndexedDB: Browser database API that stores structured data with larger capacity limits. Provides more complex data storage than Local Storage
  • ETags: HTTP entity tags used for cache validation. Some tracking implementations use ETags as tracking identifiers that persist even when cookies are cleared

These mechanisms are not automatically sent with HTTP requests like cookies, but JavaScript code can read and write to them, making them useful for storing larger amounts of data or as alternatives to cookies for tracking purposes.

Security Considerations

Cookies raise several security concerns. A cookie without the Secure flag is transmitted over both HTTP and HTTPS, so sensitive values may travel over an unencrypted connection. The HttpOnly flag blocks script access, reducing the chance that a cross-site scripting (XSS) payload can steal an authentication cookie. The SameSite attribute restricts when a cookie is sent with cross-site requests, which mitigates cross-site request forgery (CSRF). Session fixation becomes possible when the session identifier stored in a cookie is not regenerated at authentication, because an identifier known to an attacker beforehand would then become an authenticated session. Cookie theft through network interception, malware, or XSS can lead to account compromise. Secure cookie practice therefore means setting the Secure and HttpOnly flags, applying SameSite restrictions, regenerating session identifiers after authentication, and using long, unpredictable cookie values.
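The practices listed above are easy to check mechanically. The following is an added example written for this article, not code from the article or from any framework: an audit function that reports which of the Secure, HttpOnly, SameSite and "strong value" practices a given Set-Cookie header violates, together with a small server-side session store that issues a fresh identifier at login so that a pre-existing identifier cannot be turned into an authenticated one. The header strings and the 16-character threshold for a "short" value are constructed for the demonstration; the store's API (create, login, user_for) is hypothetical.

```python
# Added example (not the article's code): audit Set-Cookie headers against the
# practices above, and regenerate the session id on login (session fixation defence).
import secrets
from typing import Dict, List, Optional


def audit_set_cookie(header: str, sensitive: bool = True) -> List[str]:
    """Return findings for one Set-Cookie header value; empty list means it passes."""
    parts = [p.strip() for p in header.split(";")]
    _name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()

    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if sensitive and "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page scripts (XSS exposure)")
    same_site: Optional[str] = attrs.get("samesite")
    if same_site is None:
        findings.append("missing SameSite: relies on the browser default (Lax in modern browsers)")
    elif same_site == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure; modern browsers reject this cookie")
    if sensitive and len(value.strip()) < 16:  # constructed threshold for the demo
        findings.append(f"value is short ({len(value.strip())} chars); use a long random identifier")
    return findings


class SessionStore:
    """Server-side sessions; the identifier changes whenever privilege changes."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate and issue a NEW id; the pre-login id stops working."""
        data = self._sessions.pop(sid, {"user": None})
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid, {}).get("user")


def session_set_cookie(sid: str) -> str:
    """The Set-Cookie value a server should emit for the session id."""
    return f"session_id={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # Constructed headers: a weak one and a hardened one.
    for header in ("session_id=abc123; Path=/",
                   session_set_cookie(secrets.token_urlsafe(32))):
        print(header[:40], "->", audit_set_cookie(header) or ["ok"])

    store = SessionStore()
    anonymous = store.create()
    authenticated = store.login(anonymous, "alice")
    print("old id still valid:", store.user_for(anonymous) is not None)   # False
    print("new id user:", store.user_for(authenticated))                   # alice
```

The audit deliberately treats an absent SameSite as a finding even though modern browsers default to Lax: an explicit value documents intent and protects users of older browsers. The login method pops the old record before inserting the new one, so a session identifier that existed before authentication is never associated with the logged-in user.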

Limitations and Considerations

Cookies have several limitations. Browsers cap the number of cookies per domain (typically 50-150) and the size of each cookie (usually 4KB, though limits vary). Cookies are sent with every HTTP request to matching domains, increasing request size and potentially affecting performance. Users can delete cookies at any time, which makes them unreliable for long-term tracking without some other persistent identifier. Browser restrictions on third-party cookies reduce their effectiveness for cross-site tracking. Cookies are domain-specific, so cross-domain tracking requires third-party cookies or other mechanisms. Privacy regulations require consent for many cookie uses, which can limit their deployment. Some users disable cookies entirely, though this breaks most website functionality.
