Cookies: Back to Basics

12 Mar 2017 » MSA

I must admit it: I love cookies. I can eat one cookie pack in a couple of days. Therefore, I try to keep my kitchen free of cookies. However, this is not what I am going to explain here. Today I am going to take a step back and, instead of advanced topics, I want to review a basic concept: cookies. I know most of you know fairly well what cookies are. However, if you are still trying to get your head around cookies, I recommend you keep on reading. You might also find useful ideas to explain cookies to other people.

What are Cookies

The first thing to review is what cookies really are. They are pieces of text that a browser stores, associated with a website. I remember, back in the 90’s, people believing that cookies contained viruses or other evil code. A friend of mine had an application to continuously remove any cookies from Internet Explorer, as he thought they could infect his precious computer. As I have just said, cookies only contain text, and usually only a few characters. It is not possible to execute them like an application.

In fact, you can review their contents very easily. Browsers offer tools to inspect them and there are also a number of browser extensions. In Chrome, you just need to open the Developer Tools (Ctrl + Shift + I) and click on the “Application” tab:

Cookies in Chrome

All cookies must be stored under a domain. A browser will reject a cookie that is not stored under a domain. And most important: the browser will read or write the cookies of a domain only when accessing that domain. In other words, cookies stored under pedromonjo.com can only be accessed by the website at pedromonjo.com.

This statement might be very obvious for most of you. However, quite a few times, someone has asked me how to read cookies from a different domain. Short answer: impossible. Browsers make sure this never happens and I have not heard of any security hole lately which allows it. If you still think you need to read a cookie under a different domain, imagine the following scenario. If I could access any cookie in a browser, I could write a piece of JavaScript in this very website and, as you read this post, steal your bank’s cookies. That would be good news for me, as I would probably be able to retire very soon, but I am pretty sure you would not be happy about it.

Finally, it is worth noting that browsers do not share cookies among them in the same computer: each of them has its own private cookie jar.

1st vs 3rd Party Cookies

I am sure you have heard these concepts before. In this section, I want to make sure you understand them.

So, what are these cookies:

  • 1st party cookies. Cookies which are stored under the domain of the web page you are viewing, that is, the domain which appears in the browser address bar.
  • 3rd party cookies. Cookies stored under a different domain than that of the web page.

You may be wondering how a foreign domain can set cookies on my website. Have I not just stated that browsers prevent access to cookies under other domains? It is definitely possible. To see how, you need to know that there are two ways of setting a cookie:

  • HTTP. Due to the nature of the web, a web page can link to resources under other domains. When requesting a resource from a server (an HTML page, an image, a JavaScript file…), the server, before returning the resource, can send a header to the browser with instructions to store a cookie. Servers can only set cookies under their own domain; browsers will silently reject a server trying to set a cookie under a different domain. All requests to the servers of a particular domain will include all the cookies of that domain. It is through this method that 3rd party cookies can be stored and retrieved.
  • JavaScript. It is also possible to write a piece of code to manipulate cookies. However, JavaScript code can only access 1st party cookies.

By default, Safari rejects setting any 3rd party cookie.

Example of 1st/3rd Party Cookies

Let’s follow an example, which usually helps. Consider this website (pedromonjo.com) and my colleague Jan Exner’s website (webanalyticsfordevelopers.com). I could include in my website a reference to an image on Jan’s website. So, while you are browsing my website, your browser will fetch all the contents from pedromonjo.com, except for that image under webanalyticsfordevelopers.com. In your browser’s address bar, though, you will only see pedromonjo.com.

browser address bar

How does this setup affect cookies?

  • My server will be able to read and write cookies only under pedromonjo.com.
  • Jan’s server will be able to read and write cookies only under webanalyticsfordevelopers.com.
  • Any JavaScript on my website will only be able to read and write cookies under pedromonjo.com.

In this scenario, cookies under pedromonjo.com are 1st party cookies and cookies under webanalyticsfordevelopers.com are 3rd party cookies.

Other Properties

There are a few other properties of cookies worth knowing:

  • Expiration. Cookies can be set to expire at the end of the session (i.e. when you close the browser), at a precise date and time or after a precise number of seconds. After a cookie expires, it is deleted permanently.
  • HTTP Only. If you want to add more security to a cookie that only the server needs, you can mark it HTTP Only, which prevents JavaScript from reading it.
  • Secure. These cookies will only be sent to the server when using HTTPS.
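To tie the two ways of setting a cookie (HTTP vs JavaScript), the 1st/3rd party example and these properties together, here is an added example, not code from the original post, that models in plain JavaScript how a browser stores a Set-Cookie header and decides which cookies a request or a script gets to see. The hosts, cookie names and header values are constructed for the walk-through.

```javascript
// Added example, not the post's own code: a small model of how a browser handles
// Set-Cookie, showing which host a cookie is stored under (1st vs 3rd party) and
// what Expiration, HttpOnly and Secure do. All inputs are constructed.

// Parse one Set-Cookie header value; `now` resolves Max-Age (which wins over Expires).
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   httpOnly: false, secure: false, expires: null }; // null = session cookie
  let hasMaxAge = false;
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'max-age') { cookie.expires = now + Number(v) * 1000; hasMaxAge = true; }
    else if (key === 'expires' && !hasMaxAge) cookie.expires = Date.parse(v);
  }
  return cookie;
}
// A cookie is stored under the host that sent the response, never under the
// host in the address bar: that is what makes it 1st or 3rd party.
function storeCookie(jar, responseHost, pageHost, header, now) {
  const cookie = parseSetCookie(header, now);
  cookie.party = responseHost === pageHost ? '1st' : '3rd';
  (jar[responseHost] = jar[responseHost] || []).push(cookie);
  return cookie;
}

const alive = (c, now) => c.expires === null || c.expires > now;
// Cookies sent with a request: only those of the requested host, not yet
// expired, and Secure ones only over HTTPS.
function cookiesForRequest(jar, host, scheme, now) {
  return (jar[host] || []).filter(c => alive(c, now) && (!c.secure || scheme === 'https'));
}
// What document.cookie on a page at pageHost can read: that host's cookies
// only, and never those marked HttpOnly.
function cookiesVisibleToScript(jar, pageHost, now) {
  return (jar[pageHost] || []).filter(c => alive(c, now) && !c.httpOnly);
}

// The post's scenario: a page on pedromonjo.com embeds an image from Jan's site.
const NOW = Date.parse('2017-03-12T00:00:00Z'); // fixed clock so results are repeatable
const jar = {};
storeCookie(jar, 'pedromonjo.com', 'pedromonjo.com', 'sid=abc123; HttpOnly; Secure', NOW);
storeCookie(jar, 'pedromonjo.com', 'pedromonjo.com', 'theme=dark; Max-Age=3600', NOW);
storeCookie(jar, 'webanalyticsfordevelopers.com', 'pedromonjo.com', 'visitor=42; Expires=Sun, 12 Mar 2017 01:00:00 GMT', NOW);
console.log(cookiesVisibleToScript(jar, 'pedromonjo.com', NOW).map(c => c.name)); // ['theme']
```

Note that the script on pedromonjo.com never sees `visitor` (a 3rd party cookie) nor `sid` (HTTP Only), and `sid` is only attached to HTTPS requests because it is Secure.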

In future posts, I will explain some use cases, which rely mainly on cookies.
