What are Cookies?

When browsing social media, shopping, or doing almost anything else online, you might have seen a website requesting permission to collect and use your cookies. Like many people, you probably clicked on the "approve" button and continued to do what you wanted to do. But did you ever think about what cookies are, and what companies and websites are actually collecting from your device? Why are they even needed?

Let's dive in...
What are Cookies?
In short, cookies are tiny pieces of data stored on a device by a web browser. They are usually text files, and they are most commonly used to identify your device on a network, like an identification card (like the Aadhar card number for Indians).

When you browse the web on your computer, small pieces of information are stored. These pieces range from saved usernames and passwords to the likes and dislikes you left on the page.

One analogy that I can offer for visualizing what cookies are: imagine visiting your school canteen, which you visit quite often. When you enter, the canteen worker will probably already know that your favorite food is samosa, that you are a fan of their pastries, and that you like to sit at that table in the corner. They do not know these facts about you by reading your mind; rather, they know them because you have done these things before, multiple times.

This is how cookies work. Over time, as you repeat actions and visit websites, the data from stored cookies can be used to create a virtual profile of you. Your likes, your dislikes, your family members, your pets, what you need, and what you want can all be inferred from the cookies.

How are Cookies Sent and Stored?
Cookies are created whenever you visit a website. When you visit a website for the first time, the server the website is hosted on sends back the webpage you requested and a small text file, known as a cookie. The next time you visit the website, your browser will send a request for the website along with the cookie. These cookies identify who you are, and provide whatever data that the website may want or need to function properly.

These cookies are all stored locally on your device, and are only sent to the web server when a website requests them. These cookies are stored as dictionaries, or key:value pairs. That way, whenever a website requests a specific piece of data, the data can be identified and sent as quickly as possible.

All cookies are stored locally, which means that your data is only stored on your computer. However, this data can be sent to any website whenever they request it, which is what all the privacy scandals are about: sending enough user data to a website to learn enough to breach someone's privacy.

What are Cookies Used for?
Cookies have many uses, most of which you should be aware of. The three main uses of cookies are below (via Kaspersky):

  1. Session management cookies are cookies stored only for your web browsing session (from when you open your browser to when you close it). These cookies allow websites to have auto-login features and save user preferences, for example, whether or not you turned on dark mode the last time you visited Reddit.
  2. Personalisation cookies are cookies that store user data, more specifically, user data on what you have searched for on the web. These cookies are most commonly used to provide personalized advertisements.
  3. Tracking: Shopping sites use cookies to track items users previously viewed, allowing the sites to suggest other goods they might like and keep items in shopping carts while they continue shopping.

Problems with Cookies
Cookies are essential to the internet today, but they still have problems. Below are some of the most common problems.

Since cookies are stored locally, if an attacker gets access to the raw text cookies on your device, they can get an authorization for certain websites allowing them to log in as you. This is the same concept by which "keep me signed in" buttons work, allowing a user to send a cookie with an authorization instead of logging in again.

When a website receives a request/action in the form of cookies, the server cannot distinguish whether the user requested this action in the current session or whether the cookies saved on the user's computer have requested it. Because of this, an attacker can simply change the content of the cookies so that the user's computer sends requests to the website that the user did not make.

The model of you that can be made using your cookies is extremely advanced and specific. This data is worth a lot, and can be sold to advertising agencies to create targeted advertisements.
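
The first two problems above (a copied cookie that logs someone in as you, and requests the user did not make) are what the standard `Secure`, `HttpOnly` and `SameSite` cookie attributes are meant to limit. As an added example, not part of the original post, this Python script parses `Set-Cookie` header values into their key:value pairs and reports which of those attributes a login cookie lacks; the header values, cookie names and the `SENSITIVE` set are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie header values (not captured from any real site).
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Max-Age=31536000",
    "auth_token=xyz789; Path=/; HttpOnly",
]

# Assumption: these cookie names carry the login "authorization".
SENSITIVE = {"session_id", "auth_token"}

# Attribute -> what it protects against.
PROTECTIONS = {
    "secure": "sent only over HTTPS, so it cannot be read off the network",
    "httponly": "hidden from page scripts, so injected JavaScript cannot read it",
    "samesite": "limits sending on requests started by other sites",
}


def audit(header):
    """Return {cookie_name: [missing attribute, ...]} for one header value."""
    jar = SimpleCookie()
    jar.load(header)  # parses name=value plus the attributes after it
    report = {}
    for name, morsel in jar.items():
        if name not in SENSITIVE:
            continue  # preference cookies such as "theme" are not audited
        # Flags parse to True, SameSite to its value; absent ones stay "".
        report[name] = [attr for attr in PROTECTIONS if not morsel[attr]]
    return report


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        for name, missing in audit(header).items():
            print(name, "OK" if not missing else "is missing:")
            for attr in missing:
                print("   ", attr, "->", PROTECTIONS[attr])
```
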

You can read further about cookies in some other blogs, such as the one by Kaspersky.

Happy Coding! :)
