HTTP Cookie

An HTTP (Hypertext Transfer Protocol) cookie is a piece of data that is stored on a user's computer when it accesses a website and is then later retrieved by that site. Also known as an “Internet cookie,” “web cookie,” or “browser cookie,” this data may record and track a user's browsing history, account details, or form entries, among other information. While some types of cookies are necessary for web browsers to function, their use has raised concerns about violation of privacy.

OVERVIEW

HTTP cookies were introduced by Netscape Communications in the first edition of its Netscape Navigator browser, released in 1994. The name comes from “magic cookie,” a computing term used since the 1970s to describe a piece of data exchanged between programs, often for identification purposes.

In basic HTTP functioning, every time a browser interacts with the server hosting a particular website, the server treats the connection as a brand new request, not recognizing it from previous interactions. As such, HTTP is considered a “stateless” protocol, meaning it stores no information on its own. In order for a website or other application to remember such things as the identity of a logged-in user or the items placed in a virtual shopping cart, when a browser connects with a host server for the first time, the server stores a cookie on the browser's computer. The next time the browser connects to the server, the cookie reminds the application of the stored information—that is, its state. If the user does something to change the application's state, such as adding an additional item to his or her virtual shopping cart, the server updates the information in the cookie.

Different types of cookies are used for different purposes. All cookies fall into one of two categories: session cookies, which are stored only for the length of a user's browsing session and are deleted when the browser is closed, and persistent cookies, which remain stored on the user's computer until they either reach a predetermined expiration date or are manually deleted. First-party cookies are those created and stored by a site the user chooses to visit, while third-party cookies are installed by some entity other than the site the user is visiting, often by companies advertising on that site. First-party cookies include authentication cookies, which are created when a user logs into an account on a particular website and identify that user until he or she logs out, and may be either session cookies or persistent cookies. Third-party cookies are usually persistent. One common type is the third-party tracking cookie; these cookies maintain a record of a user's browsing history, which companies may then use to gather consumer data or to more precisely target advertisements. Other types of cookies include HTTP-only cookies, which are only used when HTTP requests are being transmitted and thus are more secure; flash cookies or local shared objects (LSOs), which are stored by websites that use Adobe Flash and are more difficult to delete; and opt-out cookies, which prevent advertising companies from showing users targeted ads.
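The categories above can be read directly off the `Set-Cookie` header a server sends. The following Python sketch is an added example, not part of the original article: it classifies a cookie as session or persistent, first- or third-party, and reports the `HttpOnly` and `Secure` flags. The hostnames and cookie values are constructed, and the `site()` comparison is a simplifying assumption (browsers consult the Public Suffix List).

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, attrs); attribute names are lowercased."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def lifetime(attrs, now):
    """Return 'session', 'persistent', or 'expired' (a request to delete the cookie)."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "expired"
        except ValueError:
            pass  # malformed Max-Age is ignored
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
            return "persistent" if when > now else "expired"
        except (TypeError, ValueError):
            return "session"  # unparseable or zone-less date: attribute ignored
    return "session"

def site(url):
    """Assumption: the last two DNS labels approximate the site."""
    return ".".join(urlsplit(url).hostname.lower().split(".")[-2:])

def classify(header, response_url, page_url, now=None):
    """Classify one Set-Cookie header sent by response_url while the user views page_url."""
    now = now or datetime.now(timezone.utc)
    name, attrs = parse_set_cookie(header)
    return {
        "name": name,
        "lifetime": lifetime(attrs, now),
        "party": "first-party" if site(response_url) == site(page_url) else "third-party",
        "http_only": "httponly" in attrs,
        "secure": "secure" in attrs,
    }

# Constructed sample: a login cookie and an advertiser's tracking cookie on one page.
PAGE = "https://shop.example/cart"
SAMPLES = [
    ("sid=abc123; Path=/; HttpOnly; Secure", "https://shop.example/login"),
    ("uid=u-42; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/", "https://ads.tracker.example/pixel"),
]
```

Running `classify` over `SAMPLES` shows the authentication cookie as a first-party session cookie with both flags set, and the advertiser's cookie as a persistent third-party cookie with neither.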

The use of third-party tracking cookies has raised concerns among users who do not want companies to be able to monitor their online habits. Responses to these concerns include the European Union's Directive on Privacy and Electronic Communications, introduced in 2002 and updated in 2009, which requires companies to obtain consent before installing unnecessary cookies on a user's computer. In addition, most browsers have the ability to block third-party cookies, though some companies have developed methods of circumventing that block. In 2012, for example, Google was discovered to have been deliberately defying the Safari browser's default privacy setting, which bans the installation of third-party cookies.




Figure: Third-party HTTP cookies.






—Randa Tantawi, PhD
