How the Cookie Crumbles: The Truth about Web Cookies

“‘C’ is for ‘cookie’,” sang Cookie Monster on Sesame Street many years ago, “it’s good enough for me.” Cookie Monster would be disappointed to learn, however, that billions of the world’s cookies are not only inedible, but exist only as small files on people’s computer hard drives. These are web cookies, provided by the web sites that you visit. Like most Internet technologies, they can be immensely useful tools or dangerous infringements on your privacy. Here’s a summary of what cookies are, the difference between bad and good cookies, and how to protect yourself from the bad ones.

What is a cookie?

While you’re probably well versed in what a cookie is, let’s get a definition refresher. A cookie is a small file that is served to your browser by a web server when you visit a web site. It acts as a kind of calling card, a small memento that usually doesn’t do anything until you visit that site again. When you visit a web site and it magically remembers your name, it’s because your browser stored a cookie related to that site the first time you visited it and told it your name.

Good Cookies and Bad Cookies

Cookies can be extraordinarily useful. When you visit an e-commerce site, you are able to click around and put things in your shopping cart because of a type of cookie called a session cookie, which identifies your session with that site so that every HTTP request your browser sends to it is associated with that session. Otherwise, the web server would forget all about you after each request, and you wouldn’t be able to shop for anything. (The horror!) Session cookies generally expire after a certain amount of inactivity, which is why you have to log in again the next day.

Other “good cookies,” like the one that remembers your name, can also help the web server remember settings and preferences that you chose with the site. Authentication cookies are used by web sites that require you to log in with a user name and password, and enable you to browse through a site without having to retype your password on every page. Authentication cookies generally store your login credentials in an encrypted form.

A “bad cookie” is, of course, a relative term; it depends on your perspective. The variety of cookie known as a tracking cookie is viewed with deserved suspicion because it can be used to compile your browsing history and share it with people you don’t know. Generally, these cookies are served to your browser as a result of third-party advertisements on a web page. When an advertiser gives you cookies from different web sites you visit that contain that advertiser’s ads, those cookies can tell the advertiser what sites you’ve visited, enabling the advertiser to target advertising to you based on your browsing habits. Advertisers love this, but you might find it a bit unnerving.

Although cookies themselves cannot contain viruses or other malware, certain vulnerabilities in cookies and browsers can be exploited by hackers to, for example, steal your authentication cookies and the login credentials they contain. Browser developers usually patch browser-related vulnerabilities as soon as they are found, and developers for web sites are usually careful to program their cookies so as to mitigate the possibility of hacking.

Protecting Yourself from Bad Cookies

If you don’t like the idea of advertisers tracking your browsing habits, you can turn on your browser’s “Do Not Track” mechanism, which tells web sites not to place tracking cookies. However, there is no law or standard that requires sites to respect your preferences, and this setting may block some cookies that are actually useful.

Some browsers have a “private browsing” mode that blocks all cookies. You can also set your browser to always block cookies (whether in “private browsing” mode or not), but this will certainly block the useful cookies as well as the bad ones.

In any case, it’s a good idea to clear your cookies once in a while, because they do accumulate. Some browsers let you pick and choose which cookies to delete.

So be a smart cookie, and toss your cookies (to coin a phrase) occasionally. Cookie Monster won’t mind; he can’t eat them anyway.