Cookies: Back to Basics
12 Mar 2017 » MSA
I must admit it: I love cookies. I can eat one cookie pack in a couple of days. Therefore, I try to keep my kitchen free of cookies. However, this is not what I am going to explain here. Today I am going to take a step back and, instead of advanced topics, I want to review a basic concept: cookies. I know most of you know fairly well what cookies are. However, if you are still trying to get your head around cookies, I recommend you keep on reading. You might also find useful ideas to explain cookies to other people.
What are Cookies
The first thing to review is what cookies really are. They are pieces of text that a browser stores, related to a website. I remember, back in the 90’s, people believing that cookies contained viruses or other evil code. A friend of mine had an application to continuously remove any cookies from Internet Explorer, as he thought they could infect his precious computer. As I have just said, cookies only contain text, and generally only a few characters. They cannot be executed the way an application can.
In fact, you can review their contents very easily. Browsers offer tools to inspect them, and there are also a number of browser extensions. In Chrome, you just need to open the Developer Tools (CTRL + Shift + I) and click on the “Application” tab.
All cookies must be stored under a domain. A browser will reject a cookie that is not stored under a domain. Most importantly, the browser will read or write the cookies of a domain only when accessing that domain. In other words, cookies stored under pedromonjo.com can only be accessed by the website at pedromonjo.com.
Finally, it is worth noting that browsers do not share cookies among them in the same computer: each of them has its own private cookie jar.
1st vs 3rd Party Cookies
I am sure you have heard these concepts before. In this section, I want to make sure you understand them.
So, what are these cookies?
- 1st party cookies. Cookies which are stored under the domain of the web page you are viewing, that is, the domain which appears in the browser address bar.
- 3rd party cookies. Cookies stored under a different domain than that of the web page.
You may be wondering: how can a foreign domain set cookies on my website? Have I not stated that browsers prevent accessing cookies under other domains? It is definitely possible. To see how, you need to know that there are two ways of setting a cookie:
By default, Safari browsers reject setting any 3rd party cookie.
Example of 1st/3rd Party Cookies
Let’s follow an example, which usually helps. Consider this website (pedromonjo.com) and my colleague Jan Exner’s website (webanalyticsfordevelopers.com). I could include in my website a reference to an image in Jan’s website. So, while you are browsing my website, your browser will fetch all the contents from pedromonjo.com, except for that image under webanalyticsfordevelopers.com. In your browser’s address bar, though, you will only see pedromonjo.com.
How does this setup affect cookies?
- My server will be able to read and write cookies only under pedromonjo.com.
- Jan’s server will be able to read and write cookies only under webanalyticsfordevelopers.com.
In this scenario, cookies under pedromonjo.com are 1st party cookies and cookies under webanalyticsfordevelopers.com are 3rd party cookies.
There are a few other properties of cookies worth knowing:
- Expiration. Cookies can be set to expire at the end of the session (i.e. when you close the browser), at a precise date and time or after a precise number of seconds. After a cookie expires, it is deleted permanently.
- Secure. These cookies will only be sent to the server when using HTTPS.
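The two-site scenario and the properties above can be modelled as a small browser cookie jar. This is an added example, not code from the original post: the CookieJar class, its method names, the image.png path and the cookie names and values are constructed for illustration, and it assumes exact-host matching only.

```javascript
// Simplified model of a browser cookie jar: exact-host matching only
// (no Domain/Path attributes). Names and sample values are constructed.
class CookieJar {
  constructor({ blockThirdParty = false } = {}) {
    this.blockThirdParty = blockThirdParty; // models the Safari default
    this.store = new Map();                 // host -> Map(name -> cookie)
  }

  // 1st party: the host setting the cookie is the one in the address bar.
  static party(pageHost, requestHost) {
    return pageHost === requestHost ? "1st" : "3rd";
  }

  // A response from `url` sets a cookie while `pageHost` is in the address bar.
  set(pageHost, url, name, value, { maxAge = null, secure = false } = {}, now = Date.now()) {
    const { hostname } = new URL(url);
    const party = CookieJar.party(pageHost, hostname);
    if (party === "3rd" && this.blockThirdParty) return "rejected";
    const expires = maxAge === null ? null : now + maxAge * 1000; // null = session
    if (!this.store.has(hostname)) this.store.set(hostname, new Map());
    this.store.get(hostname).set(name, { value, expires, secure });
    return party;
  }

  // Cookies attached to a request for `url`: only those stored under its host.
  cookiesFor(url, now = Date.now()) {
    const { hostname, protocol } = new URL(url);
    const hostJar = this.store.get(hostname) ?? new Map();
    const sent = {};
    for (const [name, c] of hostJar) {
      if (c.expires !== null && c.expires <= now) { hostJar.delete(name); continue; }
      if (c.secure && protocol !== "https:") continue; // Secure: HTTPS only
      sent[name] = c.value;
    }
    return sent;
  }

  // Closing the browser ends the session and drops session cookies.
  endSession() {
    for (const hostJar of this.store.values())
      for (const [name, c] of hostJar) if (c.expires === null) hostJar.delete(name);
  }
}

// Browsing pedromonjo.com, which embeds an image from Jan's site.
const browser = new CookieJar();
const page = "pedromonjo.com";
console.log(browser.set(page, "https://pedromonjo.com/", "visits", "1", { maxAge: 60 }));
console.log(browser.set(page, "https://webanalyticsfordevelopers.com/image.png", "id", "abc"));
console.log(browser.cookiesFor("https://webanalyticsfordevelopers.com/image.png"));
```

Constructing the jar with `{ blockThirdParty: true }` makes the second `set` call return "rejected", which is the Safari default described earlier.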
In future posts, I will explain some use cases, which rely mainly on cookies.