When you log into a website, close your browser, and return the next day still logged in—that's cookies. When your shopping cart remembers what you added last week—cookies. When ads follow you across the Internet knowing what you browsed yesterday—also cookies.
Cookies are small pieces of data that websites store on your computer. Your browser sends them back automatically with every request. This simple mechanism is what makes the modern web feel continuous rather than amnesiac.
The Problem Cookies Solve
HTTP was designed to forget. Every request arrives as if from a stranger. This is elegant for serving static pages—no state to track, no memory to corrupt. But it creates a problem: how do you stay logged in? How does a shopping cart persist? How does a website know you're the same person who was here five seconds ago?
Cookies are the answer. They give servers a way to leave a note on your computer that your browser will show them next time. The server says "remember this," your browser stores it, and every subsequent request includes that note.
How Cookies Work
When you visit a website, the server can include a Set-Cookie header in its response:
Your browser stores this and automatically includes it in future requests:
This happens invisibly. You never see it. Your browser handles the storage and transmission based on rules the server defines.
The Anatomy of a Cookie
Domain and Path control where the cookie is sent. A cookie whose Domain attribute is example.com goes to example.com and its subdomains; a cookie set without a Domain attribute goes only to the exact host that set it. The Path restricts it to specific URLs under that path.
Expires and Max-Age determine lifespan. Without these, the cookie dies when you close your browser—a session cookie. With them, the cookie persists—surviving browser restarts until it expires or you delete it.
Secure means HTTPS only. The cookie never travels over unencrypted connections where it could be intercepted.
HttpOnly means JavaScript can't touch it. The cookie exists only for HTTP communication, invisible to scripts running on the page.
SameSite controls cross-site behavior:
- Strict: Never sent with cross-site requests
- Lax: Sent with top-level navigations (following a link to the site) but not with embedded requests such as images, frames, or cross-site form posts
- None: Sent everywhere (requires Secure)
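As an added example, not part of the original article, here is a small Python model of the rules above: it parses a Set-Cookie header into the fields a browser keeps and then decides whether that stored cookie is attached to a given request. The function names (parse_set_cookie, will_send, cookie_header) are this example's own; it assumes a missing SameSite is treated as Lax, as Chromium does, and that Lax cookies accompany only top-level GET/HEAD navigations.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def parse_set_cookie(header_value, origin_host):
    """Keep the fields a browser stores from one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    (name, morsel), = jar.items()
    domain = morsel["domain"].lstrip(".")
    return {
        "name": name, "value": morsel.value,
        "domain": domain or origin_host,
        "host_only": not domain,  # no Domain attribute: exact host only, no subdomains
        "path": morsel["path"] or "/",
        "secure": bool(morsel["secure"]),
        # Assumption: a missing SameSite is treated as Lax, as Chromium does.
        "samesite": (morsel["samesite"] or "Lax").lower(),
    }

def domain_matches(cookie, host):
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])

def path_matches(cookie, path):
    # Path=/account covers /account and /account/... but not /accounts.
    p = cookie["path"]
    return path == p or path.startswith(p if p.endswith("/") else p + "/")

def will_send(cookie, url, cross_site=False, top_level_navigation=False, method="GET"):
    """Model the browser's decision to attach one stored cookie to a request."""
    u = urlsplit(url)
    if not domain_matches(cookie, u.hostname) or not path_matches(cookie, u.path or "/"):
        return False
    if cookie["secure"] and u.scheme != "https":
        return False  # Secure: never over plain HTTP
    if cookie["samesite"] == "none" and not cookie["secure"]:
        return False  # browsers reject SameSite=None without Secure, so it is never stored
    if cross_site and cookie["samesite"] == "strict":
        return False  # Strict: never on cross-site requests
    if cross_site and cookie["samesite"] == "lax":
        return top_level_navigation and method in ("GET", "HEAD")  # Lax: navigations only
    return True

def cookie_header(cookies, url, **request):
    """Build the Cookie request header the browser would send, or None."""
    sent = [f'{c["name"]}={c["value"]}' for c in cookies if will_send(c, url, **request)]
    return "; ".join(sent) or None
```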
First-Party vs. Third-Party
When you're on example.com and it sets a cookie, that's first-party. The site you're visiting is remembering something about you.
When you're on example.com but a cookie from analytics.com gets set through an embedded tracker, that's third-party. A site you didn't visit is remembering something about you.
This distinction matters enormously. First-party cookies enable your login and shopping cart. Third-party cookies enable cross-site tracking—following you across the web, building a profile of everywhere you've been.
What started as a feature for convenience became infrastructure for surveillance. Browsers are now actively restricting third-party cookies, trying to preserve the useful memory while eliminating the creepy kind.
What Cookies Enable
Sessions: You log in once, the server creates a session and hands you a session ID cookie. Every subsequent request proves you're still you. Without this, you'd log in on every page load.
Preferences: Language selection, dark mode, dashboard layout. Cookies remember so you don't have to reconfigure on every visit.
Shopping carts: Add items, close your browser, come back tomorrow. The cart persists because a cookie told the server what to hold.
Analytics: Which pages you visit, how long you stay, where you came from. This helps sites improve—and also feeds the tracking ecosystem.
Security: Why Those Attributes Matter
Every security attribute on a cookie exists because someone found a way to exploit its absence.
Without Secure: Your session cookie travels over unencrypted HTTP. Anyone on the same WiFi network can read it, steal your session, become you.
Without HttpOnly: A cross-site scripting attack injects JavaScript that reads document.cookie and sends your session to an attacker. You notice nothing; they're now logged in as you.
Without SameSite: A malicious site embeds a request to your bank. Your browser helpfully attaches your banking cookies. The attacker just transferred money using your authenticated session. This is cross-site request forgery (CSRF).
The attributes aren't bureaucratic checkboxes. Each one closes a specific attack vector.
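The check a defender would run over a site's responses, as an added example that is not part of the original article: it parses each Set-Cookie header and reports which of the three attributes above is missing, plus the invalid SameSite=None without Secure combination. The function names (audit_set_cookie, audit_response_headers) and the sample headers are constructed for this example; it treats every cookie as if it carried a session, so HttpOnly is always expected.

```python
from http.cookies import SimpleCookie

def audit_set_cookie(header_value):
    """Return (cookie, code, why) findings for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, m in jar.items():
        secure, httponly = bool(m["secure"]), bool(m["httponly"])
        samesite = m["samesite"].lower()
        if not secure:
            findings.append((name, "missing-secure",
                             "sent over plain HTTP; readable by anyone on the network path"))
        if not httponly:
            findings.append((name, "missing-httponly",
                             "readable via document.cookie by injected script (XSS)"))
        if not samesite:
            findings.append((name, "missing-samesite",
                             "relies on the browser default; set Lax or Strict to block cross-site requests (CSRF)"))
        elif samesite == "none" and not secure:
            findings.append((name, "none-without-secure",
                             "SameSite=None requires Secure; browsers reject this cookie"))
    return findings

def audit_response_headers(headers):
    """Audit every Set-Cookie header in a response given as (name, value) pairs."""
    out = []
    for k, v in headers:
        if k.lower() == "set-cookie":
            out.extend(audit_set_cookie(v))
    return out

# Constructed sample response headers: one weak session cookie, one hardened cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=abc123; Path=/"),
    ("Set-Cookie", "csrf=t0k; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for cookie, code, why in audit_response_headers(SAMPLE_HEADERS):
        print(f"{cookie}: {code}: {why}")
```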
Privacy and Consent
Third-party tracking cookies triggered regulations. The EU's GDPR and California's CCPA require websites to ask before setting non-essential cookies.
This is why every website now shows a consent banner. Essential cookies—the ones that make the site work—don't require consent. Analytics, advertising, tracking—those need your permission.
The law caught up to the technology. Whether the enforcement is meaningful is another question.
Limitations
Cookies are intentionally small:
- Maximum of about 4 KB per cookie
- Browsers must support at least 50 cookies per domain
- Browsers must support at least 3,000 cookies in total
These limits exist because cookies travel with every request. Large cookies mean slower browsing. If you need to store substantial data client-side, use Local Storage or IndexedDB instead.
The Web Remembering and Forgetting
Cookies solved the amnesia built into HTTP. They gave the stateless web a memory. This enabled authentication, personalization, commerce—the interactive web we take for granted.
But memory can be invasive. Third-party cookies turned remembering into surveillance. Now browsers are teaching the web to forget again, selectively—preserving the first-party memory that makes sites work while blocking the third-party tracking that follows you everywhere.
The technology is simple: small text files, automatically transmitted. The implications—for usability, security, and privacy—are anything but.