Ever since the E.U. voted to bring in compulsory cookie warnings in 2012, the small browser-based files have never been far from people’s minds.
But not all cookies are born equal. In fact, there are lots of different types of cookies out there. Some are good, some are bad. Let’s take a closer look.
1. Session Cookies
Imagine trying to shop on Amazon if you couldn’t fill your cart until you were ready to check out. You’d have to remember all the items you wanted to buy as you browsed the site.
Without session cookies, that situation would be a reality.
It’s easiest to think of session cookies as a website’s short-term memory. They let sites recognize you as you move from page to page within their domain. Without the session cookies, you’d be treated as a new visitor every time you clicked on a new internal link.
They do not collect any information about your computer, and they contain no personally identifiable information that can link a session to a particular user.
Session cookies are temporary; when you close your browser, your computer will automatically delete them all.
2. First-Party Cookies
Also known as persistent cookies, permanent cookies, and stored cookies, first-party cookies are akin to a website’s long-term memory. They help sites to remember your information and settings when you revisit them in the future.
Without these cookies, sites would not be able to remember your preferences such as menu settings, themes, language selection, and internal bookmarks between sessions. With first-party cookies, you can make those selections on your first visit and they will be consistent until the cookie expires.
Most persistent cookies expire after one or two years. If you do not visit the site within the expiration time frame, your browser will delete the cookie. You can also remove them manually.
First-party cookies also play an important role in user authentication. If you were to disable them, you would need to re-enter your login credentials every time you visited a page.
On the downside, companies can use persistent cookies to track you. Unlike session cookies, they do record information about your browsing habits for the entire time that they are active.
3. Third-Party Cookies
Third-party cookies are the bad guys. They are the reason that cookies have such a bad reputation among internet users.
Let’s take a step back. In the case of first-party cookies, a cookie’s domain will match the domain of the site you’re visiting. A third-party cookie originates from a different domain.
Because it is not coming from the site you’re looking at, a third-party cookie is not providing any of the benefits of session cookies and first-party cookies that we just discussed.
Instead, it has one sole focus—to track you. The tracking can take many forms; the cookies can learn about your browsing history, online behavior, demographics, spending habits, and more.
Because of their ability to track, third-party cookies have become a favorite of advertising networks in a bid to drive up their sales and pageviews.
Today, most browsers provide a straightforward way of blocking third-party cookies. We strongly recommend that you take the necessary steps in your browser of choice.
If you’re using Chrome and want to block cookies, go to More > Settings > Advanced > Privacy and Security > Content Settings > Cookies > Block Third-Party Cookies.
4. Secure Cookies
The three types of cookies we’ve covered so far are the most well-known and the most common. But there are a few others you need to be aware of.
The first is a secure cookie. It can only be transmitted over an encrypted connection. Typically, that means HTTPS.
As long as the cookie’s “Secure” attribute is active, the user agent will not transmit the cookie over an unencrypted channel. Without the Secure flag, the cookie is sent in clear text and can be intercepted by unauthorized third parties.
However, even with the Secure flag, developers should not use a cookie to store sensitive information. In practice, the flag only protects a cookie’s confidentiality. A network attacker could overwrite secure cookies from an insecure connection. This is especially true if a site has both an HTTP and HTTPS version.
5. HTTP-Only Cookies
Secure cookies are often also HTTP-only cookies. The two flags work in tandem to help reduce a cookie’s vulnerability to a cross-site scripting (XSS) attack.
In an XSS attack, a hacker injects malicious code into trusted websites. A browser cannot tell that the script should not be trusted. Therefore, the script can access the browser’s data about the infected site, including cookies. A cookie marked HttpOnly is not exposed to client-side scripts, so an injected script cannot read it.
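To make the Secure and HTTP-only sections above concrete, here is an added example (not code from the original article) that audits Set-Cookie headers for both flags and classifies each cookie as session or persistent. It goes one step beyond the article by also checking the `__Host-` and `__Secure-` name prefixes from RFC 6265bis, which address the overwrite caveat noted for Secure cookies; the function names and sample headers are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers for the attributes discussed above.
// The header strings in SAMPLE_HEADERS are constructed, not captured traffic.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq < 0 ? "" : pair.slice(0, eq); // no "=" means a nameless cookie
  const cookie = { name, value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

function auditCookie(header) {
  const c = parseSetCookie(header);
  const a = c.attrs;
  const findings = [];
  // No Expires/Max-Age: the browser drops the cookie when it closes (session cookie).
  const lifetime = "expires" in a || "max-age" in a ? "persistent" : "session";
  if (!a.secure) findings.push("missing Secure: sent in clear text over HTTP");
  if (!a.httponly) findings.push("missing HttpOnly: readable by injected scripts");
  // Name prefixes (RFC 6265bis): the browser refuses the cookie unless it was
  // set with Secure from an HTTPS origin, so the name itself attests to that.
  if (c.name.startsWith("__Host-")) {
    if (!a.secure || a.path !== "/" || "domain" in a)
      findings.push("__Host- prefix requires Secure, Path=/ and no Domain");
  } else if (c.name.startsWith("__Secure-")) {
    if (!a.secure) findings.push("__Secure- prefix requires Secure");
  } else if (a.secure) {
    findings.push("no __Host-/__Secure- prefix: name does not attest a secure origin");
  }
  return { name: c.name, lifetime, findings };
}

const SAMPLE_HEADERS = [
  "cart=abc123; Path=/",
  "theme=dark; Max-Age=31536000; Secure; HttpOnly",
  "__Host-sid=9f2c; Path=/; Secure; HttpOnly",
];

for (const h of SAMPLE_HEADERS) {
  const r = auditCookie(h);
  console.log(`${r.name} [${r.lifetime}]`, r.findings.length ? r.findings : "ok");
}
```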
6. Flash Cookies
A Flash cookie is the most common type of supercookie. In case you’re not aware, a supercookie performs many of the same functions as a regular cookie, but it is more difficult to find and delete.
In the case of Flash cookies, developers use the Flash plugin to hide cookies from your browser’s native cookie management tools.
Flash cookies are available to all browsers (so using one browser for your credit card and one for downloading torrents would have negligible security benefits). They can hold 100KB of data compared to an HTTP cookie’s mere 4KB.
(We’ve written about supercookies and why they are dangerous if you would like to learn more.)
7. Zombie Cookies
A zombie cookie is closely tied to a Flash cookie. A zombie cookie can instantly recreate itself if someone deletes it. The recreation is possible thanks to backups stored outside a browser’s regular cookie storage folder—often as a Flash Local Shared Object or as HTML5 Web Storage.
The recreation relies on Quantcast technology. Because a Flash cookie stores a unique user ID in Adobe Flash Player’s storage bin, Quantcast can reapply it to a new HTTP cookie if the old one is removed.
Learn How to Manage Your Cookies
It’s important to realize that not all cookies are bad. Without them, the web would not be able to function in the way we have come to expect.