Don’t Fear The “Cookies” Monster

Cookies became the Bogeyman of the 21st century for websites and their visitors. What is so threatening about these small pieces of data and should we really fear them? After reading this article you will be equipped with actionable knowledge about cookies that will allow you to sleep peacefully at night.

What is a cookie?

“A cookie is a small, flat, sweet, baked good, usually containing flour, eggs, sugar…” [Wikipedia]

These are the sweet cookies we love. Today we’re going to talk about the tougher web cookies and how to deal with them. According to Wikipedia, a cookie is a small piece of data sent by a website and stored in the user’s web browser while the user is browsing that site. Every time the user loads a page of the website, the browser sends the cookie back to the server, which is how the server recognizes the user’s previous activity.

In other words, a cookie is the mechanism that lets an otherwise stateless protocol (HTTP) remember something about a visitor between requests: who is logged in, what is in the cart, which language was chosen. Websites use this for different purposes, most often session handling, analytics, advertising, localization, or improving the site’s performance.

Types of cookies and how to use them

There are several types of cookies that serve different purposes. As a website owner, it is important to know them in order to create a transparent cookie policy and to comply with local law. As a visitor, you may also use this information to understand what kind of data sites collect. Below is some cookie knowledge:

Session cookies

Also known as in-memory or transient cookies. They are temporary and are erased when you close the browser; the next time you visit the website the browser will not recognize you and will treat you as a new visitor. What makes them different from other cookies is that they carry no Expires or Max-Age attribute, which is how the browser knows to treat them as session cookies. One caveat: browsers that restore the previous session on startup (for example Chrome’s “continue where you left off” setting) keep session cookies across restarts, so “until the browser closes” is not a reliable upper bound on a session cookie’s lifetime.

How they are used: Websites use session cookies to make sure the user is recognized when moving from one page to another. E-commerce sites use session cookies to remember what you placed in your shopping cart. Otherwise, the items placed in a shopping cart would disappear by the time you reach checkout. [AllAboutCookies.org]

Persistent cookies

Sometimes loosely called tracking cookies, persistent cookies remain until you erase them or they expire. Unlike session cookies, they stay in your browser for as long as the Expires or Max-Age attribute set by their creator says, which means their contents are transmitted to the server every time the user visits the website, or every time the user views a resource belonging to that website, e.g. an advertisement embedded on another site.

How they are used: Persistent cookies help you improve your website’s user experience and provide personalized content. For example, users do not have to log in again, and the site can remember the language a user chose and serve content in that language on future visits. They can also be used by advertisers, as they can collect data about the user’s browsing habits over an extended period of time. Note that a persistent “remember me” cookie is a long-lived bearer credential: anyone who obtains it can use it until it expires, so keep such cookies short-lived, tie them to a server-side record you can revoke, and set the Secure and HttpOnly flags described below.

Secure cookies

These can only be transmitted over an encrypted connection (i.e. HTTPS). This makes the cookie less likely to be exposed to theft via eavesdropping on the network. The flag protects confidentiality in transit only: historically it did not stop an attacker on a plaintext HTTP connection to the same host from overwriting a Secure cookie with one of the same name, which is why current browsers refuse to let http:// responses overwrite Secure cookies, and why the __Secure- and __Host- cookie name prefixes exist.

How they are used: Like any other cookie, they let web applications store information about selected items, user preferences, registration information, and similar data for later retrieval; the difference is that the browser will only send them over a safe protocol, e.g. HTTPS. Any cookie that carries a session identifier or other credential should have the Secure flag set.

HttpOnly cookies

Sent by the browser in HTTP (or HTTPS) requests like any other cookie, but not accessible through non-HTTP APIs such as JavaScript’s document.cookie. This restriction removes the easiest payoff of cross-site scripting (XSS), reading the session cookie and sending it elsewhere, while leaving the threats of cross-site tracing (XST) and cross-site request forgery (CSRF) intact. It is a mitigation, not a fix: an XSS payload running in the page can still issue requests that carry the cookie and act as the user.

How they are used: HttpOnly limits access to the cookie to the HTTP protocol only. Using the Secure and HttpOnly flags together limits the potential damage many cross-site scripting attacks can cause, specifically attacks that target cookie data. Set both on session cookies, and pair them with a SameSite attribute to address the CSRF exposure that HttpOnly leaves open.

Third-party cookies

Put simply, cookies that belong to a domain other than the one shown in the web browser’s address bar, i.e. set by a site other than the one you are visiting. For example, if you visit getresponse.com and the domain of the cookie placed on your computer is getresponse.com, then this is a first-party cookie. However, if you visit getresponse.com and the domain of the cookie is basicanalytics.com, then this is a third-party cookie. Most browsers, e.g. Google Chrome, Mozilla Firefox, Safari and IE, have settings that allow users to block third-party cookies.

How they are used: Third-party cookies are usually used for analytics and advertising. By placing the same cookie on many websites, advertising companies can track users across the web and serve ads based on their browsing behavior.

Supercookies

Cookies whose Domain attribute is a top-level domain, e.g. .com, or another Public Suffix, e.g. .co.uk, rather than a specific domain name as with ordinary cookies. A cookie scoped that widely would be sent to, and could be overwritten by, every site under that suffix, so browsers consult the Public Suffix List and reject such cookies as a security concern.

How they are used: The name is also used more loosely for tracking identifiers kept outside the ordinary cookie jar. Originally these were Flash cookies (Local Shared Objects); with the development of technology it is possible to track users via other techniques, e.g. HTML5 local and session storage. They are used mainly by advertisers.

Zombie cookies

Automatically recreated after being deleted, with the help of a client-side script. The script starts by storing the cookie’s content in multiple locations, such as Flash local storage (historically), HTML5 storage, and other client-side storage locations. When the script detects the cookie’s absence, it recreates the cookie from the data stored in those locations. Deleting the cookie alone therefore does not remove the identifier; every copy has to go.
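To make the respawn loop concrete, here is an added example (my own code, not from the original article or any tracking library) that models it against Web Storage-style objects with getItem/setItem/removeItem. The cookie jar and backup stores are Map-backed stand-ins and the identifier is constructed; the step to take away is the last one, where only clearing every store keeps the identifier gone.

```javascript
// Added example, not code from the original article: the respawn loop described
// above, written against Web Storage-style objects (getItem/setItem/removeItem).
// In a browser the backups can be the real localStorage and sessionStorage; the
// cookie jar needs a small adapter over document.cookie (assumed, not shown).
// Here everything is a Map-backed stand-in so the file runs under Node.js.
function makeStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Tracker side: if the cookie is missing, recover the identifier from any
// surviving copy, then write it back everywhere so every copy is fresh again.
function respawn(cookieJar, backups, name) {
  let id = cookieJar.getItem(name);
  for (let i = 0; id === null && i < backups.length; i++) {
    id = backups[i].getItem(name);
  }
  if (id === null) return null;              // no copy anywhere: genuinely new visitor
  cookieJar.setItem(name, id);
  for (const store of backups) store.setItem(name, id);
  return id;
}

// Defender side: the identifier only stays gone if every copy goes.
function purge(cookieJar, backups, name) {
  cookieJar.removeItem(name);
  for (const store of backups) store.removeItem(name);
}

// Walk through the failure mode: clearing cookies alone does not help.
function demo() {
  const jar = makeStore();                     // stands in for document.cookie
  const backups = [makeStore(), makeStore()];  // stands in for localStorage, sessionStorage, ...
  jar.setItem("uid", "visitor-7");             // constructed identifier
  respawn(jar, backups, "uid");                // first page load fans the copies out

  jar.removeItem("uid");                       // user clears cookies only
  const afterCookieClear = respawn(jar, backups, "uid");   // "visitor-7" is back

  purge(jar, backups, "uid");                  // clear every store
  const afterPurge = respawn(jar, backups, "uid");         // null: stays gone
  return { afterCookieClear, afterPurge };
}

console.log(demo());
```

Run it with node. The respawn and purge functions work unchanged in a browser if you pass window.localStorage and window.sessionStorage as the backups and wrap document.cookie in an object exposing the same three methods.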

What cookies do I use on my website?

If you’re not sure what cookies your website currently sets, you can easily check with free browser extensions such as Cookie Inspector (Chrome), Cookies Manager+ (Mozilla Firefox), or Safari Cookies (Safari). The browser’s own developer tools show the same information without an extension (the Application panel in Chrome, the Storage panel in Firefox), including each cookie’s Secure, HttpOnly and SameSite flags and its expiry.

[Screenshot: Cookie Inspector in Chrome, showing the cookies set while browsing Amazon]
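The same check can be scripted. The following is an added example (not part of the original article or of any of the extensions above) that takes raw Set-Cookie header lines, as copied from the Network panel or from a `curl -i` run, and classifies each one along the lines of the types described above: session or persistent, first- or third-party, a rejected supercookie attempt, and whether the Secure, HttpOnly and SameSite flags are present. The sample headers, the hostnames and the five-entry public-suffix table are constructed for the demo; the function names are this example’s own.

```javascript
// Added example, not code from the original article: classify raw Set-Cookie
// header lines the way a browser does. Plain Node.js, no dependencies.

// Assumption: a tiny stand-in for the Public Suffix List. A real audit should load
// the full list from https://publicsuffix.org/list/public_suffix_list.dat.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "github.io"]);

// Registrable domain ("eTLD+1") of a host: one label above the longest public suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return host.toLowerCase();
}

// Parse one Set-Cookie line into name, value and the attributes that matter here.
// Unknown attributes are ignored, as browsers ignore them.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? "" : pair.slice(0, eq).trim(),
    value: eq === -1 ? pair : pair.slice(eq + 1).trim(),
    domain: null, expires: null, maxAge: null,
    secure: false, httpOnly: false, sameSite: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val.toLowerCase();
    else if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "expires") cookie.expires = val;
    else if (key === "max-age") cookie.maxAge = Number(val);
  }
  return cookie;
}

// Classify one parsed cookie. `setBy` is the host whose response carried the
// header, `pageHost` the site in the address bar, `now` the audit time.
function classify(cookie, setBy, pageHost, now) {
  const findings = [];
  // Session vs persistent: only Max-Age or Expires make a cookie persistent,
  // and Max-Age takes precedence over Expires (RFC 6265 section 5.3).
  let kind = "session";
  if (cookie.maxAge !== null && !Number.isNaN(cookie.maxAge)) {
    kind = cookie.maxAge > 0 ? "persistent" : "expired";
  } else if (cookie.expires !== null) {
    const t = Date.parse(cookie.expires);
    if (!Number.isNaN(t)) kind = t > now.getTime() ? "persistent" : "expired";
  }
  // First vs third party: compare the registrable domains of setter and page.
  const thirdParty = registrableDomain(setBy) !== registrableDomain(pageHost);
  // Domain attribute checks a browser performs before storing the cookie.
  if (cookie.domain !== null) {
    if (PUBLIC_SUFFIXES.has(cookie.domain)) {
      findings.push("rejected: Domain is a public suffix (supercookie attempt)");
    } else if (!(setBy === cookie.domain || setBy.endsWith("." + cookie.domain))) {
      findings.push("rejected: Domain does not cover the setting host");
    }
  }
  // Transport, script exposure and cross-site sending.
  if (!cookie.secure) findings.push("missing Secure: sent over plaintext HTTP");
  if (!cookie.httpOnly) findings.push("missing HttpOnly: readable via document.cookie");
  if (cookie.sameSite === null) {
    findings.push("SameSite not set: browser default varies, set it explicitly");
  } else if (cookie.sameSite === "none") {
    findings.push(cookie.secure
      ? "SameSite=None: sent on cross-site requests, CSRF must be handled elsewhere"
      : "rejected: SameSite=None requires Secure");
  }
  return { name: cookie.name, kind, thirdParty, findings };
}

// Audit {setBy, header} records collected while loading `pageHost`.
function auditCookies(records, pageHost, now = new Date()) {
  return records.map((r) => classify(parseSetCookie(r.header), r.setBy, pageHost, now));
}

// Constructed sample (not captured from any real site): a page on www.example.com
// that embeds an ad from ads.tracker.co.uk.
const SAMPLE = [
  { setBy: "www.example.com", header: "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { setBy: "www.example.com", header: "lang=en; Path=/; Max-Age=31536000" },
  { setBy: "ads.tracker.co.uk",
    header: "uid=42; Domain=.tracker.co.uk; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Secure; SameSite=None" },
  { setBy: "ads.tracker.co.uk", header: "super=1; Domain=.co.uk; Max-Age=86400" },
];

const REPORT = auditCookies(SAMPLE, "www.example.com", new Date("2015-01-01T00:00:00Z"));
for (const r of REPORT) console.log(r.name, r.kind, r.thirdParty ? "third-party" : "first-party", r.findings);
```

The flag findings are informational: a language preference does not need HttpOnly, but a session identifier does, so read the report against what each cookie is for. For a real audit, replace PUBLIC_SUFFIXES with the full Public Suffix List and feed in the Set-Cookie headers from every response loaded by the page, not just the main document.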

Why do I need to add cookies notification on website?

In many countries, especially in Europe, the use of website cookies triggers an obligation to comply with certain legal requirements. Some laws require that you provide detailed information about how you use cookies and obtain the visitor’s clear, prior consent to use them.

According to EU cookie legislation (considered among the strictest) a website owner must obtain prior informed consent to access or store information on the user’s computer, phone, tablet, or other device.

To comply with cookie laws, you are usually required to:

  1. Determine what kind of cookies the website will set and how you will use them.
  2. Inform visitors that you set cookies, why you set them, and what they do, and then obtain their consent for such use.

Location and content of my cookies notification

Below is a sample cookies notification message that might be appropriate for your website if you are using tools such as Google Analytics. This example is taken from one of the landing pages created with GetResponse Landing Pages, which offers a built-in, easy-to-customize cookies notification module that you can add to your landing page with a single click. For more information about cookies notification, read this article.

[Screenshot: cookie notification bar on a GetResponse landing page]

Your cookies notification should also include a link to your Cookie Policy and a confirmation button. The Cookie Policy should include information about which cookies your website uses and how you use them.

Here are some free Cookie Policy generators that are worth considering:

Remember that you’ll need to adjust this message to match your specific uses of cookies and other information.

The cookie bar can be placed on top or bottom of your site, depending on laws that apply to your use of cookies.

Example of cookies notification message:

“This website uses cookies

We use cookies to make sure that our website works correctly and that you have the best experience possible. We also use cookies for basic analytics to help us improve the site. More info >”

Do EU websites comply with the cookie law?

From 15-19 September 2014, the Article 29 Working Party, in partnership with the national regulators responsible for enforcing Article 5(3) of the ePrivacy Directive 2002/58/EC, conducted an audit known as the EU Cookie Sweep of up to 478 websites in the e-commerce, media and public sectors across eight member states.

Here are some of the Sweep’s most interesting findings:

  • 26% of websites do not provide any notification about the use of cookies,
  • 70% of the 16,555 cookies recorded were third-party cookies,
  • Over 50% of the third-party cookies were set by just 25 third-party domains,
  • Only 50% of websites that inform about their use of cookies request consent,
  • Only 16% of the sites give users a granular level of control to make their cookie choices freely and refuse the use of cookies.

Fun fact:

  • The expiration dates for cookies are often exaggerated. The audit found some that will not expire until December 31, 9999, which is almost 8,000 years from now!

Cookie threats

As of 26 May 2012, the UK and other European countries began enforcing laws regarding cookies. Under Polish law, the fine for not complying with the cookie law can reach up to 3% of the penalized party’s revenue in the preceding calendar year.

Conclusion

After reading this article you should no longer be afraid of cookies. Landing page builders such as GetResponse Landing Pages offer a built-in cookies notification bar that you can add to your page with one click. There are several free solutions on the web that will allow you to create a Cookie Policy. If you’re not sure whether you have control over your cookies, simply read this article again and check whether you have addressed all the points above.

Have any questions or thoughts on the web cookies? Share in the comments below!