WWW FAQs: What are HTTP "cookies?"

2006-07-26: A "cookie" is a small piece of information that a website stores on your computer. When you visit a website, that website can try to store a small amount of information on your computer. If your computer accepts the cookie, then your web browser will keep sending the cookie back to the website every time you access it.

Cookies are used for two main purposes: session management and long-term user identification.

Cookies and Session Management

Some websites require users to log in to access certain features. The website behaves differently depending on who is logged in. Everything that happens between logging in to the website and logging out is called a "session." Two good examples you might be familiar with are MySpace and LiveJournal. Once you log in, the website has to keep track of who you are at all times, so that it can show you your personal pages, not someone else's.

Websites can do this in three ways:

1. The website can keep track of who you are by placing a special identifier in every single URL on the site. But that makes the programming of the site painful and creates URLs that only work for one user. It's also tricky to make those URLs work again later if the user bookmarks them.

2. The website can use HTTP authentication, an "old-fashioned" way of forcing users to log in to a website. But while HTTP authentication works, the browser doesn't give the designer any control over the appearance of the logon prompt, and there's no way to create a "log out" button. Also, it's not very secure - your password goes out again with every single request sent to the web server. So most designers don't use HTTP authentication, except for simple internal sites.

3. The website can simply set a cookie when you first log in. After that, every request from your web browser contains the cookie, and the website can just look at the cookie to confirm that you are who you say you are. No ugly links or broken bookmarks required. And since the cookie can be generated at random and deleted from the server after, let's say, 24 hours, it's much more secure than the second method.

Cookies like these usually last only for your current "session" of using your computer. Most websites also offer a "Log Out" button that will delete the cookie right away.

"Session cookies" like these are both harmless and useful, and it's generally a good idea for your web browser to accept them. Security and privacy are real concerns, but refusing to accept any cookies is too drastic. Many useful websites won't work without session cookies.

Cookies and Long-Term User Identification

The other type of cookie is a user identification cookie. This is a bit like a session cookie, except that it is not deleted at the end of your computer session. Many websites set such permanent cookies as a convenience to save you the trouble of logging in again every time you visit the site.

This isn't a terrible idea - as long as your computer is private. You don't want that on a public computer! That's why most sites make it an optional checkbox on the login page.
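The session cookie from method 3 and the optional "remember me" cookie described above can be sketched as follows. This is an added example, not code from the original FAQ; the cookie name "sid", the function names and the in-memory session table are assumptions chosen for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 24 * 60 * 60   # the server forgets a session after 24 hours
_sessions = {}               # token -> (username, expiry time); hypothetical in-memory store

def login(username, remember=False, now=None):
    """Create a server-side session and return the Set-Cookie header value."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)           # random, contains no user data
    _sessions[token] = (username, now + SESSION_TTL)
    cookie = SimpleCookie()
    cookie["sid"] = token
    cookie["sid"]["path"] = "/"
    cookie["sid"]["httponly"] = True            # not readable by page scripts
    cookie["sid"]["secure"] = True              # only sent over HTTPS
    cookie["sid"]["samesite"] = "Lax"
    if remember:                                # the optional login-page checkbox
        cookie["sid"]["max-age"] = SESSION_TTL  # persistent: survives closing the browser
    return cookie["sid"].OutputString()         # no Max-Age means a session cookie

def _token_from(cookie_header):
    """Extract the sid value from a Cookie request header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar["sid"].value if "sid" in jar else None

def current_user(cookie_header, now=None):
    """Return the logged-in username, or None for unknown or expired tokens."""
    now = time.time() if now is None else now
    token = _token_from(cookie_header)
    entry = _sessions.get(token)
    if entry is None:
        return None                             # missing, forged or logged out
    username, expires = entry
    if now >= expires:
        del _sessions[token]                    # expired: delete on the server
        return None
    return username

def logout(cookie_header):
    """Delete the session on the server and tell the browser to drop the cookie."""
    _sessions.pop(_token_from(cookie_header), None)
    return "sid=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax"
```

Because the token is deleted on the server at logout or expiry, a copy of the cookie left behind in a browser stops working even if the browser never removes it.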

Other websites set permanent cookies as a way to keep track of your identity, even though they don't require users to log on. That means that even though the people running the site might not know your real name, they do know your habits.

When sites that don't require you to log on share cookie data with sites that do, they can build a complete picture of what you do on the Internet. And that's not good for your personal privacy.

That's why you may prefer to set your browser to store session cookies only, and reject cookies if the website insists on storing them for longer periods of time. For more information, see How do I configure my web browser to accept or reject cookies?

Legal Note: yes, you may use sample HTML, Javascript, PHP and other code presented above in your own projects. You may not reproduce large portions of the text of the article without our express permission.
