DEV Community

BysonTech

Understanding Cookies from the Ground Up: Part 1 - Fundamentals and the Critical Difference between 1st and 3rd Party Cookies

When developing web applications, we often encounter challenges related to session management or tracking. Most of these issues trace back to gaps in the fundamental understanding of cookies.

  • "Why aren't my cookies being sent as expected?"
  • "Why does a cookie persist even after I try to delete it?"
  • "Why does the behavior change depending on the browser?"

To solve these problems, it is essential to revisit the basics of how cookies work. In this series, I will organize the fundamentals of cookies, specifically tailored for engineers. In this first part, we will cover the definition of cookies and the crucial distinction between 1st Party and 3rd Party Cookies.


What is a Cookie?

A Cookie is a small piece of data stored in the user's browser.

Since HTTP is a "stateless" protocol—meaning each request is independent and the server doesn't remember previous interactions—cookies play a vital role in maintaining state.

Key Roles of Cookies:

  1. Session Management: Keeping users logged in and managing shopping carts.
  2. Personalization: Saving user settings like dark mode or language preferences.
  3. Tracking: Identifying users across different pages or visits.

1st Party vs. 3rd Party Cookies

One of the most important concepts to understand in modern web development is the difference between these two types.

1. 1st Party Cookies

  • Definition: Cookies issued by the domain the user is currently visiting.
  • Example: If you are visiting example.com, any cookie issued by example.com is a 1st party cookie.
  • Characteristics: These are essential for core site functionality (e.g., login sessions) and face fewer restrictions from browsers.

2. 3rd Party Cookies

  • Definition: Cookies issued by a domain other than the one the user is currently visiting.
  • Example: While visiting example.com, an ad network script from ad-network.net issues its own cookie.
  • Characteristics: Traditionally used for cross-site tracking and advertising. However, they are now heavily restricted or blocked by most modern browsers (Safari, Firefox, and increasingly Chrome) due to privacy concerns.

Why the Distinction Matters

In the context of Risk-Based Authentication (RBA) or security design, understanding this difference is mandatory. You need to know:

  • Which browser is accessing the site?
  • Has this device been authenticated before?
  • Is the cookie consistent across the site?

To build robust systems, you should aim for designs that rely on secure 1st Party Cookies rather than unstable 3rd party ones.
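As an added example (not code from the original post), the following Node.js snippet shows how the 1st/3rd party decision from the previous section is made in practice: the site of the page the user is on is compared with the domain that issued the cookie, and a hardened 1st party session cookie header is built for the design recommended above. It goes slightly beyond the text in that subdomains of the same site (api.example.com on example.com) still count as 1st party. The public-suffix list, hostnames and cookie name are constructed assumptions.

```javascript
// Added example, not from the original post. A constructed subset of the
// Public Suffix List that real browsers use to find the "site" (eTLD+1).
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk']);

// Registrable domain (eTLD+1), e.g. "shop.example.co.uk" -> "example.co.uk".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i - 1).join('.');
  }
  return hostname.toLowerCase(); // no known suffix: treat the whole host as the site
}

// "first-party" when the host that set the cookie belongs to the same site as
// the top-level page; "third-party" otherwise (the case browsers now restrict).
function classifyCookie(topLevelUrl, issuingUrl) {
  const site = registrableDomain(new URL(topLevelUrl).hostname);
  const issuer = registrableDomain(new URL(issuingUrl).hostname);
  return site === issuer ? 'first-party' : 'third-party';
}

// Set-Cookie header for a site's own session cookie: Secure (HTTPS only),
// HttpOnly (no script access), SameSite=Lax (withheld from cross-site
// subrequests), Path=/ so it covers the whole site.
function sessionCookieHeader(name, value, maxAgeSeconds) {
  if (!/^[\w-]+$/.test(name)) throw new Error('invalid cookie name');
  const v = encodeURIComponent(value); // keeps ';' and control chars out of the header
  return `${name}=${v}; Max-Age=${maxAgeSeconds}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed scenarios mirroring the post: the user is on example.com.
const page = 'https://example.com/cart';
console.log(classifyCookie(page, 'https://example.com/api/session')); // first-party
console.log(classifyCookie(page, 'https://api.example.com/session'));  // first-party (same site)
console.log(classifyCookie(page, 'https://ad-network.net/pixel'));     // third-party
console.log(sessionCookieHeader('sid', 'a1b2c3', 3600));
```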


Summary of Part 1

  • Cookies are small data fragments stored in the browser.
  • They provide "state" to the stateless HTTP protocol.
  • 1st Party Cookies are issued by the site itself (essential for UX).
  • 3rd Party Cookies are issued by external domains (heavily restricted).

Understanding these basics is the prerequisite for diving into implementation and browser-specific behaviors.

What's Next?

In Part 2, we will explore "Browser Cookie Behavior" in more detail, including:

  • Where exactly does the browser store cookies?
  • When are they sent?
  • Differences between Chrome, Safari, and Edge.
