What Is a Cookie? A Clear Introduction from the Basics (Part 1)
A while ago, I worked on a project that introduced Risk-Based Authentication (RBA) — the mechanism that detects suspicious logins (such as foreign access or unusual behavior) and requires additional verification.
Before we could even design the authentication logic, we ran into a prerequisite concept: cookies.
To be honest, even after working with Java and React, I was in the familiar situation of “I kind of know what cookies are, but I can’t explain them clearly.”
No one on the team had a solid explanation either, so I decided to start by revisiting how cookies actually work from the ground up.
This article is for people who are at the same stage I was:
- What exactly is a cookie?
- Why do we need it in the first place?
I’ll focus only on the fundamentals.
What Is a Cookie?
In short, a cookie is a small piece of data that a website stores in your browser.
When a browser sends an HTTP request to a server, any cookies that server previously set for that site are automatically included in the request.
This allows the server to continuously recognize things like:
- Whether this user has visited before
- Whether the user is authenticated
- Which preferences or settings are in use
HTTP itself is stateless by design — it does not remember past requests.
Cookies are one of the primary mechanisms used to fill this gap.
Why Are Cookies Necessary?
Cookies serve many purposes, but their core roles can be summarized into two main ones.
1. User Identification
To distinguish authenticated users, cookies often store a session ID or a token identifier.
Without cookies, login information would be lost on every page transition.
The reason users can stay logged in is that cookies are automatically sent with each request.
2. Persisting User Preferences
Cookies are also used to remember user-specific settings such as:
- Dark mode
- Language preferences
- Partially completed forms
In other words, cookies exist to maintain state.
In the project I worked on, they were mainly used for the first purpose: authentication.
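The two roles above (recognising a returning user through a session ID, and remembering a preference) both come down to the same exchange: the server answers with Set-Cookie, the browser sends the value back in the Cookie header on later requests, and the server looks it up. The following is an added example, not code from the original article: a minimal model of a stateless server that recognises a returning browser only through the cookie it issued earlier. The function names (parseCookieHeader, buildSetCookie, handleRequest) and the request/response object shapes are this example's own, not any framework's API.

```javascript
// Added example, not code from the original article: a minimal model of a
// stateless HTTP server that recognises a returning browser only through the
// cookie it issued earlier. Function names (parseCookieHeader, buildSetCookie,
// handleRequest) are this example's own, not any framework's API.

// Parse an incoming "Cookie: sid=abc; theme=dark" request header.
function parseCookieHeader(header) {
  const jar = {};
  if (!header) return jar;
  for (const pair of header.split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;                      // ignore malformed fragments
    const name = pair.slice(0, eq).trim();
    const value = pair.slice(eq + 1).trim();
    if (name) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

// Build one Set-Cookie response header. The attributes are included only so
// the header is realistic; what they mean is the subject of Part 2.
function buildSetCookie(name, value, attrs = {}) {
  let header = `${name}=${encodeURIComponent(value)}`;
  if (attrs.path) header += `; Path=${attrs.path}`;
  if (attrs.maxAge !== undefined) header += `; Max-Age=${attrs.maxAge}`;
  if (attrs.httpOnly) header += "; HttpOnly";
  if (attrs.secure) header += "; Secure";
  if (attrs.sameSite) header += `; SameSite=${attrs.sameSite}`;
  return header;
}

// Session ids must be unguessable, so draw them from the Web Crypto API
// (global `crypto` in browsers and recent Node) rather than Math.random.
function randomSessionId() {
  const c = globalThis.crypto;
  if (!c || typeof c.getRandomValues !== "function") {
    throw new Error("no cryptographic random source available");
  }
  const bytes = c.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Everything the server remembers lives here, keyed by session id. Nothing
// about the client survives between requests except through this map and
// the cookie that carries the key.
function createSessionStore() {
  return new Map();
}

// One request in, one response out. HTTP itself gives no memory of the
// previous request; the Cookie header is the only link back to it.
function handleRequest(sessions, request, generateId = randomSessionId) {
  const cookies = parseCookieHeader(request.headers.cookie);
  const query = request.query || {};
  const setCookies = [];

  let session = sessions.get(cookies.sid);
  if (!session) {
    // First visit, or an id we do not know (expired, forged, or from
    // another server): issue a brand-new session instead of trusting it.
    const sid = generateId();
    session = { visits: 0 };
    sessions.set(sid, session);
    setCookies.push(buildSetCookie("sid", sid, {
      path: "/", httpOnly: true, secure: true, sameSite: "Lax",
    }));
  }
  session.visits += 1;

  // A preference cookie: kept for a year and readable by page scripts
  // (no HttpOnly) because the UI itself may want to apply the theme.
  if (query.theme) {
    setCookies.push(buildSetCookie("theme", query.theme, {
      path: "/", maxAge: 60 * 60 * 24 * 365, sameSite: "Lax",
    }));
  }
  const theme = query.theme || cookies.theme || "light";

  const headers = {};
  if (setCookies.length > 0) headers["Set-Cookie"] = setCookies;
  return { status: 200, headers, body: `visit #${session.visits}, theme=${theme}` };
}
```

Call handleRequest three times with the same store: the first call (no Cookie header) issues a fresh sid, the second call carrying that sid is counted as visit #2, and a call carrying an sid the store does not know is treated as a new visitor rather than trusted. The session cookie is HttpOnly because page scripts have no need to read it; the theme cookie is not, because the UI may.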
The Difference Between 1st-Party and 3rd-Party Cookies
When learning about cookies, you will almost always encounter the distinction between 1st-party cookies and 3rd-party cookies.
The difference is based on which domain issued the cookie.
1st-Party Cookies
Cookies issued by the site you are currently visiting.
Example:
If you are browsing example.com and its server returns a Set-Cookie header, that cookie is a 1st-party cookie.
Characteristics:
- Used for authentication and session management
- Few restrictions in modern browsers
- Essential for basic web application behavior
3rd-Party Cookies
Cookies issued by a domain different from the one you are visiting.
Example:
An advertising network like ad.example.net issuing its own cookie inside a page you’re viewing.
Characteristics:
- Traditionally used for ads and cross-site tracking
- Strongly restricted by most modern browsers
- Being phased out entirely (Chrome included, gradually)
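Whether a cookie is 1st- or 3rd-party is decided by comparing the site of the page with the site of the host that set the cookie, where "site" means the registrable domain (example.com, not www.example.com). Browsers resolve that with the Public Suffix List, which is what makes login.example.co.uk and tracker.other.co.uk different sites even though both end in co.uk. The following is an added example, not code from the original article: a classifier that applies this rule. KNOWN_PUBLIC_SUFFIXES is a constructed three-entry stand-in for the real list, and all function names are the example's own.

```javascript
// Added example, not from the original article: decide whether a cookie set
// by `settingHost` while the user is on `pageHost` is 1st- or 3rd-party.
// Browsers compare the "site" (registrable domain), which depends on the
// Public Suffix List; KNOWN_PUBLIC_SUFFIXES is a tiny constructed subset of
// that list, enough to show why the naive "last two labels" rule fails.
// All names here are the example's own.

const KNOWN_PUBLIC_SUFFIXES = new Set(["co.uk", "com.au", "github.io"]);

function normaliseHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// Registrable domain = the longest known public suffix plus one more label.
// Hosts whose suffix is not in the table fall back to the last two labels.
function registrableDomain(host) {
  const labels = normaliseHost(host).split(".");
  for (let i = 1; i < labels.length; i++) {
    if (KNOWN_PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.slice(-2).join(".");
}

function cookieParty(pageHost, settingHost) {
  return registrableDomain(pageHost) === registrableDomain(settingHost)
    ? "1st-party"
    : "3rd-party";
}

// For a page and the hosts of the resources it embeds, list which of them
// would be setting 3rd-party cookies: the ones most browsers now block by
// default and that an authentication design should not depend on.
function thirdPartyHosts(pageHost, embeddedHosts) {
  return embeddedHosts.filter((h) => cookieParty(pageHost, h) === "3rd-party");
}
```

With the fallback rule alone, shop.example.co.uk and tracker.other.co.uk would both reduce to co.uk and be wrongly classed as the same site; the suffix table corrects that. Note that browsers additionally treat the scheme as part of the site for SameSite purposes, so an http:// and an https:// origin of the same domain are not the same site; that detail is left out here.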
Why This Distinction Matters
In risk-based authentication, decisions are made based on signals such as:
- Which browser the request comes from
- Whether the same device has authenticated before
- When and where a cookie was issued
- Whether consistency is maintained within the same site
Cookie data is especially important for detecting suspicious behavior.
For this reason, systems are typically designed to rely on safe, controllable 1st-party cookies, while avoiding unnecessary dependence on 3rd-party cookies.
Understanding this distinction is a prerequisite for making sound design and implementation decisions later.
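To make the signals listed above concrete, here is an added example that is not part of the original article or the project it describes: a small function that compares an incoming login attempt against what the server recorded when it issued the 1st-party device cookie (browser, issue time, country, matching the "foreign access" case mentioned at the start) and decides whether additional verification is required. The record shape, the weights and the 90-day threshold are this example's own assumptions, not the project's policy.

```javascript
// Added example, not from the original article: turn the RBA signals above
// into a step-up decision. `record` is what the server stored when it issued
// the device cookie (constructed shape: userAgent, issuedAt, country) and is
// undefined when the request carried no cookie we recognise; `request` is the
// incoming login attempt. Weights and thresholds are assumed values.

const MAX_COOKIE_AGE_MS = 90 * 24 * 60 * 60 * 1000; // 90 days (assumed policy)

const RISK_WEIGHTS = {
  "unknown-device": 50,       // no cookie, or one we never issued
  "browser-mismatch": 50,     // cookie presented by a different browser
  "stale-device-cookie": 20,  // cookie older than the policy allows
  "location-change": 30,      // country differs from the one at issue time
};
const STEP_UP_THRESHOLD = 50;

function assessLoginRisk(request, record, now = Date.now()) {
  const reasons = [];

  if (!record) {
    reasons.push("unknown-device");
  } else {
    if (record.userAgent !== request.userAgent) {
      reasons.push("browser-mismatch");
    }
    if (now - record.issuedAt > MAX_COOKIE_AGE_MS) {
      reasons.push("stale-device-cookie");
    }
    if (record.country !== request.country) {
      reasons.push("location-change");
    }
  }

  // An unknown device or a browser mismatch alone is enough to step up;
  // a location change or a stale cookie alone only raises the score, but
  // together they cross the threshold.
  const score = reasons.reduce((sum, r) => sum + RISK_WEIGHTS[r], 0);
  return { score, reasons, requireStepUp: score >= STEP_UP_THRESHOLD };
}
```

Every signal here is derived from a cookie the site itself issued and the request that carried it, which is the practical reason the text recommends relying on 1st-party cookies: a 3rd-party cookie may be blocked or missing for reasons that have nothing to do with the user's risk, which would make "unknown-device" fire for legitimate users.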
Summary
- Cookies are small pieces of data stored in the browser
- HTTP is stateless, so cookies enable state management
- Cookies are widely used for authentication, preferences, and user identification
- 1st-party cookies are issued by the site itself
- 3rd-party cookies are issued by external domains and are heavily restricted today
- Proper cookie handling is fundamental to risk-based authentication
What’s Next (Part 2)
In the next article, I’ll dive into how browsers actually handle cookies, including:
- Where browsers store cookies
- When cookies are sent with requests
- SameSite, Secure, and HttpOnly attributes
- Differences between Chrome, Safari, and Edge
- How to inspect cookies using developer tools
I’ll focus on the points that tend to cause confusion in real-world development.
Original Japanese article:
https://zenn.dev/bysontech/articles/dd7cfb2c9faf57t
Top comments (1)
Really clear and beginner friendly article — thank you!