DEV Community

Cover image for 🍪Cookies and Cookie Tracking Explained
Hargunbeer Singh
Hargunbeer Singh

Posted on

🍪Cookies and Cookie Tracking Explained


A cookie is a small piece of information stored in the client's computer by a particular website via a web browser. They are used to personalize a user's experience on the particular website. It usually contains the user's preferences and inputs. A user can customize their web browser to accept, reject or delete cookies. Cookies can be modified at the server level by using the Set-Cookie HTTP header. It can be modified at the client level by using document.cookie in JavaScript.

Cookies are shared to the server on consequent HTTP request. When you perform a HTTP GET request, the server returns you the webpage(HTML, CSS and JavaScript) along with some cookies which would be populated with data as you surf the specific web page. When you form another HTTP request to the server, the cookies which were populated with your data(preferences) are sent to the server. Thats how cookies help in storing the user's preferences. Cookies transactions take place between the user and the server using the Set-Cookie header.

There are two types of cookies - First Party Cookies and Third Party Cookies. First Party cookies, as the name says, are the cookies used by the website you are surfing to improve user experience. Third Party cookies are the cookies which are used by third-party services to improve the user experience, these are mostly advert companies, which improve user experience, like Google Ads which suggests you proper websites in its search ranking.

Cookies are not stored as code on the user's machine, it is rather stored as simple files, which cannot be executed. Stored cookies cannot even manipulate the elements of your screen, it can't even access your mic or webcam. The only worry about cookies is thier system of allowing data(preferences) to be sent to the server without anybody noticing.


  • When you turn on the dark mode on YouTube, it would be stored in the cookies and would be sent back via a POST request as soon as you change the color mode. After that when you perform a consequent GET request to the YouTube server, it would return you the YouTube web page and the cookies populated with your preferences, this improves user experience as the user does not need to change the color mode on consequent visits to the particular website.
  • When you log into a website on a device, an encrypted unique token is stored in the cookie which keeps you logged in the website everytime you open the website.
  • Cookies are used to store the items in the shopping cart in an ecommerce website, they improve user experience as when you visit the website consequent times, you would not need to re-fill your cart with the items you had selected in the last session.

Web Security

  • You(as a developer) should never store sensitive information, like login information, in cookies as a hacker can perform XSS attacks or Session hijacking at1tacks to retrieve the cookies, which would cause loss of privacy of the sensitive information.
  • If a hacker steals your cookie on a specific website via some attack(like XSS), the attacked can use your cookie to pretend to be you on that specific website and he might do harm to your privacy.

Cookie Tracking

Cookie tracking is performed by third-party cookies usually, tracking cookies are used by third-parties to monitor the user's Web surfing habits and use the data for marketing purposes, like Google and Facebook ads. These types of cookies are generally considered as an invasion of privacy. When third-party ads are placed on a website, the third-party ad providers are also storing the user's data in cookies and then using the data for marketing and advertising purposes. For example: Big Tech giants, like google and facebook, store your data via cookies through ads as you surf the internet and then use that data to show you related advertisments, thus increasing their profits. Because of t4e privacy invasion of the users due to cookies, the EU(European Union) introduced the cookie law. The cookie law states that the websites need to ask for the user's permission to use cookies and give them a chance to opt out, thats why most of the websites ask for the user's permission before storing cookies.

In very rare cases, some ads might also access your camera if you allow to, or access it directly if you have allowed the main website to access your webcam. The advertising companies would then capture your facial expressions while watching a video add and determine whether you were happy or sad while watching it and then use the data for marketing. This can happen in very rare cases, research on this type of technology is being done at MIT Media Labs.

Personal Opinion

Users should be given the right to opt in for first-party cookies and just opt out for the third-party ones, but this gets very complex(from a developer perspective) and also it is very difficult to present to the user.

Discussion (0)