ISE Blog

If You Give a Dev a Cookie...

In this blog post, we talk about what a cookie is in the context of web development, how websites and web services use cookies, and some of the pitfalls to watch out for when using cookies. Let’s get started!

What is a Cookie?

No, it’s not chocolate chip or oatmeal raisin – a cookie is a small piece of data that a web server sends to the browser in a response. The browser stores it and sends it back with later requests to that server. HTTP itself is stateless, so cookies are how a server recognizes the same browser from one request to the next: a cookie might reference the items in a user’s cart on a shopping website, identify a logged-in session, or hold user preferences. Typically, cookies are used to enhance the user experience – such as saving a user’s viewing preferences between site visits – or to track user activity in some way.

A cookie consists of three parts:

  1. Name – the name of the cookie identifies it as a unique piece of data. This is given to the cookie by the server that sets it. For example, if the cookie is storing the items in a shopping cart, the name of the cookie may be “cart_items” or “__cart”.
  2. Value – the value of the cookie is the data itself. To continue with our example, the value of our shopping cart cookie would be a serialized list of the items in the cart (or, better, an identifier that the server maps to a cart it stores itself).
  3. Attributes – cookie attributes are a set of predefined flags, sent alongside the name and value in the Set-Cookie response header, that tell the browser how to handle the cookie. The lifetime is set with the “Expires” attribute (an absolute date) or “Max-Age” (a number of seconds); once that time passes, the browser discards the cookie. The “Domain” attribute names the hosts the browser may send the cookie to; if it is omitted, the cookie goes back only to the exact host that set it. “Path” restricts the cookie to a URL prefix, and the “Secure” and “HttpOnly” attributes, which we come back to in the pitfalls section, limit when and to whom the browser hands the cookie out. A newer attribute, “SameSite”, controls whether the cookie accompanies requests that originate from other sites.

Different Kinds of Cookies

While the ingredients of cookies are the same, there are different ways to designate cookies based on intent and behavior.

The first distinction we make is between session and persistent cookies. A session cookie has no Expires or Max-Age attribute, so the browser keeps it only until the browsing session ends (typically when the browser is closed). A persistent cookie carries an expiry and survives between visits until that time passes. For example, if a user customizes their profile to redirect to a specific page on a website when they log in, they will want that choice to persist between visits. One way of storing that data would be with a persistent cookie. (The benefit of using a persistent cookie in this case would be to offload the data from the server so it is readily available in the browser rather than making numerous subsequent server calls to retrieve it.)

Another distinction we can make is between first-party and third-party cookies. First-party cookies are cookies set by the site you are on, and the browser sends them back only to that site. This means that the cookies from the fictitious abc123.com are never sent to the also fictitious xyz456.com. Third-party cookies are cookies set by some other site whose content (a script, an image, an embedded frame) the site you are visiting pulls in. Because the browser sends the third party its cookies from every site that embeds it, the third party can recognize the same browser across all of those sites, which is how activity on one site ends up linked with activity on another.

Now, you may be thinking, “How do third-party cookies work if a cookie only goes back to the site that created it?” The rule still holds: the site you are visiting never reads the third party’s cookie. It embeds a resource served from the third party’s domain, the browser requests that resource, and the third party sets and later receives its own cookie on those requests. Sites opt in to this to add functionality to their own pages, most commonly to let an ad company display targeted ads or gather usage patterns.

So a site does not gain access to another site’s cookies; it invites the other site into the page. If a website does this, there is a moral obligation (and in some cases a legal one) to have the user accept the use of third-party cookies, since you are enabling data about the user to be shared, even if it is de-identified. This means you must have the user actively consent – e.g. they must click a button or take some action – before those cookies are set. You should also provide a way for users to opt out of the third-party cookies your site uses, in the interest of protecting their data. Bear in mind too that several major browsers now block or partition third-party cookies by default, so functionality that depends on them cannot be assumed to work for every visitor.
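To make the sending rule concrete, here is a small model of a browser cookie jar, added to this post as an illustrative example; it is not taken from any browser’s code or from the original article. It applies the RFC 6265 domain, path and Secure matching rules to decide which stored cookies accompany a request, using made-up hostnames (abc123.com, xyz456.com and an ad network at ads-example.net) and made-up cookie values:

```javascript
// Added example (not from the original post): a minimal model of the rule a
// browser applies when deciding which stored cookies to attach to a request,
// following RFC 6265 sections 5.1.3 (domain matching), 5.1.4 (path matching)
// and 5.4 (Secure). Hostnames and cookie values are made up.

// One stored cookie. `hostOnly` is true when the server set no Domain
// attribute: the cookie then goes back only to the exact host that set it.
function makeCookie(name, value, { domain, hostOnly = true, path = '/', secure = false }) {
  return { name, value, domain: domain.toLowerCase(), hostOnly, path, secure };
}

// Domain matching: the request host equals the cookie domain, or is a
// subdomain of it (the match must start at a dot, so "evilads-example.net"
// never matches a cookie for "ads-example.net").
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Path matching: the cookie path is a prefix of the request path that ends
// on a path-segment boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Select the cookies the browser would send with a request for `url` and
// render them as the value of the Cookie request header.
function cookiesFor(jar, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  const https = u.protocol === 'https:';
  return jar
    .filter(c => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
    .filter(c => pathMatches(u.pathname, c.path))
    .filter(c => !c.secure || https) // Secure cookies never travel over plain http
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed jar: two shops each set first-party cookies for their own host,
// and an ad network embedded on both shops set one tracking cookie for its
// whole domain.
const jar = [
  makeCookie('__cart', 'sku42,sku7', { domain: 'abc123.com' }),
  makeCookie('sid', 'a1b2c3', { domain: 'abc123.com', secure: true }),
  makeCookie('lang', 'en', { domain: 'xyz456.com' }),
  makeCookie('uid', 'tracker-9f8e', { domain: 'ads-example.net', hostOnly: false }),
];

// First-party: abc123.com gets its own cookies, and only its own.
const shopRequest = cookiesFor(jar, 'https://abc123.com/checkout'); // "__cart=sku42,sku7; sid=a1b2c3"
// Over plain http the Secure session cookie stays home.
const plainHttp = cookiesFor(jar, 'http://abc123.com/'); // "__cart=sku42,sku7"
// xyz456.com never sees abc123.com's cookies.
const otherShop = cookiesFor(jar, 'https://xyz456.com/'); // "lang=en"
// Third-party: the ad network's pixel, embedded on either shop, gets the same
// uid back, which is how the network links the two visits to one browser.
const pixelFromAbc = cookiesFor(jar, 'https://pixel.ads-example.net/i.gif?site=abc123'); // "uid=tracker-9f8e"
const pixelFromXyz = cookiesFor(jar, 'https://pixel.ads-example.net/i.gif?site=xyz456'); // "uid=tracker-9f8e"
```

Run it with Node.js. The first-party cart cookie goes only to abc123.com, the Secure session cookie is withheld from a plain http:// request, and the ad network’s uid cookie rides along with its tracking pixel no matter which shop embedded it, which is the whole mechanism behind third-party tracking. Real browsers add further rules (public-suffix checks, SameSite, third-party cookie blocking) that this model leaves out.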

Pitfalls when Using Cookies

While cookies can be a powerful tool for improving the user experience, there are some dangers when using them. Most of them come down to protecting the user’s credentials, session and identity.

The first big tip is to never store sensitive data in cookies, such as user credentials or credit card data. A cookie sits in plaintext in the browser, and it travels with every matching request, so it can be exposed in packet-sniffing attacks, where a malicious actor on the network intercepts the traffic between browser and server and extracts anything sent unencrypted. The protection is to serve the whole site over TLS and to set the “Secure” attribute on the cookie, which instructs the browser to send it only over HTTPS. A common pitfall here is that the login page uses HTTPS while other pages, or even a single image, are served over plain HTTP: without the Secure attribute the browser attaches the session cookie to those HTTP requests, and anyone sniffing the network can capture it and replay it to take over the session. Keep what goes in the cookie to an identifier the server can look up or verify, and keep the sensitive data itself on the server.

Another good practice is to set the “HttpOnly” attribute, which prevents a cookie from being read or modified through JavaScript (it no longer appears in document.cookie). The risk it addresses is cross-site scripting: if an attacker manages to inject script into your page, the first thing that script will usually do is read the session cookie and send it to the attacker, who can then use it to act as the user. HttpOnly does not prevent the injection itself, and it does nothing against a user who edits cookies in their own browser’s developer tools, so the server must still validate whatever it reads from a cookie rather than trust it. Session fixation, where an attacker plants a session identifier they already know and waits for the victim to log in with it, is a separate problem, addressed by issuing a fresh session identifier at login. Finally, the “SameSite” attribute tells the browser whether to send the cookie with requests that originate from other sites; for a session cookie, “Strict” or “Lax” is the sensible choice.
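Putting the attributes together, here is a helper that serializes a Set-Cookie header from the name, value and attributes described earlier and checks the parts against the RFC 6265 grammar, followed by the header a session cookie gets with and without the protections above. It is an added example for this post, not code from the original; the function names, cookie names and values are made up:

```javascript
// Added example (not from the original post): build and parse Set-Cookie
// headers, and compare a bare session cookie with a hardened one. Names and
// values are constructed for the illustration.

// RFC 6265: a cookie name is an HTTP token; a value is made of cookie-octets
// (printable ASCII minus space, double quote, comma, semicolon and backslash).
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const COOKIE_OCTETS = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

// Serialize one cookie. `opts` maps directly onto the cookie attributes:
//   maxAge   seconds until the browser discards it; omit for a session cookie
//   domain   hosts the browser may send it to; omit to bind it to this host only
//   path     URL path prefix; defaults to '/'
//   secure   only send over HTTPS
//   httpOnly hide from document.cookie
//   sameSite 'Strict' | 'Lax' | 'None' (None is only valid together with Secure)
function setCookieHeader(name, value, opts = {}) {
  if (!TOKEN.test(name)) throw new TypeError(`invalid cookie name: ${name}`);
  if (!COOKIE_OCTETS.test(value)) throw new TypeError('cookie value contains characters that must be encoded first');
  const { maxAge, domain, path = '/', secure = false, httpOnly = false, sameSite } = opts;
  if (sameSite === 'None' && !secure) throw new TypeError('SameSite=None requires Secure');
  if (maxAge !== undefined && !Number.isInteger(maxAge)) throw new TypeError('maxAge must be an integer number of seconds');

  const parts = [`${name}=${value}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (domain) parts.push(`Domain=${domain}`);
  parts.push(`Path=${path}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header back into its parts, so a test or a security
// review can check which flags a server actually emitted. Attribute names are
// lower-cased; flag attributes without a value become `true`.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// The pitfall: a session id with no attributes. The browser sends it over plain
// http:// as well, and any script on the page can read it via document.cookie.
const weakHeader = setCookieHeader('sid', 'a1b2c3d4');
// "sid=a1b2c3d4; Path=/"

// The hardened version: HTTPS only, invisible to scripts, not sent on
// cross-site requests, and discarded after an hour.
const hardenedHeader = setCookieHeader('sid', 'a1b2c3d4', {
  maxAge: 3600, secure: true, httpOnly: true, sameSite: 'Strict',
});
// "sid=a1b2c3d4; Max-Age=3600; Path=/; Secure; HttpOnly; SameSite=Strict"

// A persistent preference cookie: survives between visits, but carries nothing
// worth stealing, so it may stay readable by the page's own scripts.
const prefsHeader = setCookieHeader('theme', 'dark', {
  maxAge: 60 * 60 * 24 * 365, secure: true, sameSite: 'Lax',
});
```

Anything that fails the value check (a comma, a semicolon, a space, non-ASCII) has to be encoded first, for example with encodeURIComponent or base64. The parser is there so a test suite can assert that the flags a server actually emits are the ones a review expected, rather than eyeballing headers in the browser’s network panel.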

A final consideration when using cookies is how your user will respond. An increasing number of users are becoming more focused on privacy of their personal data, including how they browse the web. If your user base is among these, running targeted ads or using third-party cookies to gather their preferences and share that information with other sites may drive customers away from your site.

Conclusion

Cookies are a good way to reduce load on the server, enhance user experience, provide opportunities to monetize a website, and gather data on usage patterns. However, it is important to be conscious of the data you are gathering, consider your user base, and if you decide to use third-party cookies, ensure you are communicating to the user what data you are capturing and sharing.


What other concerns or tips do you have for using cookies on websites? Contact us or join in the conversation below! 

Jon Opdahl, Software Engineer

Jon Opdahl is a full-stack web developer and web technology practice lead at Innovative Software Engineering. He has been with ISE since June of 2017. Fascinated with JavaScript, he loves working with Node.js and front-end frameworks like React and Angular. He is passionate about designing meaningful software that engages users and drives business. Outside of work, he is an avid baseball and hockey fan and enjoys golfing and tennis, as well as spending time with his wife.