What are cookies?

Google just started testing a new tracking system that will display ads based on your web browsing history. The browsing history that Google uses exists in cookies rather than in the web browser cache.

I'm working on a posting about defending against Google tracking, but it requires a background in cookies. That posting was getting long, and the topic stands alone, so here is the introduction to cookies.

Cookies are small, plain-text data files that live somewhere on your computer (exactly where depends on the web browser). Cookies are written to your computer by your web browser responding to commands from a website. A website can write multiple cookies, but (barring software bugs) can only see the cookies they wrote.

Cookies can also be written by small programs written in JavaScript that live inside a web page. A great example of that is the website preferences page at Karenware.com.

Many articles comment on the type of information contained in cookies. The data they contain can be anything at all, provided it is plain text and not very large (the maximum size of a cookie varies by browser).  

Cookies are categorized two ways: according to their lifespan and where they came from.


Short-lived cookies exist only for the current web browser session. When you close your browser, all such cookies go away. Not surprisingly, these are called session cookies (the IE7 help pages also refer to them as temporary cookies). For tracking purposes, session cookies pose no danger.  

The majority of cookies are more permanent. It's not unusual for a website to set the expiration date of a cookie to be 10, 20 or 30 years in the future. These persistent cookies (that's the official name) can be very beneficial, but they can also be used for behavior tracking. If a website has ever remembered your userid/password, you have a persistent cookie to thank for the convenience.


When it comes to the origin of a cookie, there are two categories: first party and third party.

First party cookies come from the website whose domain name is displayed in the address bar of your web browser. For example, at the web site of my home town newspaper, The New York Times, first party cookies are set by the newspaper.

But a web page is normally made up of many pieces and the pieces don't have to come from the same website. The ads, for example, rarely originate on the website you are visiting. Cookies that come from these third party advertising networks are the origin of the term "third party cookies", which refers to cookies set by websites you had no intention of visiting.

In one test I ran, the home page of the New York Times set cookies for advertising.com, atwola.com, bluestreak.com,  doubleclick.net and tacoda.net, in addition to a cookie for nytimes.com.   

Third party persistent cookies are what all the fuss is about. You won't run across this term very often though. More commonly, they're referred to as tracking cookies.

Web browsers offer control over the cookies they'll accept. More on that next time.

Updated March 17, 2009. Added mention of JavaScript. 

Copyright © 2009 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon