Browser cookies are one of those technical bits of web browsing that almost everyone has some awareness of. They're also probably one of the most misunderstood aspects of browsing. Today we're here to clear up the confusion.


Photo by esti.

When it comes to browser cookies, most users have a lot of misconceptions about what they do. Here's a closer look at exactly what a browser cookie is, what it isn't, and what it's really used for.


Note: If you're serious about your online privacy, check out our guide on how to really browse without leaving a trace, where we cover much more than just cookies.


What Are Cookies Anyway?

Cookies are nothing more than tiny bits of text stored on your PC by your web browser, containing information set by web sites such as your session token, user preferences, or anything else that the web site needs to keep track of you from one request to the next. Once the web site has asked your browser to set the cookie, the next time your browser opens a new request to the server—clicking a link to a page, adding an item to your cart, or even loading an image—your browser will send that cookie back to the web site that set the cookie.


Cookies exist because the underlying HTTP protocol is stateless—each request from your browser is completely separate from the next one, so the server needs a way to keep track of what request belongs to what visitor. By storing a small bit of information in a cookie, the web site can determine that your page view belongs to your user account.

There are two "categories" of cookies: first-party and third-party (although there's actually no technical difference between the two). First-party cookies are those cookies that belong to sites you actually visited in your browser, while third-party cookies, also known as tracking cookies, are generated from a JavaScript include on the page—generally from third-party advertising web sites.


Myth: Cookies Spy On You and Track Everything You Are Doing

As we've already learned, the contents of cookies are set by the web site that you visited, so there's no way that cookies are going to contain personal information unless you've already given that information to the site.


Most cookies are as simple as a session token, but sometimes they contain your login credentials, usually encrypted or hashed in some format—but since cookies are only sent back to the same site that originated them, even if cookies contained personal information, it is not going to be shared with every site you visit.

Myth: Cookies Are Viruses or Spyware and Create Spam and Popups

Cookies are nothing more than text files and could not be executed even if you track down the hidden folder they are usually located in, but a surprising number of people believe that cookies contain viruses or spyware. The reason for this, other than misconceptions fueled by clueless TV writers, is probably that most anti-spyware applications catch tracking cookies when you do a scan. Why? Cookies can be used by advertising web sites to track the sites you visit (assuming the sites are using the same advertising network—see more below), so most anti-spyware applications help you remove them.


The other myth is that cookies are responsible for spam and create pop-up advertisements. While it's true that an advertiser can use cookies to track which pop-up ads you've seen, the cookies have nothing to do with the advertisement in the first place.

Fact: Spyware and Viruses Can Read Your Cookies, but So What?

Another common misconception is that cookies are bad because if you have a virus or spyware infection, they can read your cookies to find out more information about you. This concept is not only overly paranoid, but completely illogical to boot—if your PC is already infected with a virus, you've got a lot more to worry about than a virus "reading" your cookies, since it has complete control over your computer, and your information at that point. You're better off spending your energy learning about the best ways to keep your PC secure.


Fact: Cookies Are Required for Logging Into Most Sites

The vast majority of web sites require cookies to be enabled in order to create an account and keep yourself logged in, so if you disable cookies in your browser, a large portion of the web is going to be broken. There are some exceptions, of course—you'll probably notice that many shopping web sites embed the session token into the URL, but it's not something that most sites are going to implement. These cookies are considered first-party cookies, because they are set by the web site you purposely visited.


Fact: Cookies are Used by Advertisers to Track Sites You Visit

Because cookies are always sent back to the site that originated them, an advertiser's cookie will be sent back to them from every web site you visit that is also using that same advertiser. This allows the advertiser to track the sites you visit, and send targeted advertising based on the types of sites that you visit.


This does not mean that advertisers can read the cookies from the web site you are visiting—they can only read their own cookies, but because the advertising JavaScript is embedded in the page, they will know the URL you are visiting. These cookies are considered third-party cookies, because they are not set by the actual page you are visiting, and they can generally be blocked without causing any serious problems.
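The behaviour described here and under "What Are Cookies Anyway?", as an added example that is not part of the original article: a toy cookie jar in which each host gets back only its own cookie, with and without third-party blocking. The host names are made up, and the model simplifies real browsers by matching exact host names and treating the page URL as the referer the embedded request carries.

```javascript
// Toy model of a browser cookie jar (constructed example; host names are made up).
class Browser {
  constructor({ blockThirdParty = false } = {}) {
    this.jar = new Map();          // host -> cookie value set by that host
    this.blockThirdParty = blockThirdParty;
  }
  // Send one request to `host` while the address bar shows `pageUrl`.
  request(host, pageUrl, server) {
    const thirdParty = new URL(pageUrl).hostname !== host;
    const allowed = !(thirdParty && this.blockThirdParty);
    // Only the cookie set by this exact host is attached to the request.
    const cookie = allowed ? this.jar.get(host) : undefined;
    const setCookie = server.handle({ cookie, referer: pageUrl });
    if (setCookie && allowed) this.jar.set(host, setCookie);
  }
  // Visit a page: one first-party request plus one for each embedded host.
  visit(pageUrl, servers, embeds = []) {
    const host = new URL(pageUrl).hostname;
    this.request(host, pageUrl, servers[host]);
    for (const e of embeds) this.request(e, pageUrl, servers[e]);
  }
}

// A server that assigns an ID on first contact and logs what it is sent.
class Server {
  constructor(prefix) { this.prefix = prefix; this.next = 1; this.log = []; }
  handle({ cookie, referer }) {
    const id = cookie || `${this.prefix}-${this.next++}`;
    this.log.push({ id, referer });
    return cookie ? null : id;     // Set-Cookie only when none was presented
  }
}

// Browse three pages on two sites that embed the same ad host.
function simulate(blockThirdParty) {
  const servers = {
    'news.example': new Server('news'),
    'shop.example': new Server('shop'),
    'ads.example': new Server('ad'),
  };
  const browser = new Browser({ blockThirdParty });
  browser.visit('https://news.example/story', servers, ['ads.example']);
  browser.visit('https://shop.example/cart', servers, ['ads.example']);
  browser.visit('https://news.example/sports', servers, ['ads.example']);
  return servers;
}
```

With blocking off, the ad host's log shows one ID against all three page URLs; with blocking on, it sees a fresh ID each time while the news site still recognises the returning visitor.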

If this type of tracking keeps you up at night, consider that an advertiser can already track the sites you visit based on a combination of your IP address, browser version, location, and any number of other factors—so getting rid of the tracking cookies only eliminates a small piece of the puzzle when it comes to tracking your behavior online. There are also only a few advertisers big enough to really track you across the majority of web sites—and one has to assume Google already knows everything else you're doing online.


Fact: Deleting or Blocking Cookies Can Cause More Annoying Ads

If you've ever visited a web site that sometimes, but not always, prevents you from reading the article until you click through an interstitial advertisement that takes over the entire page, you might wonder what logic dictates who sees the ads and when.


Here's how it works: interstitial ads pay web sites very lucrative rates to allow them to take over the entire page, but since most web site owners know that they are annoying, they are usually rate-limited so they aren't seen too often by the same person. Once you've seen the ad a single time, the advertiser sets a cookie on your PC to make certain that you don't see the same annoying ad again for a while. If you are deleting your cookies on a regular basis, you're probably also seeing a lot more of these interstitial ads than everybody else. That is, of course, if you don't have an adblocker installed.

Fact: Disabling Cookies Doesn't Matter If You Have Flash Enabled


As we've already pointed out in our guide to browsing without leaving a trace, even if you are blocking cookies in your browser, advertisers are using Flash cookies to keep track of what you're browsing online. In fact, more than half of the most popular web sites are using Flash tracking cookies—and even using your browser in private mode won't (currently) stop them from tracking you this way.


Still Want to Block Cookies? Try Blocking Third Party Cookies Only


If you are still worried about cookies for privacy reasons, you can set up your browser to only accept first-party cookies, so you'll still be able to log in to all the web sites that you visit. For Firefox, just head into the Options panel, switch to the Privacy tab, and uncheck the Accept third-party cookies box. If that causes you any problems, you can keep the option checked, but change the "Keep until" setting to remove the cookies once you close Firefox. Other browsers have similar settings; just head into the options to find them.

Do you clear your cookies religiously, or do you just use a private browsing mode? Share your thoughts in the comments.


The How-To Geek isn't paranoid enough to delete cookies regularly. His geeky articles can be found daily here on Lifehacker, How-To Geek, and Twitter.