Cookies became the Bogeyman of the 21st century for websites and their visitors. What is so threatening about these small pieces of data and should we really fear them? After reading this article you will be equipped with actionable knowledge about cookies that will allow you to sleep peacefully at night.
What is a cookie?
“A cookie is a small, flat, sweet, baked good, usually containing flour, eggs, sugar…” [Wikipedia]
These are the sweet cookies we love. Today we’re going to talk about the tougher kind, web cookies, and how to deal with them. According to Wikipedia, a cookie is a small piece of data that a website stores in the user’s web browser while the user is browsing it. On every later request to that website the browser sends the cookie back, which is how the server recognizes the user and their previous activity.
In other words, a cookie lets a website remember something about a visitor from one request to the next. HTTP itself is stateless, so without cookies every request would look as if it came from a stranger. Websites use this ability for different purposes: most often for keeping a user logged in, analytics, advertising, localization, or improving the site’s performance.
Types of cookies and how to use them
Session cookies
Also known as in-memory or transient cookies. They are temporary and are erased when you close the browser. The next time you visit the website the browser will not recognize you and will treat you as a new visitor. What makes them different from other cookies is that they have no expiration date assigned to them (no Expires or Max-Age attribute). That is how the browser knows they are session cookies and should be discarded at the end of the browsing session. One caveat: browsers configured to restore the previous session on startup typically keep session cookies across restarts, so “until the browser closes” can in practice mean much longer.
How they are used: Websites use session cookies to recognize the same user as they move from one page to another. E-commerce sites use session cookies to remember what you placed in your shopping cart; otherwise, the items placed in the cart would have disappeared by the time you reach checkout. [AllAboutCookies.org] Because the session identifier stands in for the user, it must be long and unguessable, and it must be invalidated on the server when the user logs out.
Persistent cookies
Sometimes loosely called tracking cookies (tracking is only one of their uses), they remain until you erase them or they expire. Unlike session cookies, persistent cookies stay in your browser for as long as the Expires or Max-Age attribute set by their creator says, which means their contents are transmitted to the server every time the user visits the website, or every time the user views a resource, e.g. an advertisement, belonging to that website’s domain.
How they are used: Persistent cookies help you improve your website’s user experience and provide personalized content. For example, users don’t have to log in again on their next visit. They can also remember the language your users chose to view your website in and serve the content in the same language on future visits. They can also be used by advertisers, as they can collect data about the user’s browsing habits over an extended period of time. Note that a persistent “remember me” cookie is a long-lived credential: anyone who obtains it can act as the user until it expires, so it should be revocable on the server and should carry the Secure and HttpOnly flags described below.
Secure cookies
These carry the Secure flag and are only transmitted over an encrypted connection (i.e. HTTPS). This makes the cookie far less likely to be exposed to theft via eavesdropping, for example on a public Wi-Fi network, or leaked during an HTTP-to-HTTPS redirect.
How they are used: They allow web-based applications to store information about selected items, user preferences, registration information, and, most importantly, session identifiers, without sending that data in the clear. Keep in mind that the Secure flag only protects the cookie in transit: it does not stop script running on the page from reading it, and on its own it does not guarantee that the cookie was originally set over HTTPS.
HttpOnly cookies
How they are used: The HttpOnly flag tells the browser to make the cookie available to the HTTP protocol only, i.e. it is sent with requests but is not exposed to client-side script, so document.cookie will not return it. Using Secure cookies together with the HttpOnly flag limits the potential damage of many cross-site scripting (XSS) attacks, specifically those that try to steal cookie data. It is not a substitute for fixing the XSS itself: injected script can still send requests from the victim’s browser, and the browser will attach the HttpOnly cookie to them.
Third-party cookies
Put simply, cookies that belong to a domain other than the one shown in the web browser’s address bar, i.e. set by a site other than the one you are visiting. For example, if you visit getresponse.com and the domain of the cookie placed on your computer is getresponse.com, then this is a first-party cookie. However, if you visit getresponse.com and the domain of the cookie is basicanalytics.com, then this is a third-party cookie. Most browsers, e.g. Google Chrome, Mozilla Firefox, Safari and IE, contain settings allowing users to block third-party cookies.
How they are used: Third-party cookies are usually used for analytics and advertisement. By having many websites embed the same resource, advertising companies can read the same cookie on every one of those sites, track users across the web, and serve ads based on the user’s browsing behavior.
Supercookies
Cookies whose Domain attribute is a top-level domain, e.g. .com, or a public suffix, e.g. .co.uk. Ordinary cookies, on the other hand, are scoped to a specific domain name. A cookie scoped to .co.uk would be sent to every site under that suffix, so one site could read or overwrite data belonging to another. For this reason browsers reject such cookies, using the Public Suffix List to decide which domains are too broad.
How they are used: The term is also applied, loosely, to tracking mechanisms that live outside the browser’s cookie jar; originally these were Flash cookies, and with the development of technology it is possible to track users via other techniques, e.g. HTML5 session storage. They are used mainly by advertisers.
Zombie cookies
Cookies that are automatically recreated after being deleted. This is possible with the help of a client-side script. The script starts by storing the cookie’s contents in multiple locations, such as Flash local storage, HTML5 storage, and other client-side storage locations. When the script detects the cookie’s absence, it recreates the cookie from the data stored in those locations. Deleting only the cookie is therefore not enough; the other storage locations have to be cleared as well.
What cookies do I use on my website?
If you’re not sure what cookies are currently used on your website, you can easily check with free browser extensions such as Cookie Inspector (Chrome), Cookies Manager+ (Mozilla Firefox), or Safari Cookies (Safari). The browser’s built-in developer tools show the same information, including each cookie’s domain, expiry, and Secure and HttpOnly flags, and the Set-Cookie headers in the network panel show exactly which response set each one.
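The distinctions from the section above (session vs persistent, Secure, HttpOnly, first- vs third-party, supercookie) can all be read off the Set-Cookie header, which is also the most reliable way to audit what your own site sets. The following is an added example, not code from the original article or from GetResponse: it parses Set-Cookie headers the way a browser does and classifies each cookie. The hostnames, the sample headers and the small stand-in for the Public Suffix List are constructed for the example. It runs under Node.js.

```javascript
// Added example: classify cookies from their Set-Cookie headers.
// Hypothetical stand-in for the Public Suffix List browsers consult;
// the real list (publicsuffix.org) has thousands of entries.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'co.uk', 'github.io']);

// Parse one Set-Cookie header into {name, value, attrs}. Attribute names are
// lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? '' : parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

function isPublicSuffix(domain) {
  return PUBLIC_SUFFIXES.has(domain);
}

// RFC 6265 domain matching: does a cookie scoped to `domain` apply to `host`?
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// responseHost: the server that sent the header; pageHost: what the address
// bar shows. `now` (ms since epoch) is injectable so expiry is testable.
function classifyCookie(header, responseHost, pageHost, now = Date.now()) {
  const cookie = parseSetCookie(header);
  const a = cookie.attrs;
  const domain = (a.domain || responseHost).replace(/^\./, '').toLowerCase();
  // Max-Age takes precedence over Expires when both are present (RFC 6265).
  let expiresAt = null;
  if ('max-age' in a) expiresAt = now + Number(a['max-age']) * 1000;
  else if ('expires' in a) expiresAt = Date.parse(a.expires);
  return {
    name: cookie.name,
    type: expiresAt === null ? 'session' : 'persistent',
    expiresAt,
    secure: a.secure === true,
    httpOnly: a.httponly === true,
    party: domainMatches(pageHost, domain) ? 'first-party' : 'third-party',
    supercookie: isPublicSuffix(domain),
  };
}

// Build a Set-Cookie header: a session cookie when maxAge is omitted,
// a persistent one when it is given (in seconds).
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${value}`, `Path=${opts.path || '/'}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Constructed sample: [responding host, header] pairs as they might arrive
// while viewing https://www.example.com/ (all hostnames are hypothetical).
const PAGE_HOST = 'www.example.com';
const SAMPLE = [
  ['www.example.com', 'sid=abc123; Path=/; Secure; HttpOnly'],
  ['www.example.com', 'lang=pl; Max-Age=31536000; Path=/'],
  ['tracker.adnet.example',
    'uid=42; Domain=.adnet.example; Expires=Fri, 31 Dec 9999 23:59:59 GMT'],
  ['shop.example.com', 'wide=1; Domain=com'],
];

function audit(now = Date.now()) {
  return SAMPLE.map(([host, header]) => classifyCookie(header, host, PAGE_HOST, now));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const c of audit()) console.log(c);
  console.log(buildSetCookie('sid', 'abc123', { secure: true, httpOnly: true }));
}
```

In the sample, `sid` is a properly protected session cookie, `lang` is a persistent first-party cookie that needs neither flag, `uid` is a third-party cookie with the kind of far-future expiry the EU Cookie Sweep below complains about, and `wide` is a supercookie that a real browser would refuse to store. The audit only reads headers, so it can be pointed at the responses of any page you control without touching the browser’s cookie jar.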
Why do I need to add cookies notification on website?
According to EU cookie legislation (considered among the strictest) a website owner must obtain prior informed consent to access or store information on the user’s computer, phone, tablet, or other device.
To comply with cookie laws, you are usually required to:
- Determine what kind of cookies the website will set and how you will use them.
- Inform visitors that you set cookies, why you set them, and what they do, and then obtain their consent for such use.
Location and content of my cookies notification
Below is a sample cookies notification message that might be appropriate for your website if you are using tools such as Google Analytics. This example is taken from one of the landing pages created with GetResponse Landing Pages, which allows you to use the built in, easy to customize cookies notification module that you can add to your landing page with a single click. For more information about cookies notification, read this article.
Remember that you’ll need to adjust this message to match your specific uses of cookies and other information.
Example of cookies notification message:
Do EU websites comply with the cookie law?
From 15-19 September 2014, the Article 29 Working Party, in partnership with the national regulators responsible for enforcing Article 5(3) of the ePrivacy Directive 2002/58/EC, conducted an audit, also called the EU Cookie Sweep, of 478 websites in the e-commerce, media and public sectors across 8 member states.
Here are some of the most interesting Sweep’s findings:
- 70% of the 16555 cookies recorded were third-party cookies,
- Over 50% of the third-party cookies were set by just 25 third-party domains,
- Cookie expiration dates are often set absurdly far in the future. The audit found some that will not expire until December 31, 9999, which is almost 8,000 years from now!
Since May 26th 2012 the UK and other European countries have been enforcing their cookie laws. Under Polish law, for example, the fine for non-compliance with the cookie law can reach up to 3% of the penalized party’s revenue from the preceding calendar year.
Have any questions or thoughts on the web cookies? Share in the comments below!