Cookies and browser data

Websites and browsers

No doubt you have had to accept cookies more than once when visiting a website. What are cookies and why are they so important to the operation of Web sites? To find out, you need to gain some understanding of how HTTP and the World Wide Web work.

Unlike a phone call, the connection between your computer and the Web server on which a site is published does not remain "open." When you access a web page through your browser (Google Chrome, Apple Safari, Mozilla Firefox, Microsoft Edge...) the server sends a copy of all the files belonging to that one web page to your browser. So when you visit a Web site, you are not really "online." You are requesting a page and getting a copy of that page sent to you. Streaming media such as film and audio are an exception. Those are forwarded to you only in "pieces," so that a perfect copy of the movie or audio does not end up on your computer system.

When you request a Web page in your browser, your browser sends your request to the Web server. Many Web servers first retrieve the requested information from a database, convert the result into a Web page and send it back to your browser as a "response."

Learn more about Web pages and how they work in the Building a Web Site with HTML course. You will learn how databases and the CRUD transactions shown in the image work in the Database course.

Without cookies, the web would be a soulless affair

Thus, the server does not know who requested the information, because the connection is broken each time. This also prevents a server from remembering who entered a username or password on a previous page or added a product to a shopping cart. After all, the "visitor" is not really "present" on the website; the visitor is only a "browser" (a user agent) that asks for certain information (a request) and receives an answer (a response).

To solve this "problem," COOKIES have been devised. Cookies are small text files that can store certain pieces of information about the visitor in the browser (i.e., on the "visitor's" computer). A cookie can also be stored on the server itself.

Imagine it like this: a browser cookie is a kind of unique key sent to you as a visitor. The browser stores that key for a certain amount of time. The server (the central computer where the site is published) stores the lock associated with that unique key. When the same visitor sends another "request," the browser and server can also exchange the key and check if that key fits a matching lock.

Without cookies, using passwords and usernames or remembering products in a shopping cart would be impossible. It would be impossible to use social media websites, webmail, online banking or shopping...without them. In short: the Web would be a somewhat soulless affair.
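The key-and-lock exchange described above, as an added example that is not part of the original page. The class name `SessionStore`, the cookie name `sid` and the 30-minute lifetime are assumptions chosen for illustration.

```javascript
// Added example, not from the original page.
// Web Crypto is a global in browsers and current Node.js; older Node.js needs the module.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

class SessionStore {
  constructor(ttlMs = 30 * 60 * 1000) {
    this.ttlMs = ttlMs;
    this.sessions = new Map(); // the "locks": session id -> { data, expiresAt }
  }

  // After a successful login: store the lock and hand the key to the browser.
  create(data, now = Date.now()) {
    const bytes = rng.getRandomValues(new Uint8Array(16)); // 128-bit unguessable key
    const id = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
    this.sessions.set(id, { data, expiresAt: now + this.ttlMs });
    return `sid=${id}; Path=/; HttpOnly; Secure; SameSite=Lax`; // Set-Cookie value
  }

  // On every later request: does the key in the Cookie header fit a stored lock?
  lookup(cookieHeader, now = Date.now()) {
    const m = /(?:^|;\s*)sid=([0-9a-f]{32})(?:;|$)/.exec(cookieHeader ?? "");
    if (!m) return null; // no key, or not in the format this server issues
    const entry = this.sessions.get(m[1]);
    if (!entry) return null; // key fits no lock
    if (entry.expiresAt <= now) {
      this.sessions.delete(m[1]); // an expired lock is thrown away
      return null;
    }
    return entry.data;
  }

  // Logout: remove the lock so the key becomes worthless.
  destroy(cookieHeader) {
    const m = /(?:^|;\s*)sid=([0-9a-f]{32})(?:;|$)/.exec(cookieHeader ?? "");
    return m ? this.sessions.delete(m[1]) : false;
  }
}
```

The browser only ever holds the random key; the account data stays in the server's map, which is why the server can end a session at any time by deleting the entry.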

Different types of cookies

Caution: cookies do not collect "data," they store data!

Cookies help websites get to know the user so that the websites can personalize the user experience. For example, e-commerce Web sites use cookies to know what merchandise users have placed in their shopping cart. In addition, some cookies are necessary for security purposes, such as authentication cookies.

A session cookie helps a website track a user's session. Session cookies are deleted after a user's session ends - as soon as they log out of their account on a website or leave the website. Session cookies have no expiration date, which tells the browser to delete them once the session has ended.

Unlike session cookies, persistent cookies remain in a user's browser for a predetermined amount of time, such as a day, a week, several months or even years. Persistent cookies always contain an expiration date.

Authentication cookies help manage user sessions; they are generated when a user logs into an account through their browser. They ensure that sensitive information is delivered to the correct user sessions by associating user account information with an identification string from a cookie.

Tracking cookies are generated by tracking services. They record user activity, and browsers send this record to the corresponding tracking service the next time they load a website that uses that tracking service.

Like the "zombies" in popular fiction, zombie cookies regenerate after they are deleted. Zombie cookies create backup versions of themselves outside a browser's typical cookie storage location. They use these backups to reappear in a browser after they are deleted. Zombie cookies are sometimes used by unscrupulous ad networks and even cyber attackers.

A third-party cookie is a cookie that belongs to a domain other than the domain displayed in the browser. Third-party cookies are usually used for tracking purposes. They contrast with first-party cookies, which belong to the same domain displayed in the user's browser.
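The cookie types above can be read directly from the `Set-Cookie` header a server sends. The following added example (not part of the original page) classifies constructed headers as session, persistent or deleted and as first-party or third-party; it goes slightly beyond the text by also listing missing `Secure`, `HttpOnly` and `SameSite` attributes, and it assumes that "same site" can be approximated by the last two host labels.

```javascript
// Added example, not from the original page. The header strings are constructed.
// Assumption: "same site" is approximated by the last two host labels;
// real browsers use the Public Suffix List instead.
const site = (host) => host.toLowerCase().split(".").slice(-2).join(".");

function classifyCookie(setCookie, responseHost, pageHost, now = new Date()) {
  const [pair, ...rest] = setCookie.split(";").map((s) => s.trim());
  const attrs = Object.create(null);
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? "" : part.slice(i + 1);
  }
  // Max-Age wins over Expires; with neither, the cookie is a session cookie.
  let expires = null;
  if (/^-?\d+$/.test(attrs["max-age"] ?? "")) {
    expires = new Date(now.getTime() + Number(attrs["max-age"]) * 1000);
  } else if (!Number.isNaN(Date.parse(attrs.expires ?? ""))) {
    expires = new Date(Date.parse(attrs.expires));
  }
  let lifetime = "session";
  if (expires) lifetime = expires <= now ? "deleted" : "persistent";
  return {
    name: pair.split("=")[0],
    lifetime,
    daysToLive: lifetime === "persistent" ? Math.round((expires - now) / 864e5) : null,
    party: site(responseHost) === site(pageHost) ? "first-party" : "third-party",
    // Hardening attributes an authentication cookie is expected to carry.
    missing: ["secure", "httponly", "samesite"].filter((a) => !(a in attrs)),
  };
}

// Constructed responses seen while the address bar shows shop.example.
const NOW = new Date("2030-01-01T00:00:00Z");
const EXAMPLES = [
  ["sid=4f2a9c; Path=/; HttpOnly; Secure; SameSite=Lax", "shop.example"],
  ["prefs=lang-nl; Max-Age=2592000; Path=/", "www.shop.example"],
  ["uid=778899; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; SameSite=None", "cdn.tracker.example"],
  ["sid=; Max-Age=0; Path=/", "shop.example"], // how a server deletes a cookie
].map(([header, host]) => classifyCookie(header, host, "shop.example", NOW));

console.log(EXAMPLES);
```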

Other techniques for storing (not collecting!) data in the browser

Besides cookies, there are two other techniques for storing user data in the browser: local storage and session storage. Cookies are the oldest technique. Local storage and session storage are newer techniques developed to overcome shortcomings of cookies.

All three are tied to the browser in which they were set. That means that if certain data is stored in one browser, it will not be stored in another browser on the same machine. For example, data stored in Google Chrome will not be stored in Firefox on the same computer.

Also, different users do not share cookies or local storage among themselves. So if certain data is set for one user, none of the other users will be able to see it.

The differences between cookies, local storage and session storage. Source: https://javascript.plainenglish.io/3-ways-to-store-data-in-the-browser-db11c412104b

Cookies are basically text-based data with a name-value pair. Cookies can only store 4 KB of data, which is much less than local storage and session storage.

Depending on the browser, local storage has a capacity of 5-10 MB. Local storage only stores data in the browser and never expires unless manually deleted. Local storage is accessible from any window. This means that if a user closes the browser, the data in local storage is still there the next time the user opens it.

With session storage, the retained data is deleted after the session when the user closes the browser. Session storage has a capacity of 5 MB.

Privacy and legislation

Some privacy laws, such as the EU's ePrivacy Directive, address and regulate the use of cookies. Under this directive, users must give "informed consent" - they must be informed about how the website uses cookies and agree to that use - before the website can use cookies. (The exception is cookies that are "strictly necessary" for the functioning of the website). The EU's General Data Protection Regulation (GDPR) considers cookie identification data to be personal data, so its rules also apply to the use of cookies in the EU. Moreover, all personal data collected by cookies fall under the jurisdiction of the GDPR. Largely because of these laws, many websites now display cookie banners that allow users to view and control the cookies used by those websites.

Getting information about the (computer) system or device

Even without cookies or data storage, your browser can retrieve or collect a lot of information. For example, you can use JavaScript code from a Web page to check what computer system the computer is using or what language the system is set in. This allows, for example, a website to be immediately displayed in the correct language if multiple language versions are available. You can also similarly read the width and height, color settings and rotation of the screen. This is also useful for a Web developer, because it allows a Web site to adapt to the visitor's screen.

If cookies serve to identify the user or user information, then with system information you can identify mainly the system or browser.

Browser fingerprinting

However, it is also possible to use the system information to identify the visitor himself. Here we are not talking about the visitor's "name" or "address," but rather the "device." It may be of interest to a Web site to find out if that particular device has sent a query to the Web site on the Web server before.

Because every device has specific settings (e.g., resolution, browser version, language setting, colors or fonts...), a Web developer can use JavaScript to retrieve all the system information that is available and look for just those little points of difference. By checking that information each time you visit a Web page on a specific site, the site can detect a kind of "unique fingerprint" of the device.
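To see why a handful of ordinary settings is enough to single out a device, the following added example (not part of the original page) measures how many devices in a small sample share the same combination of settings. The eight devices in `SAMPLE` and the four attribute names are constructed for illustration.

```javascript
// Added example, not from the original page. SAMPLE is constructed, not real data.
const ATTRS = ["language", "screen", "timezone", "browser"];

// The combined settings act as the device's "fingerprint".
const fingerprint = (device, attrs) => attrs.map((a) => `${a}=${device[a]}`).join("|");

// Count how many devices share each fingerprint (the "anonymity set").
function anonymitySets(devices, attrs = ATTRS) {
  const sets = new Map();
  for (const d of devices) {
    const fp = fingerprint(d, attrs);
    sets.set(fp, (sets.get(fp) ?? 0) + 1);
  }
  return sets;
}

// Share of devices that are alone in their set, so recognisable without any cookie.
function uniqueShare(devices, attrs = ATTRS) {
  const sets = anonymitySets(devices, attrs);
  return devices.filter((d) => sets.get(fingerprint(d, attrs)) === 1).length / devices.length;
}

// Shannon entropy in bits: how much identifying information the attributes carry.
function entropyBits(devices, attrs = ATTRS) {
  let bits = 0;
  for (const n of anonymitySets(devices, attrs).values()) {
    const p = n / devices.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

const row = (language, screen, timezone, browser) => ({ language, screen, timezone, browser });
const SAMPLE = [
  row("nl-BE", "1920x1080", "Europe/Brussels", "Chrome 120"),
  row("nl-BE", "1920x1080", "Europe/Brussels", "Chrome 120"),
  row("nl-BE", "1920x1080", "Europe/Brussels", "Firefox 121"),
  row("nl-BE", "2560x1440", "Europe/Brussels", "Chrome 120"),
  row("fr-BE", "1920x1080", "Europe/Brussels", "Chrome 120"),
  row("en-US", "1920x1080", "America/New_York", "Chrome 120"),
  row("en-US", "1440x900", "America/New_York", "Safari 17"),
  row("en-US", "1920x1080", "America/New_York", "Chrome 120"),
];

console.log("language only:", uniqueShare(SAMPLE, ["language"]));
console.log("language + screen:", uniqueShare(SAMPLE, ["language", "screen"]));
console.log("all attributes:", uniqueShare(SAMPLE), entropyBits(SAMPLE).toFixed(2), "bits");
```

Each added attribute splits the sample into smaller groups; a device with common settings stays hidden in a larger group, and deleting cookies changes none of these values.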

In the films below, I explain what you can find out that way.

A browser is a sandbox

Sometimes, as a user yourself, you benefit from a Web page knowing your location. Consider, for example, websites that allow you to search for restaurants. 

A browser forms a kind of secure sandbox on your device. The browser not only takes care of converting the "response" from the server into a nice display on your computer screen. It reads the received HTML, CSS and JavaScript code (those are the three fundamental languages that make up Web pages) and neatly pieces it back together with the received media (pictures, sound, movie...), as the Web developer intended.

However, the browser also controls the behavior of the Web page itself. A Web page cannot do just anything on your device. For example, with the HTML/CSS/JS languages mentioned, a Web developer cannot access the user's hard drive. However, a Web page can write data into "cookies," which are small text files stored in a secure folder. It is also possible to store data in a kind of "small database" in the browser itself. But a Web page will not access your documents unless you choose to upload or post a file yourself via an "upload button."

The web page asks permission through the browser to use your microphone.

Nor can a Web page launch your camera or microphone or access your location information without your knowledge. If a Web site wants to request that information, the browser will make sure the user approves it first.

Of course, it is possible to download a virus via a website, but then that is not a security flaw in your browser but rather a case of "deception," in which the website, for example, "convinces" the visitor that something is wrong with their system. A website cannot, however, automatically download and install or run a file on your device on its own. If that were the case, no computer system would stay "active" for more than a few days.

A browser is not a free service...

Most browsers are free to install. However, this does not mean that the manufacturer does this out of humanity or can pass for a modern Robin Hood. Most browsers are developed by a large company that has other interests in having you, the Internet user, install their browser.

  • Chrome: Google
  • Safari: Apple
  • Edge: Microsoft
  • ...

Many Chrome users also have a Gmail/Google account. Often that account is active in the background in your browser. In this way, Google can see exactly which pages you visit, because you surf in "their" browser in which your Google account is also active. Moreover, in Chrome, Google is set as the default search engine.