A cookie is a small text file that a web server sends to your browser when you load a page. Your browser stores it locally and attaches it to every subsequent request back to the same server. That exchange - server sends a Set-Cookie header, browser returns the cookie in a Cookie header - is the entire mechanism. No executable code, no hidden payload, just a short string of data travelling back and forth over HTTP.
The concept dates back to 1994, when Netscape engineer Lou Montulli adapted an older computing idea called a "magic cookie" to solve a practical problem: HTTP is stateless. Without cookies, every page request looks identical to the server. It cannot tell whether you just logged in, which items sit in your cart, or whether you prefer English or German.
How Cookies Work Under the Hood
When you visit a website for the first time, the server's HTTP response includes one or more Set-Cookie headers. Each header contains a name-value pair and a set of attributes: Domain, Path, Expires or Max-Age, Secure, HttpOnly, and SameSite.
Your browser saves the cookie to a local store. Chrome keeps all cookies in a single SQLite database you can inspect through DevTools. On every future request to the same domain, the browser checks which cookies match the domain, path, and security flags - then sends the matching ones in the request header. The server reads them, recognises who you are, and responds accordingly.
A session cookie has no Expires or Max-Age attribute, so the browser discards it when the browsing session ends, which in practice means when you close the browser. A persistent cookie carries an explicit expiry date and survives browser restarts until that date passes or you manually clear it.
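To make those matching rules concrete, here is a minimal model of the browser-side store, added as an illustration (it is not code from the original page or from Kukie.io). It parses Set-Cookie headers with Python's standard http.cookies module and applies the domain, path, Secure and expiry checks described above, including the session-versus-persistent distinction. The hostnames, cookie names and values are constructed sample data, and the public-suffix check real browsers also apply to the Domain attribute is left out as a simplification.

```python
from dataclasses import dataclass
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str                  # lower-case host the cookie belongs to, no leading dot
    host_only: bool              # True when the Set-Cookie header carried no Domain attribute
    path: str
    secure: bool
    expires_at: Optional[float]  # None means a session cookie


def default_path(request_path: str) -> str:
    """RFC 6265 default-path: the request path up to, but not including, its last '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: exact match, or the cookie path is a prefix ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def domain_match(host: str, cookie_domain: str) -> bool:
    return host == cookie_domain or host.endswith("." + cookie_domain)


def store_set_cookie(jar: dict, response_url: str, header: str, now: float) -> None:
    """Parse one Set-Cookie header received from response_url and store it the way a browser would."""
    parts = urlsplit(response_url)
    host = parts.hostname.lower()
    parsed = SimpleCookie()
    parsed.load(header)                         # stdlib parser; attributes land on the Morsel
    for name, m in parsed.items():
        domain = m["domain"].lstrip(".").lower()
        host_only = domain == ""
        if host_only:
            domain = host
        elif not domain_match(host, domain):
            continue                            # Domain does not cover the responding host: rejected
        expires_at = None                       # no Expires/Max-Age -> session cookie
        if m["max-age"]:
            expires_at = now + int(m["max-age"])        # Max-Age wins when both are present
        elif m["expires"]:
            expires_at = parsedate_to_datetime(m["expires"]).timestamp()
        path = m["path"] or default_path(parts.path)
        # a cookie with the same name, domain and path replaces the old one
        jar[(name, domain, path)] = StoredCookie(name, m.value, domain, host_only, path,
                                                 bool(m["secure"]), expires_at)


def cookie_header(jar: dict, request_url: str, now: float) -> str:
    """Return the Cookie header value the browser attaches to request_url, evicting expired cookies."""
    parts = urlsplit(request_url)
    host = parts.hostname.lower()
    path = parts.path or "/"
    sent = []
    for key in list(jar):
        c = jar[key]
        if c.expires_at is not None and c.expires_at <= now:
            del jar[key]                        # expired: remove from the store
            continue
        if c.host_only and host != c.domain:
            continue
        if not c.host_only and not domain_match(host, c.domain):
            continue
        if not path_match(path, c.path):
            continue
        if c.secure and parts.scheme != "https":
            continue                            # Secure cookies never travel over plain HTTP
        sent.append(c)
    sent.sort(key=lambda c: -len(c.path))       # browsers send more specific paths first
    return "; ".join(f"{c.name}={c.value}" for c in sent)


def close_browser(jar: dict) -> None:
    """Session cookies (no expiry) are discarded when the browser closes."""
    for key in [k for k, c in jar.items() if c.expires_at is None]:
        del jar[key]


def demo() -> dict:
    """Constructed walkthrough: several Set-Cookie headers from one site, then a series of requests."""
    jar, t0, site = {}, 1_700_000_000.0, "https://shop.example.com"
    store_set_cookie(jar, site + "/login", "PHPSESSID=k9x2; Path=/; HttpOnly", t0)
    store_set_cookie(jar, site + "/", "lang=de; Path=/; Max-Age=2592000", t0)                # 30 days
    store_set_cookie(jar, site + "/", "_ga=GA1.1.123; Domain=example.com; Max-Age=63072000", t0)
    store_set_cookie(jar, site + "/", "_gid=GA1.1.456; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT", t0)
    store_set_cookie(jar, site + "/", "pref=dark; Secure; Path=/; Max-Age=31536000", t0)
    store_set_cookie(jar, site + "/cart", "cart=3; Path=/cart", t0)
    store_set_cookie(jar, site + "/", "other=1; Domain=other.example.com", t0)            # rejected
    out = {"https_account": cookie_header(jar, site + "/account/settings", t0),
           "http_root": cookie_header(jar, "http://shop.example.com/", t0),
           "https_checkout": cookie_header(jar, site + "/cart/checkout", t0),
           "other_host": cookie_header(jar, "https://blog.example.com/", t0)}
    close_browser(jar)
    out["after_restart"] = cookie_header(jar, site + "/", t0 + 3600)
    out["after_31_days"] = cookie_header(jar, site + "/", t0 + 31 * 86400)
    return out


if __name__ == "__main__":
    for label, header in demo().items():
        print(f"{label:15} Cookie: {header}")
```

Running the walkthrough shows the session cookie and the cart cookie vanish after the simulated restart, the 30-day language cookie is evicted on the 31st day, and the Secure preference cookie is withheld from the plain-HTTP request while the Domain=example.com analytics cookie is the only one that reaches a sibling host.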
Why Websites Rely on Cookies
Cookies solve three broad problems that every website faces.
Authentication and sessions. When you log in, the server creates a session and sends a session ID as a cookie (often called PHPSESSID or JSESSIONID). Without that cookie, you would need to re-enter your password on every single page.
Personalisation. Language selectors, dark-mode toggles, currency preferences - all stored in functional cookies. They make the site feel like it remembers you.
Measurement and advertising. Analytics cookies such as _ga and _gid track page views, bounce rates, and traffic sources. Marketing cookies like Meta's _fbp or Google's _gcl_au follow you across sites to build an advertising profile. This is where most of the privacy debate centres.
The Main Types of Cookies
Cookies can be classified along two axes: who sets them and how long they last. The table below maps the most common types of internet cookies.
| Classification | Type | Example | Typical purpose |
|---|---|---|---|
| By origin | First-party | _ga set by your domain | Analytics, preferences, sessions |
| By origin | Third-party | _fbp set by facebook.com | Cross-site tracking, retargeting |
| By lifespan | Session | PHPSESSID | Login state during a single visit |
| By lifespan | Persistent | pll_language | Remembers language across visits |
| By purpose | Strictly necessary | __stripe_mid | Payment processing, authentication |
| By purpose | Functional | wp-settings-1 | User interface preferences |
| By purpose | Analytics | _gid | Counts visitors, measures engagement |
| By purpose | Marketing | _gcl_au | Ad conversion tracking, retargeting |
A typical e-commerce store might use five to ten first-party cookies for sessions and preferences, plus another ten to thirty third-party cookies from embedded analytics, advertising, and social media widgets.
First-Party vs Third-Party Cookies
The distinction matters because it determines both the privacy impact and the legal treatment. A first-party cookie is set by the domain in your address bar and can only be read by that domain. A third-party cookie is set by a different domain - an ad server, a social plugin, an embedded video player - and can track your activity across every site that loads resources from that domain.
Third-party cookies make it possible for an ad for running shoes to follow you from a sports blog to a news site to a recipe page. That cross-site tracking ability is why browsers have been restricting them. Safari blocks all third-party cookies by default through Intelligent Tracking Prevention (ITP). Firefox isolates them using Total Cookie Protection, giving each top-level site its own separate "cookie jar." Chrome reversed its plan to deprecate third-party cookies in July 2024 and, as of April 2025, confirmed it will not introduce a user-choice prompt either - they remain enabled by default.
How Browsers Handle Cookies Differently
Not all browsers treat cookies the same way, and the differences have real consequences for website owners running analytics or advertising.
Safari is the most aggressive. ITP blocks all third-party cookies outright and caps cookie lifetimes for JavaScript-set first-party cookies at seven days. If Safari detects that a server-set cookie comes from an IP address that does not match the site's own infrastructure, it caps that cookie at seven days too. If a user does not return within 30 days, Safari purges all stored data for the domain.
Firefox uses Enhanced Tracking Protection (ETP) to block cookies from known tracking domains in its default "Standard" mode. "Strict" mode blocks all third-party cookies. Total Cookie Protection partitions any remaining third-party cookies so they cannot be shared across sites.
Chrome still permits third-party cookies by default. Google had planned to phase them out starting in 2020, but after repeated delays and opposition from advertisers and the UK Competition and Markets Authority, the company abandoned the plan. Chrome's Privacy Sandbox APIs remain in development as alternative tracking methods, but adoption has been slow.
What the Law Says About Cookies
The legal framework for cookies in the EU rests on the ePrivacy Directive (2002/58/EC) and the GDPR. Article 5(3) of the ePrivacy Directive requires informed consent before any information is stored on or read from a user's device - unless the cookie is strictly necessary for a service the user explicitly requested. The GDPR defines valid consent: freely given, specific, informed, and unambiguous, through a clear affirmative action.
A cookie banner must appear before non-essential cookies fire. It must explain what each cookie category does and offer a genuine choice. Pre-ticked boxes do not count. The French CNIL fined Google EUR 325 million in September 2025 for placing advertising cookies during account creation without valid consent and using dark-pattern designs that steered users toward acceptance. The same month, CNIL fined SHEIN EUR 150 million for dropping cookies before consent was given.
Outside Europe, rules differ. The CCPA/CPRA in California follows an opt-out model: businesses can set cookies by default but must honour "Do Not Sell or Share" requests. Brazil's LGPD requires consent for non-essential cookies, though it recognises legitimate interest in certain situations. Canada's PIPEDA requires meaningful consent for the collection of personal information, including data gathered through cookies.
Cookie Attributes That Affect Security
Every cookie carries flags that control how browsers handle it. The Secure flag ensures the cookie is only sent over HTTPS. HttpOnly prevents JavaScript from reading the cookie, protecting session tokens from cross-site scripting attacks. The SameSite attribute controls whether the cookie is attached to cross-site requests (a site here is the registrable domain, so this is broader than same-origin): Strict never sends it on a cross-site request, Lax (Chrome's default when the attribute is absent) sends it only on top-level navigations such as following a link, and None sends it in all contexts but is only accepted together with the Secure flag.
A well-configured session cookie looks like this:
Set-Cookie: session_id=abc123; Secure; HttpOnly; SameSite=Lax; Path=/; Max-Age=86400
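The checks a reviewer applies to a Set-Cookie line can be automated. The following auditor is an added example, not code from the page or from Kukie.io: it parses each header with Python's http.cookies module and reports the Secure, HttpOnly and SameSite problems described above. The list of name fragments used to guess which cookies carry session tokens, and the sample headers (the first of which is the article's own well-configured line), are assumptions.

```python
from http.cookies import SimpleCookie

# Assumption: name fragments that usually indicate an authentication or session token.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def looks_like_session(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_set_cookie(header: str) -> list:
    """Return human-readable findings for one Set-Cookie header; an empty list means it passes."""
    parsed = SimpleCookie()
    parsed.load(header)
    if not parsed:
        return ["could not parse Set-Cookie header"]
    findings = []
    for name, m in parsed.items():
        secure = bool(m["secure"])            # '' when the flag is absent, True when present
        samesite = m["samesite"].lower()      # '' when the attribute is absent
        if not secure:
            findings.append(f"{name}: no Secure flag, so it is also sent over plain HTTP")
        if looks_like_session(name) and not m["httponly"]:
            findings.append(f"{name}: session token without HttpOnly, readable by injected JavaScript")
        if samesite == "none" and not secure:
            findings.append(f"{name}: SameSite=None without Secure; browsers reject this cookie")
        elif samesite == "":
            findings.append(f"{name}: no SameSite attribute; Chrome falls back to Lax, set it explicitly")
        elif samesite not in ("strict", "lax", "none"):
            findings.append(f"{name}: unknown SameSite value {m['samesite']!r}")
    return findings


SAMPLE_HEADERS = [  # constructed; the first is the article's well-configured example
    "session_id=abc123; Secure; HttpOnly; SameSite=Lax; Path=/; Max-Age=86400",
    "PHPSESSID=k9x2; Path=/",
    "_fbp=fb.1.1; Domain=.facebook.com; SameSite=None",
    "theme=dark; Secure; SameSite=Strict; Max-Age=31536000",
]


def audit_all(headers=SAMPLE_HEADERS) -> dict:
    """Map each header to its findings so a report can be built from the result."""
    return {h: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for header, findings in audit_all().items():
        print(header)
        for line in findings or ["OK"]:
            print("   ", line)
```

The bare PHPSESSID line collects three findings (no Secure, no HttpOnly on a session token, no SameSite), and the SameSite=None header without Secure is reported as a cookie browsers will drop rather than as a mere weakness, since that is the behaviour a site owner actually sees in production.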
How to Check Which Cookies a Website Sets
Open Chrome DevTools (F12), navigate to the Application tab, and expand the Cookies section. You will see every cookie listed by domain with its name, value, expiry, size, and flags. Firefox has an equivalent panel under Storage Inspector.
For a broader audit, a cookie scanner crawls your entire site and catalogues every cookie, including those set by embedded third-party scripts. This is the recommended starting point if you are building a cookie policy or configuring a consent management platform.
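As an added example of what such a catalogue looks like (this is not Kukie.io's scanner or any code from the page), the following classifies cookies captured during a crawl by origin, lifespan and purpose, and flags those that fired before consent was given. The crawl records, the name-to-category rules (taken from the cookie names in the table above) and the registrable-domain shortcut (last two labels; a real scanner uses the Public Suffix List) are all constructed assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed name-to-category rules based on the cookie names in the article's table.
# Assumption: a real scanner matches against a much larger database of known cookies.
CATEGORY_RULES = [
    (("PHPSESSID", "JSESSIONID", "__stripe_mid"), "strictly necessary"),
    (("pll_language", "wp-settings-"), "functional"),
    (("_ga", "_gid"), "analytics"),
    (("_fbp", "_gcl_au"), "marketing"),
]


def categorise(name: str) -> str:
    for prefixes, category in CATEGORY_RULES:
        if any(name.startswith(p) for p in prefixes):
            return category
    return "unclassified"


def registrable_domain(host: str) -> str:
    """Assumption: the last two labels. Real scanners consult the Public Suffix List (think co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def catalogue(site_url: str, crawl: list) -> list:
    """Turn captured {url, set_cookie, before_consent} records into a cookie inventory."""
    site_domain = registrable_domain(urlsplit(site_url).hostname)
    rows = []
    for record in crawl:
        response_host = urlsplit(record["url"]).hostname.lower()
        parsed = SimpleCookie()
        parsed.load(record["set_cookie"])
        for name, m in parsed.items():
            # effective domain: the Domain attribute if given, else the host that sent the header
            domain = m["domain"].lstrip(".").lower() or response_host
            party = "first-party" if registrable_domain(domain) == site_domain else "third-party"
            lifespan = "persistent" if (m["max-age"] or m["expires"]) else "session"
            category = categorise(name)
            consent_required = category != "strictly necessary"
            rows.append({
                "name": name, "domain": domain, "set_by": response_host, "party": party,
                "lifespan": lifespan, "category": category,
                "consent_required": consent_required,
                "fired_before_consent": record["before_consent"],
                "violation": consent_required and record["before_consent"],
            })
    return rows


# Constructed capture of one page load of the shop: five headers seen before the visitor
# clicked "accept" in the banner and one seen afterwards.
SAMPLE_CRAWL = [
    {"url": "https://shop.example.com/", "set_cookie": "PHPSESSID=k9x2; Path=/; Secure; HttpOnly", "before_consent": True},
    {"url": "https://shop.example.com/", "set_cookie": "pll_language=de; Max-Age=31536000", "before_consent": True},
    {"url": "https://shop.example.com/", "set_cookie": "_ga=GA1.1.123; Domain=example.com; Max-Age=63072000", "before_consent": True},
    {"url": "https://www.facebook.com/tr", "set_cookie": "_fbp=fb.1.1; Domain=.facebook.com; Max-Age=7776000; Secure; SameSite=None", "before_consent": True},
    {"url": "https://m.stripe.com/6", "set_cookie": "__stripe_mid=c0ffee; Domain=m.stripe.com; Max-Age=31536000", "before_consent": True},
    {"url": "https://shop.example.com/", "set_cookie": "_gid=GA1.1.456; Max-Age=86400", "before_consent": False},
]


def violations(site_url: str = "https://shop.example.com/", crawl: list = SAMPLE_CRAWL) -> list:
    """Names of cookies that need consent but were set before the visitor made a choice."""
    return [row["name"] for row in catalogue(site_url, crawl) if row["violation"]]


if __name__ == "__main__":
    for row in catalogue("https://shop.example.com/", SAMPLE_CRAWL):
        flag = "VIOLATION" if row["violation"] else "ok"
        print(f"{row['name']:14} {row['party']:12} {row['lifespan']:10} {row['category']:19} {flag}")
```

On the sample capture the language, _ga and _fbp cookies are reported as firing before consent, the session and Stripe cookies pass as strictly necessary, and _gid passes only because it was observed after the accept click. Note that the _ga cookie is classed first-party even though its Domain attribute is the bare example.com, because that still resolves to the site's own registrable domain.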
Frequently Asked Questions
Are cookies dangerous or harmful to my computer?
Cookies are plain text files, not programs. They cannot install malware, access your hard drive, or run code. The privacy risk comes from how third parties use cookie data to build profiles of your browsing behaviour - not from the files themselves.
What happens if I block all cookies in my browser?
Blocking every cookie will break most login systems, empty your shopping cart on each page load, and reset your language or theme preferences every visit. A more practical approach is to block third-party cookies while allowing first-party ones.
Do all cookies require consent under the GDPR?
No. Strictly necessary cookies - those required for a service the user explicitly requested, such as session cookies for a login or a shopping cart - are exempt from the consent requirement under Article 5(3) of the ePrivacy Directive. All other cookies, including analytics and marketing cookies, need informed, prior consent.
How long do cookies stay on my device?
Session cookies are deleted the moment you close your browser. Persistent cookies last until their set expiry date, which can range from minutes to years. Safari's Intelligent Tracking Prevention caps JavaScript-set cookies at seven days, regardless of the expiry value the site intended.
What is the difference between first-party and third-party cookies?
A first-party cookie is set by the domain you are visiting. A third-party cookie is set by a different domain, typically an ad network or analytics provider embedded on the page. Safari and Firefox block third-party cookies by default; Chrome still allows them as of 2026.
Can I see which cookies a website has set in my browser?
Yes. In Chrome, open DevTools (F12), go to the Application tab, and click Cookies in the left panel. Firefox and Safari have similar panels. You will see each cookie's name, value, domain, expiry, and flags such as Secure and HttpOnly.
Take Control of Your Cookie Compliance
If you run a website and are not sure which cookies it sets - or whether they fire before consent - start with a free scan. Kukie.io detects first-party and third-party cookies, categorises them automatically, and helps you build a compliant consent banner that blocks non-essential tracking until visitors make a choice.