what are cookies?
2025/08/21 — note
Every time you visit a website you get asked about cookies. Most people just click “accept all” to get rid of the banner. But what really happens when you do that?
Cookies are small text files that a website stores inside your browser. They help to identify you and to save information about your current session.
There are different kinds of cookies:
- Session Cookies: They are only valid for your current session, when you close the browser the cookie will be deleted.
- Persistent Cookies: Stay on your device until they expire or are manually deleted.
- First Party Cookies: They come from the website you are currently on.
- Third Party Cookies (often the bad ones): They are used by external services, for example ad networks or tracking tools.
What are cookies mostly used for?
To stay logged in when you visit a page, usually when you check the "remember me" box. They are used to save products in your shopping cart. For personalisation like your language, design (dark or light mode) and other settings. And they (third party cookies) are also used for tracking your behaviour and showing you ads based on your browsing history.
Why third party cookies are risky
Third party cookies might be a risk for your privacy because they do not just stay on the website you visit. If you search for a product and read some reviews, those sites might include a cookie from an ad network. Later that same cookie appears again when you visit YouTube or a news page, and suddenly you see ads for the exact product you looked up.
The anatomy of a cookie
A cookie is just a small text file with key value pairs and some extra settings. It usually looks like this:
```
Set-Cookie: session_id=8f3d2a1c9b; Path=/; Secure; HttpOnly; SameSite=Lax
```
- Name / Value: Here `session_id=8f3d2a1c9b`. This is just a random ID that the server uses to recognize you.
- Path: Defines for which part of the site the cookie is valid.
- Secure: Only sent over HTTPS.
- HttpOnly: Cannot be read by JavaScript, only the server can use it.
- SameSite: Controls if the cookie is sent with cross site requests.
Cookies are usually very small, max 4KB. They do not store your password or personal data directly, only references like IDs that the server connects with your account.
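To check these attributes on a real header, here is a small parser and audit as an added example (not code from the original article). The function names `parseSetCookie` and `auditCookie`, the findings wording and the second sample header are made up for illustration.

```javascript
// Added example: parse one Set-Cookie header and list hardening gaps.
function parseSetCookie(header) {
  const line = header.replace(/^set-cookie:\s*/i, "");
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error("expected name=value before the first ';'");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    // Attribute names are case-insensitive; flags like Secure carry no value.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

function auditCookie(header) {
  const { name, value, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.secure) findings.push("no Secure: can travel over plain HTTP");
  if (!attrs.httponly) findings.push("no HttpOnly: page JavaScript can read it");
  const sameSite = String(attrs.samesite || "").toLowerCase();
  if (!sameSite) findings.push("no SameSite: cross-site sending left to the browser default");
  else if (!["strict", "lax", "none"].includes(sameSite)) findings.push("unrecognised SameSite value");
  else if (sameSite === "none" && !attrs.secure) findings.push("SameSite=None requires Secure");
  // The 4KB limit mentioned above, measured in bytes rather than characters.
  if (new TextEncoder().encode(name + "=" + value).length > 4096) findings.push("name+value exceed 4096 bytes");
  // No Expires/Max-Age means a session cookie; otherwise it is persistent.
  const persistent = "expires" in attrs || "max-age" in attrs;
  return { name, persistent, findings };
}

// The header from the text, then a constructed tracking-style cookie.
const good = auditCookie("Set-Cookie: session_id=8f3d2a1c9b; Path=/; Secure; HttpOnly; SameSite=Lax");
const weak = auditCookie("Set-Cookie: track_id=abc123; Max-Age=31536000; SameSite=None");
console.log(good, weak);
```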
For normal cookies this ID just points to your account on the site you visit, for example keeping you logged in. But with third party cookies the ID is stored on the domain of an ad network. If many websites include scripts or ads from the same network, your browser sends the same ID every single time.
That means the ad network has a central database where your ID is linked to everything you did while that cookie was active. For example:
user_id | websites visited | behaviour logged | extra data |
---|---|---|---|
7d92e6f4 | shop.com, news.com, youtube.com | searched for sneakers, scrolled fast, clicked ads | IP: Berlin, Windows 11, Chrome |
The cookie itself only stores the ID, but on the server side that ID is connected to all your actions, your device info, your IP and even your fingerprint. Over time this becomes a very detailed profile about you.
That is why third party cookies are so nasty. They are not dangerous because of what they store in your browser, but because they allow external companies to collect everything you do across the internet under one single ID.
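To see the "one single ID" effect in your own traffic, the added example below (not from the original article) scans a request log for third-party cookie values that show up under more than one visited site. The log entries, hostnames and the `findCrossSiteIds` helper are constructed for illustration, and "site" is approximated by the last two host labels.

```javascript
// Added example: spot identifiers that follow a browser across unrelated sites.
// Naive "site" = last two host labels; real browsers use the Public Suffix List.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

function findCrossSiteIds(requests) {
  const seen = new Map(); // "cookieSite|name=value" -> Set of visited sites
  for (const r of requests) {
    const pageSite = siteOf(new URL(r.page).hostname);
    const reqSite = siteOf(new URL(r.request).hostname);
    if (pageSite === reqSite) continue; // first-party request, not our concern
    for (const [name, value] of Object.entries(r.cookies)) {
      const key = `${reqSite}|${name}=${value}`;
      if (!seen.has(key)) seen.set(key, new Set());
      seen.get(key).add(pageSite);
    }
  }
  // An ID is a cross-site tracker candidate once two different sites sent it.
  return [...seen]
    .filter(([, pages]) => pages.size > 1)
    .map(([id, pages]) => ({ id, seenOn: [...pages].sort() }));
}

// Constructed log: page visited, sub-resource requested, cookies the browser sent.
const requestLog = [
  { page: "https://shop.example/sneakers", request: "https://cdn.shop.example/app.js",
    cookies: { session_id: "8f3d2a1c9b" } },
  { page: "https://shop.example/sneakers", request: "https://px.adnet.example/p.gif",
    cookies: { uid: "7d92e6f4" } },
  { page: "https://news.example/today", request: "https://px.adnet.example/p.gif",
    cookies: { uid: "7d92e6f4" } },
  { page: "https://news.example/today", request: "https://widget.chat.example/w.js",
    cookies: { cid: "x1y2z3" } },
];
const crossSiteIds = findCrossSiteIds(requestLog);
console.log(JSON.stringify(crossSiteIds));
```

A log in this shape can be built from a HAR export of your browser's network tab.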
And since third party cookies are usually integrated in websites together with JavaScript trackers they can do more than just store a small ID. The scripts around them collect details about your behaviour like what you search for, how you scroll, where you move your mouse or what you click on. They also log your IP which can reveal your location and your unique browser fingerprint. This way they can track you even without knowing your name or login credentials.
Real world examples of this are Google Analytics (cookies like "_ga" or "_gid") or the Facebook Pixel (cookies like "_fbp" or "fr"). That is why you often see ads on Instagram or YouTube for something you just looked up on a completely different site.
Even if you delete Cookies, they can still track you
Cookie Syncing
Cookie syncing is a technique where multiple ad networks work together to sync the data they have on you. For example: Ad Network A might know you under the ID user123 and Ad Network B might know you under the ID xyz123. Because of the data they store, they can easily identify you and merge what they each have on you into a more complete profile of your identity.
Zombie Cookies
Zombie cookies, also known as "respawn cookies", are cookies that are automatically recreated after you manually delete them. Back when Adobe's Flash Player was still around (support officially ended in 2021, so this is no longer an issue), websites used to store cookie data in LSOs, the "Flash Local Shared Objects", so when you deleted the cookie manually they would recreate it from the LSO when you revisited the site.
Today they use HTML5 storage, that is LocalStorage or IndexedDB, both of which are local databases in your browser. Websites often save cookies and duplicate them in LocalStorage or IndexedDB. So even if you delete one, it comes back.
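To check whether a site keeps a backup copy of a cookie ID, the added example below (not from the original article) looks for cookie values that also appear inside storage entries. `findMirroredIds`, `fakeStorage` and the sample data are made up for illustration; in a browser console you would pass `document.cookie` and `localStorage` instead.

```javascript
// Added example: find cookie values that are mirrored in browser storage.
// `storage` is anything with length / key(i) / getItem(k), like window.localStorage.
function parseCookieString(cookieString) {
  const jar = new Map();
  for (const raw of cookieString.split(";")) {
    const part = raw.trim();
    const eq = part.indexOf("=");
    if (eq < 1) continue; // skip empty or nameless entries
    jar.set(part.slice(0, eq), part.slice(eq + 1));
  }
  return jar;
}

function findMirroredIds(cookieString, storage, minLength = 8) {
  const hits = [];
  const jar = parseCookieString(cookieString);
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const stored = String(storage.getItem(key));
    for (const [name, value] of jar) {
      // Short values ("en", "dark") match by coincidence, so ignore them.
      if (value.length >= minLength && stored.includes(value)) {
        hits.push({ cookie: name, storageKey: key });
      }
    }
  }
  return hits;
}

// Constructed stand-in for localStorage so the example runs outside a browser.
function fakeStorage(obj) {
  const keys = Object.keys(obj);
  return { length: keys.length, key: (i) => keys[i], getItem: (k) => obj[k] };
}

const sampleCookies = "lang=en; uid=7d92e6f4a1b2c3d4; theme=dark";
const sampleStorage = fakeStorage({
  theme: "dark",
  _backup: JSON.stringify({ uid: "7d92e6f4a1b2c3d4", ts: 1724200000 }),
});
const mirrored = findMirroredIds(sampleCookies, sampleStorage);
console.log(mirrored);
```

Cookies marked HttpOnly do not appear in `document.cookie`, so this check only covers cookies that page scripts can read.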
Fingerprinting
And then we also have fingerprinting. You delete your cookies manually, delete the LocalStorage and also IndexedDB, but there is still fingerprinting, which might be the most annoying thing. It's a unique identifier that every website can track. It combines your browser, operating system, installed fonts, language pack, device and even your window size, which all together create a really unique fingerprint of your device. So when you delete the cookie, they just check whether an entry in their database matches your fingerprint and set the cookie again.
Read more about fingerprinting in my article: browser fingerprinting privacy concern
Check out my website prismprivacy.com to check what your browser reveals about you and what every website can see.
Dark patterns and cookie banners
Luckily we have the GDPR in Europe which makes sure you first have to consent to third party cookies. But most website owners use "dark patterns". That means they make it not very user friendly to decline cookies. They might have a big button for "accept all cookies" but only a small one for "manage cookies". And there you usually have to check off hundreds of ad networks or other tracking services before you can save your preference, which is really annoying. Making it harder to just click a simple "decline cookies" button is called a dark pattern.
How can you defend yourself from getting tracked?
Regularly delete your cookies in your browser. Use privacy focused browsers like Firefox or Brave. Always decline third party cookies, yes, even if it is annoying. To be honest, I sometimes just use a different website if they use dark patterns because I can't be bothered.
Takeaway
Cookies are convenient for your everyday life but convenience does not always mean good. You might trade your privacy for comfort, get tracked and then bombarded by ads.