How Exactly Does a Cookie Work?

You’ve probably seen a ton of websites lately showing you popups about how they use your cookies, and your data. But what exactly is a cookie? And how does it work?

Cookies are a very clever concept, really. At the most basic level, you can think of cookies like pieces of information that are created by a website and stored by your browser, on your behalf.

For example, if you visit medium.com, Medium could choose to store some arbitrary information on your browser that it would like to receive the next time you visit their site. Technically, this can just be any text, really. There are no limitations on what can go inside a cookie. The key thing to remember, though, is that this data is sent to the website with every request you make.

Let’s start with one of the simplest, but most common use cases for a cookie — authentication. Chances are that you log in to at least half a dozen websites every day. Or you visit websites where you’ve already signed in once, and the browser just seems to “remember” that you’re logged in. It would probably be annoying if you’d had to enter your credentials every time you visit the website and certainly very annoying if you had to do so every time you navigated to a new page.

When you visit the website for the very first time, you’re likely prompted for your credentials. You happily enter your username and password. Your browser then sends your credentials to a server, which in turn verifies whether or not they’re valid. If they are, congratulations. You can now access your account. But in addition, the server also sends back an additional piece of data. This piece of data is unique to you and is what the website uses to identify you for all future requests.

Think of this as checking into a hotel. The first time you check into the hotel, you’re asked to provide some form of ID. This is so that the hotel can verify that you’re, in fact, you. But once your identity is verified, you’re given your key tag. You can use this key tag to enter your room, move around in the hotel or order room service. Your identity doesn’t need to be verified since you already have the key tag. It would be a shame if you had to whip out your driver’s license every time you wanted to access the laundry.

Of course, authentication is not the only reason websites use cookies. Another common reason to use them is to store your preferences.

When you visit a website that offers content in multiple languages, you select your preferred language. The website could decide to store your preference in a cookie so that the next time you visit the page, it already knows what your preferred language is.

This is why clearing cookies on your browser can sometimes cause websites to “reset”. Since they’re designed to not store any long term data anyway, clearing them doesn’t usually cause any lasting harm. Cookies are also only accessible to the website that set them. Medium can’t access the cookies set by LinkedIn, and vice versa. This security is guaranteed by your browser. This stops websites from snooping around for your data and accessing your cookies on other websites.

Because of their simplicity, cookies also play an important role in advertising. Just as cookies can be used to identify your preferences and authentication sessions, they can also be used to identify your browsing activities. And although websites can’t technically access others’ cookies, there are some workarounds that can be used instead.

The one downside to cookies is that they get sent to the web server with every request you make, whether or not the server actually needs them. This is great in some circumstances, but other times it might actually just bloat web requests unnecessarily.

Modern browsers offer something called a “local storage” which allows websites to store information directly on your computer instead and access it locally whenever needed. Websites today usually some combination of both local storage and cookies to create the experiences you see!

Regardless, cookies are a simple but powerful building block of how the internet works today. Next time you see a website with an updated cookie policy, you know what you’re signing up for.