Cookies, Sessions, and Tracking
You have almost certainly clicked a banner that says "This site uses cookies." It sounds technical and slightly ominous, but the thing behind it is small and simple. A cookie is a little note a website asks your browser to hold on to, and then show back the next time you visit.
Here is the catch that makes cookies both essential and controversial: the exact same mechanism that keeps Olivia logged in to her email also lets companies follow her from site to site. One tool, two faces. This page separates the necessary face from the worrying one.
What Is a Cookie?
The web has a quirk: a website forgets you the instant a page finishes loading. Each click is treated as a fresh request from a stranger. So if a site wants to remember anything about you between one click and the next, it needs to hand you something to carry.
That something is a cookie — a small piece of data the site stores in your browser and receives back on each visit. The site says "hold this," your browser tucks it away, and every time you go back, the browser shows it again. That is the whole mechanism.
A cookie is just stored text. It cannot think, run, or act on its own. It is closer to a sticky note than to a program — and that distinction matters, as we'll see in a moment.
The Necessary Use: Sessions
Back in Chapter 2 we met the idea of a login token — the wristband a site gives you after you prove who you are, so you don't have to re-enter your password on every page. That token has to live somewhere in your browser, and the usual place it lives is a cookie.
A cookie used this way is called a session cookie: it holds the proof that you are currently logged in. When Olivia signs in to her email and then clicks through twenty messages without typing her password again, a session cookie is doing that work quietly in the background.
Think of it like a coat-check ticket. You hand over your coat, you get a small ticket, and you show that ticket to reclaim your own coat later. The session cookie is that ticket: it lets the site recognize you as the person who already logged in. Without it, you'd be sent back to the login screen on every single click.
The Tracking Use
Now the other face. Because a cookie is just a note that gets shown back, it can also be used to remember not who you are but where you've been.
The key idea is the third-party cookie — a cookie set not by the site you're looking at, but by another company whose content is embedded in that site, like an ad or a "share" button. The same company's content sits on thousands of sites. So its cookie gets shown back on each one, and it can stitch together a picture of the pages you visit across the whole web.
That picture is a profile, usually built to target advertising. Going back to the coat-check ticket: it's handy for reclaiming your own coat, but imagine the same ticket system quietly noted every shop, café, and building you entered all day. That is the tracking use — the same ticket, turned into a log of your movements.
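The stitching described above, shown as an added sketch that is not part of the original lesson: a toy browser keeps one cookie per domain and shows it back only to that domain, yet the embedded company still ends up with a list of the sites visited. All domain names (`mail.example`, `ads.example`, and so on) and class names are made up for the illustration.

```javascript
// Toy model of a browser cookie jar. Every site and name here is constructed.
let nextId = 1;

class Server {
  constructor(domain) { this.domain = domain; this.seen = new Map(); } // id -> pages
  // Receives the cookie the browser shows (if any) and the page being viewed.
  handle(cookie, pageSite) {
    const id = cookie || `${this.domain}-visitor-${nextId++}`; // new note if none shown
    if (!this.seen.has(id)) this.seen.set(id, []);
    this.seen.get(id).push(pageSite);          // everything this server can learn
    return cookie ? null : id;                 // "hold this" only on first contact
  }
}

class Browser {
  constructor() { this.jar = new Map(); }      // domain -> the note it asked us to hold
  // One request: show the domain its own cookie, store a new one if it sets one.
  request(server, pageSite) {
    const cookie = this.jar.get(server.domain);
    const setCookie = server.handle(cookie, pageSite);
    if (setCookie) this.jar.set(server.domain, setCookie);
  }
  // Loading a page contacts the site itself plus every company embedded in it.
  visit(site, embedded = []) {
    this.request(site, site.domain);                                 // first party
    for (const third of embedded) this.request(third, site.domain);  // third party
  }
}

function simulate() {
  const mail = new Server('mail.example');
  const news = new Server('news.example');
  const shop = new Server('shop.example');
  const ads = new Server('ads.example');       // embedded on both news and shop
  const olivia = new Browser();

  olivia.visit(mail);                          // session use: mail hands out a note
  olivia.visit(news, [ads]);
  olivia.visit(shop, [ads]);
  olivia.visit(mail);                          // same note shown back, recognized

  const pagesPerVisitor = (s) => [...s.seen.values()];
  return { mail: pagesPerVisitor(mail), news: pagesPerVisitor(news),
           ads: pagesPerVisitor(ads), jarSize: olivia.jar.size };
}

console.log(simulate());
```

The mail and news servers each learn only about visits to themselves, while the embedded `ads.example` server sees one visitor on both the news and shop sites.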
Security or Privacy?
Cookies sit on the line between two worries that are related but not the same, so it's worth naming which is which.
A stolen session cookie is a security problem. If an attacker copies the cookie that proves Olivia is logged in, they can show that same proof and the site will treat them as Olivia — no password needed. Someone is acting as you.
A tracking cookie is mainly a privacy problem. Nobody is logging in as you; instead, your behavior is being watched and recorded across sites. The harm is being profiled, not being impersonated. Both are real, and keeping them apart will make later topics about identity and privacy much clearer.
- "Cookies are a kind of virus." A cookie is passive stored data, not a program. It can't run, act on its own, or infect anything — it only sits there until the site asks for it back.
- "All cookies are tracking me." Many cookies are essential session cookies that simply keep you logged in. Tracking is a specific use, often done by third-party cookies, not what every cookie does.
- "Deleting cookies makes me anonymous." Clearing cookies removes those stored notes and logs you out, but it isn't full anonymity. Sites have other ways to recognize returning visitors.
- "A stolen cookie and a tracking cookie are the same danger." A stolen session cookie is a security problem — someone logs in as you. A tracking cookie is a privacy problem — your browsing is profiled. Related, but distinct.
- Those "accept cookies" banners stop being mysterious once you know a cookie is just a small note a site stores in your browser and reads back later.
- The same mechanism does a necessary job (keeping you logged in) and a controversial one (following you across sites), so "cookie" isn't automatically good or bad.
- Separating a stolen-cookie security risk from a tracking privacy concern gives you two distinct worries to reason about, instead of one vague fear.
Knowledge Check
What is a cookie, at its core?
- A small piece of data a site stores in your browser and reads back later
- A program that runs on your computer and continuously scans your files for viruses and malware
- The encryption that protects a website connection
- Your account password, saved by the website
What job does a session cookie do?
- It keeps you logged in so you don't re-enter your password on every click
- It records every other website you visit during the day
- It encrypts the data traveling between you and the site
- It scans each page that loads and blocks malware or suspicious scripts before they can reach your browser
Why is it wrong to call a cookie "a kind of virus"?
- A cookie is passive stored data, not a program that can run or spread
- A cookie is similar to a virus but works more slowly and causes less immediate damage to your system
- A cookie actually protects your computer from viruses
- There's no real difference; the two words mean the same thing
An attacker copies the cookie that proves Olivia is logged in and uses it to act as her. Is this mainly a security or a privacy problem?
- A security problem, because someone can log in as her
- A privacy problem, because her browsing is being recorded
- Neither, because a stolen cookie can't do any harm
- Both equally, since security and privacy are the same thing