The Most Common Types Of Web Cookies

A few months ago we wrote a blog piece about the future of cookie based remarketing.  And we have been surprised by the response!  We have received numerous questions from clients and non-clients alike and most of these specifically relate to the types of cookies which websites collect.  So we thought we would write a quick overview of the most common types of website cookies.

Understanding what cookies you are collecting has become a vital part of website ownership and online marketing generally.  This is especially true after the EU passed The General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR).  These affect how you as a website owner may use cookies and track visitors to your website who reside within the EU.  The new rules came into force on 25 May 2018.

The key point to understand first is that cookies are not all equal!  They come in many shapes and sizes just like the edible ones that we see at our local supermarket.  And just like the cookies on sale in shops, some website cookies are worse for you than others.

As of 1 September 2019, there are over 11 million different types of cookies listed on Cookiepedia.  Whilst some are safe and do not pose any threat, others can be quite intrusive and even dangerous.  So here is Onvigil’s guide to the most common types of website cookie found online.

Session Cookies

The clue is in the name!  Session cookies have a lifespan which is only as long as each website session.  Over a quarter (28%) of all the cookies listed on the Cookiepedia database are session cookies.

They perform simple tasks like remembering the items you have looked at online or the items that you have placed in your online shopping basket.  Session cookies make our lives so much easier – imagine trying to remember all the items you want to buy at IKEA in one large transaction.  Session cookies help you remember which items you want to buy – they are like a website’s short term memory.  They do not collect any personal information and when you close down your browser the cookie is deleted automatically.

First-Party Cookies

First party cookies have many pseudonyms.  They are also commonly referred to as persistent cookies and stored cookies but these names are somewhat misleading because first-party cookies and third-party cookies are also classed as persistent cookies.  At the time of writing, 37% of the cookies listed on the Cookiepedia database are classed as 1st party cookies.

If session cookies provide a website’s short-term memory, first party cookies provide the long-term memory.  They help websites to remember information and your preferred settings when you visit the site again at a later date.

First party cookies have a much longer life span than session cookies and most will expire after one or two years, hence the moniker ‘persistent cookies’.  If you do not visit the website again within that time-frame your browser will automatically delete the cookie and all your preference information will be lost.

The main advantage of first party cookies is that they play a helpful role in user authentication.  Without first party cookies you would have to login every time you opened a new page on most web driven services.

Whilst first party cookies do a good job in improving the user experience, companies can use them to track your browsing habits over time.  And when you think that some cookies will live for two years, these cookies can be used to capture more information than you would imagine!

Third-Party Cookies

Third party (3rd Party) cookies are generally regarded as dangerous and they are the reason why such a fuss has been made over cookie misuse. They are called third party cookies because they do not relate to the website which uploads them in any way and they are specifically designed to track your online behaviour.  They can collect powerful amounts of data too including demographic information, browsing habits and also your spending ability.

On the Cookiepedia database, 62% of the 11+ million cookies that are listed are classed as 3rd party cookies.  Third party cookies have been used for both legitimate and also for more spurious purposes.  The major advertising networks are major advocates of third-party cookies as these enable them to significantly drive up their page-views and therefore sales revenues from advertisers.

Most remarketing and retargeting campaigns use some form of third-party cookie for behavioural advertising.  By adding tags to a page, advertisers can track a user or their device across different websites.  This helps build a profile of each user based on their interests so that adverts can be better tailored to their needs.

Webview Cookies

Many people also use mobile device ‘apps’ to shop or to browse content online.  However, when looking at mobile apps, the goal posts regarding cookies move again!  A mobile app uses technology called ‘webview’ to display online content.  Cookies are stored within a webview in a similar way to how they are stored in a browser environment.  However, there is one major difference.  Although Webview is similar to mobile browsers in that it is ‘unique per application’, it cannot share cookie information between apps or the device’s web browser(s).

Secure Cookies

As their name suggests, secure cookies can only be transmitted over encrypted connections such as https: (look for the padlock icon in your browser).  Non-secure cookies are transmitted in clear text and the contents can be intercepted by unauthorized third parties. Consequently, sensitive cookie data can sometimes be hijacked for unauthorised use.

A secure cookie will only transmit data when a secure connection is active.  However, even with a secure connection, developers should not use a cookie to store sensitive information because HTTPS only protects a cookie’s confidentiality.  A network attacker could overwrite secure cookies from an insecure connection.  This is especially true if a site has both an HTTP and HTTPS version.

HTTP Cookies

Secure cookies are often also HTTP-only cookies.  The two work in unison in order to reduce vulnerability to a cross-site scripting (XSS) attack.  An XSS attack is where a hacker injects malicious code into a trusted website.  The significant point here is that a browser cannot tell that part of the script should not be trusted.  Therefore, the script can access the browser’s data about the infected site, including cookies.  A secure cookie that is also marked HTTP-only cannot be accessed by scripting languages (like JavaScript), thus protecting it against these sorts of attacks.
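The session or persistent lifetime and the Secure and HTTP-only flags described in the sections above are all visible in the Set-Cookie header a site sends.  The following is an added example, not code from Onvigil: a small JavaScript audit over constructed header values.  The function names are hypothetical, and the __Host-/__Secure- name-prefix check is a browser mechanism this article does not cover.

```javascript
// Added example: audit Set-Cookie header values for the flags discussed above.
// SAMPLE holds constructed header values, not captures from a real site.
const SAMPLE = [
  'basket=abc123; Path=/',
  'prefs=dark; Max-Age=63072000; Path=/; Secure',
  '__Host-sid=9f2c; Path=/; Secure; HttpOnly; SameSite=Lax',
];

// Split "name=value; Attr; Attr=val" into a name, a value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attrs: {},
  };
  for (const attr of rest) {
    if (!attr) continue; // tolerate a trailing ';'
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  // Without Expires or Max-Age the browser discards the cookie when the session ends.
  const persistent = 'expires' in attrs || 'max-age' in attrs;
  const findings = [];
  if (!attrs.secure) {
    findings.push('missing Secure: also sent over unencrypted http');
  } else if (!/^__(Host|Secure)-/.test(name)) {
    // Assumption beyond the article: these name prefixes make browsers refuse
    // the cookie unless it was set with Secure over https.
    findings.push('no __Host-/__Secure- prefix: name is not tied to https');
  }
  if (!attrs.httponly) findings.push('missing HttpOnly: readable by page script');
  return { name, lifetime: persistent ? 'persistent' : 'session', findings };
}

for (const header of SAMPLE) {
  const { name, lifetime, findings } = auditCookie(header);
  console.log(`${name} (${lifetime}): ${findings.join('; ') || 'ok'}`);
}
```
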

Super Cookies

Supercookies can have superhero type power!  Whilst they can do many useful and helpful things they can also do a lot of damage if their powers fall into the wrong hands!

A Flash cookie is the most common type of super cookie.  In general terms, a super cookie is able to perform all of the functions of a regular cookie but the key difference is that they are able to store much more data.  In addition, they are much more difficult to find and delete. Consequently, they are also referred to as stealth cookies.

Flash cookies use a Flash plugin to hide the cookie from your browser’s native cookie management tool.  As such they can bypass each browser’s generic cookie security and privacy settings. Even more worrying is a flash cookie’s ability to transcend all browsers.  So if you use one browser for general surfing and another for secure banking transactions, for example, the separation would have negligible security benefits.

Flash cookies can also hold far more data than a standard cookie.  It is not uncommon for flash cookies to hold 100KB of data compared to an HTTP cookie’s mere 4KB.  In mid 2016, the telecommunications company Verizon was issued with a $1.35 million fine for tracking customers with a unique identifier header (UIDH), also known as a “supercookie.”

Zombie Cookies

A zombie cookie is a particularly dangerous form of Flash cookie.  A zombie cookie can instantly recreate itself if someone tries to delete it. The recreation is made possible by a series of backups which are stored outside a browser’s regular cookie storage folder, often as a Flash Local Shared Object or as an HTML5 web storage file.  Because a Flash cookie stores a unique user ID in Adobe Flash player’s storage bin, Quantcast can reapply it to a new HTTP cookie if the old one is removed.

About Onvigil

Onvigil is one of the UK’s leading online marketing agencies serving the travel, technology and not-for-profit sectors. We are a fully accredited Google Partner.  If you have any questions about the integrity of your own cookies, your privacy policy or the effectiveness of your remarketing campaigns (Google Adwords or Microsoft / Bing Ad Centre) please don’t hesitate to get in touch.
