Anatomy of a Cookie – An introduction

cookie

Cookies are ubiquitous. The internet as we know it could not exist without them. You might be very familiar with them as a digital advertiser. Or you might only know of them because you’re always told to clear “cookies and cache” whenever something isn’t working on your browser.

Within the digital advertising industry, most people could tell you that many sites use cookies to track users. Maybe they could tell you that they’re necessary for most forms of retargeting.

But if you ask anything more specific, all you get is a blank stare. 

What is a cookie, really? How do they work? What do they even look like? Where are they stored? 

These are the questions that we are going to address today. So sit tight, it’s time to learn about cookies. 

Everyone uses cookies, but very few people can tell you what they are. 

Definition

At it’s most basic level, a cookie is a tiny text file that a website places on the user’s browser when he is on the site. 

Their original purpose was to allow a site to recognize a returning user.

Why were they created?

The concept of the cookie was created in 1994 by a certain Lou Montulli at Netscape corporation (you remember them right?). He was trying to solve a problem for one of the early e-commerce sites. They wanted to be able to store information from shopping sessions but needed a way to recognize various users.

In the earliest websites, if you “added” something to your cart (this concept was fully threshed out yet) and then left, everything would disappear. You’d have to rebuild your shopping list all over again.

With the implementation of cookies in 1994, the modern internet shopping cart was born. Or at least the foundation for it was laid.

The first cookie didn’t serve any great purpose. It stored a single value on the Netscape browser: whether or not the user had visited the site before. 

But all great things have a humble beginning. Internet Explorer gained cookie support in 1995, and it took off from there.

Where are they stored

There is no one place that cookies are always stored. It depends on what browser and what operating system you use.

Initially, cookies were stored in a folder in an application folder attached to the browser. Nowadays, most modern browsers store them in a much more organized database file (generally an SQLite file).

We’ll quickly look at the most popular browser, Google Chrome, and where it stores cookies. 

Chrome

Chrome doesn’t store cookies in text (.txt) files like most browsers used to do back in the day. Now each one is stored in an SQLite file in the browser’s data folder. The folder’s location depends on the operating system you use.

Windows

C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Cookies

Mac OS X

~/Library/Application Support/Google/Chrome/Default/Cookies

(In lieu of “Default” you might have “Profile” with each profile having its own SQLite cookie folder)

What do they look like

Accessing an individual cookie isn’t always the easiest thing to do. Most browsers don’t want you messing with them beyond simply clearing them. They’re presented to the average user as a kind of on-off switch. You can either clear or leave your cookies. You can either accept them entirely or block them all.

But there is so much more to the world of cookies than this.

Though with Firefox extensions like cookiebro it is relatively straightforward. (You can also read the SQLite file directly with software designed to work with databases).

In order to understand just how small these small but powerful files really are, let’s take a look at one. 

Here’s a tracking cookie that I found on my browser:

Example 1

[
  {
     "domain": ".onecount.net",
     "name": "__ocgt",
     "value": "ALPHANUMERIC",
     "path": "/",
     "secure": false,
     "session": false,
     "expirationDate": 1883603303,
     "httpOnly": false,
     "hostOnly": false,
     "firstPartyDomain": "",
     "storeId": "firefox-default"
  }
]

Here you can see the “value” or the identifier that the site assigned to me. You can see the name of the domain that place (and therefore can read) the cookie, onecount.net. You can also see the browser I was using, Firefox. 

We can also see that it is not an httpOnly-enabled cookie. 

httpOnly is a tag that can be placed in cookies that makes them only available for access from the server end. They can’t be accessed from the client-side, that is to say, by scripts running on the browser. So httpOnly would, in theory, prevent javascript from accessing and reading the cookie. 

hostOnly is also marked as false. 

hostOnly is a tag that prevents a cookie from being accessed by a different subdomain of the placing domain. So if a hostOnly-enabled cookie is placed by one.site.com, it cannot be read by two.site.com. This can be very important for sites that allow third-parties to set up and use subdomains. 

Cookies also have to have an expiration date. If a server does not specify the expiration date when it is setting the cookie, the browser will delete the cookie the first time it is closed. These are “session” cookies because they only last as long as the browsing session.

Now if you look at the expiration date value, it doesn’t really make very much sense. There’s no clear year, month, day, hour, etc. That’s because it is a UNIX Timestamp. This particular one indicates that the cookie should expire at 02:08:23 on September 9th, 2029.

As you can see, it’s very specific! 

The secure tag is marked false. This means that the cookie does not require a secured HTTPS connection to be accessed. Were the flag marked “true,” the browser would block any HTTP access request.

Let’s look at another example.

Cookie Example 2

This cookie is a very simple one that I found while exploring my cookies.sqlite file. It was one of several placed on my browser by the DMEXCO conference website. 

Just by glancing at this one, we can see that it exists solely to mark my language. Sites do this in order to serve a user in his native language the next time he returns. 

Let’s break this one down.

[
     {
         "domain": "www.dmexco.com",
         "name": "pll_language",
         "value": "en",
         "path": "/",
         "secure": true,
         "session": false,
         "expirationDate": 1598357842,
         "httpOnly": false,
         "hostOnly": true,
         "firstPartyDomain": "",
         "storeId": "firefox-default"
     }
 ]

The domain tag indicates that it was placed by DMEXCO’s website. Remember, cookies can only be accessed by the domain that set them. 

The cookies name betrays its purpose as an interface language cookie. 

The value stored is “en,” the ISO language code for English. 

The cookie path “/” means that it is set to root. This setting means that the cookie is accessible to the entire domain, not just part of it. 

The secure flag is marked “true.” This means that access to the cookie requires HTTPS. Standard HTTP requests would be denied access to the cookie and the information it contains.

The session flag indicates that this is not a session cookie. 

The expiration flag indicates when the browser should remove the cookie. As we saw in Example 1, the actual date is stored in a UNIX timestamp. This timestamp, 1598357842, converted to a human-readable format is 12:17 PM August 25th, 2020. 

httpOnly is marked as “false,” meaning that client-side scripts can access the cookie. Again, were it marked “true,” only server-side requests would be given access.

hostOnly is also marked “false,” giving subdomains of dmexco.com access to the cookie. 

storeID marks that the cookie is stored in the default Firefox container.

As you can see, cookies are very small and simple. They store very little information themselves. In the case of tracking cookies, they most often store little more than an identifier. That identifier is then connected to information already stored about you on the server. So very little actual information about you is stored in the cookie. 

How many are on your computer

Cookies are used all over the internet and likely on the vast majority of websites that you access. So how many cookies are on your computer at a given time? Well, it’s not always easy to figure out without using a third-party tool or directly accessing the SQLite file.

According to cookiebro, I have 3,168 cookies present on Firefox. That’s without clearing my cookies in a little under two months and using the browser several hours per day almost every day.

If you browse the web a lot (or even just occasionally), but never clear your cookies, you could have even more. A lot more. 

And that’s just a small selection of the many, many pages of cookies that cookiebro retrieved from Firefox’s cookies.sqlite file. 

How are they used

Cookies are used for a wide variety of things. Some of these uses are simple as we saw with the DMEXCO interface language cookie. All it does it tell the site what language I used on the site the last time I was there. 

There are also more complicated cross-site tracking cookies such as we saw with our first example. 

The one thing to remember is that no matter how complicated or simple a cookie’s purpose might be, they all serve broadly the same goal: to allow a site to recognize a user. 

This might be very specific, insofar as login information or tracking information, but in the end the way they function is straightforward. 

An identifier is stored in the cookie that is matched to one on the server, therefore allowing the server to recognize. 

How are cookies used in digital advertising?

Cookies are an integral part of the modern digital advertising ecosystem. They allow for cross-site tracking, the understanding of user behavior, and a host of other things that have become almost standard in digital advertising. 

And without cookies, most retargeting techniques would be impossible. 

Retargeting is when a specific user has already engaged in some way and is then targeted again. Maybe he had subscribed to a magazine in the past, and an advertiser wants to make sure that he resubscribe. 

Perhaps he uses a particular SaaS platform, and the company wants him to upgrade to the more expensive plan. 

Or maybe he interacted with an ad or decided to watch an entire video ad rather than fast-forwarding through it. All of these things indicate that he might be very interested in the product and just needs a little bit of a push. 

All of these are potential use cases for retargeting. The user has already engaged in some way, and the advertiser thinks he is particularly likely to convert. 

But here’s an example of retargeting with which everyone is familiar. Have you ever been on an e-commerce site and added something to your cart and then left without purchasing? You might have noticed that many of the sites you visited next were offering exactly the same product from the same store at the same or even reduced prices. 

That’s retargeting. 

But wait you say. I thought only the domain that placed the cookie could read it again! So how does cross-site tracking work?

This is where the complicated world of pixels and cookie matching comes into play. 

Of pixels and cookies

It is correct that cookies can only be read by the domain that sets them. However, there is a way around this, and it’s called a “pixel.”

A pixel is a script that uses the HTML IMG tag to make a connection with a third-party server. This third-party server, once accessed, can then place a cookie attached to its domain on your browser — all without you accessing this site. 

Let’s look at the virtual shopping cart retargeting example. 

So you might load an e-commerce site, but in using it, a pixel (likely an Ad Network) places a third-party cookie on your browser. This cookie would contain a unique identifier that connects you to the shopping cart.

You then leave the site to read the local news. 

This news site naturally wants to monetize its traffic and, to do so, it has hooked into an Ad Network that serves ads on its website.

Now, the Ad Network, being the domain that placed the cookie, reads it, and realizes that you recently added some things to your cart on the site.

Since the e-commerce site was running a retargeting campaign, you see ads on the news site for the products that you recently added to the cart!

Of course, this is a very simplified way of looking at a complicated system. But one thing to understand is that the industry spends a lot of time and energy “cookie matching” to make targeted advertising possible.

Cookie Matching

Cookie matching is the process by which various players in digital advertising all keep track of the different identifiers (i.e., Cookie IDs) that they use for the same users. 

This way, other parts of the programmatic ecosystem can recognize an impression coming from a user with a given cookie ID. 

Various adtech and digital advertising companies are ceaselessly syncing their cookies with one another – all so they can better identify users.

First-party vs. Third-party

You likely hear the terms first-party and third-party said a lot in reference to cookies. So let’s quickly look at those terms as we finish up. 

First-party cookies are simply cookies placed by the domain that a user visited. These could track login information, shopping carts, language used, etc. But no matter their function, first-party cookies are always those placed by a site’s own domain. i.e., the cookies set by catworld.com when you visit the site.

Third-party cookies, on the other hand, are those placed by different domains than the one that you visited. If you visit catworld.com and it has a bunch of tracking pixels that place cookies from other domains, all of these would be considered third-party.

And third-party cookies have developed something of a bad rep.

Does the cookie have a future?

The third-party cookie has been so maligned; in fact, that key industry players are thinking of making the placement of third-party cookies nigh impossible. This month (September), Mozilla decided to block all third-party cookies in Firefox

And Google is not far behind. It is currently testing third-party cookie blocking in its Chrome browser. 

So the age of the third-party cookie seems to be coming to an end, luckily the adtech industry is already working on solutions. 

Conclusion

In internet years, the cookie is an ancient technology. Nonetheless, it is still a vital part of the internet as we know it today. It simply couldn’t function nearly so seamlessly as it does now if we took cookies out of the equation. 

For the last decade, they have also been a critical part of digital advertising. But with the privacy awakening that has been occurring over the last few years, certain kinds of cookies have become very unpopular with users and browser developers. 

Unfortunately, this technology is a central facet of much of a large portion of internet advertising.

But whether third-party cookies evolve into something new or are replaced outright with new technology, the cookie itself is here to stay.

And now that you understand cookies, you have a much better understanding of the internet itself. 


Mobinner is a High-Performance Demand-Side Platform. Since 2017, we’ve been helping clients build brands, acquire customers, and drive conversions. See what Mobinner can do for you. 



Leave a Reply

Your email address will not be published. Required fields are marked *