
How Do Websites Use Cookies to Track You? | Onlinesim

  • Nov 29, 2022, 12:39 PM
  • 9 minutes

If you log in to a site and then close the browser, most likely, you will not need to sign in to your account again when you reopen the browser. This is possible because the site stores cookies on your computer for automatic sign-in.

Cookies are also used for content and ad personalization, surveillance, and information or money theft.

This third article in the cybersecurity series explains what cookies are and how they are used for tracking.

What Are Cookies?

They are small text files that a web server creates when you visit a site. These files are stored on your computer and sent back to the site when you revisit it. Cookies contain user activity information, browser or PC settings, etc.

Cookies collect your browsing and search history, autofill form information, and location. The amount of information collected depends on each site.

You can avoid cookie tracking by using incognito mode in the browser. In this mode, only single-session cookies are collected; after you close an incognito window, they get deleted.

What Do Cookies Consist Of?

Cookies are bits of text code.

They look like this:

Set-Cookie: __Secure-name=value; max-age=31536000; path=/; secure; httponly; samesite=lax

Every word corresponds to a specific attribute:

  • The Name attribute indicates the name of the cookie.
  • The Value attribute helps to identify the user and contains service information.
  • The Expires and Max-age attributes determine the browser cookie lifetime. When this period expires, cookies are deleted.

If this attribute is zero, cookies are automatically deleted after closing the browser.

The Expires attribute is specified in the format Mon, 08-Aug-2022 13:35:22 GMT. The Max-age attribute shows the cookie's expiration time in seconds from the moment the attribute was set up in the browser.

  • The Path attribute limits the scope of cookies to a specific path on the site. If you set the root directory "/," cookies will be available for all site pages.
  • The Domain attribute refers to a domain or subdomain that can view the cookies. To make cookies available to the entire site, the domain name "" should be specified.
  • The Secure attribute specifies that cookies are sent only over a secure HTTPS connection.
    A regular HTTP connection does not use SSL or TLS encryption.
  • The HTTPonly attribute blocks JavaScript access to cookies through the document.cookie property. It resists cross-site information theft.
  • The Samesite attribute controls cross-site cookie transmission. It protects against Cross-Site Request Forgery (CSRF).
    CSRF is an attack carried out by a fraudulent website or script. It forces a user to execute an unwanted action on a trusted site to which the user is logged in. A person must follow a hacker's link to make the attack work.

For example, a user logs in to a banking account and clicks a hacker's link with a request to transfer money to the thief's account. The bank will process the transaction without the user's knowledge because the user is signed in.
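The attributes above can be checked mechanically. This added example (not code from the original article) parses a Set-Cookie header and reports missing Secure, HttpOnly and SameSite attributes, plus the browser rules tied to the __Secure- and __Host- name prefixes; the function names and the two weak sample headers are constructed for illustration.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs); attribute keys lowercased."""
    line = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    # Empty segments (for example a doubled ';') are skipped.
    parts = [p.strip() for p in line.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("header has no name=value pair")
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return a list of findings for one Set-Cookie header (empty list = nothing flagged)."""
    name, _, attrs = parse_set_cookie(header)
    has_secure = "secure" in attrs
    findings = []
    if not has_secure:
        findings.append("no Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: readable through document.cookie")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict", "none"):
        findings.append("no SameSite: cross-site sending is left to the browser default")
    elif samesite == "none" and not has_secure:
        findings.append("SameSite=None requires Secure")
    # Name prefixes are enforced by the browser when the cookie is set.
    if name.startswith("__Secure-") and not has_secure:
        findings.append("__Secure- prefix requires Secure")
    if name.startswith("__Host-") and (
        not has_secure or "domain" in attrs or attrs.get("path") != "/"
    ):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return findings


if __name__ == "__main__":
    samples = [
        # The article's sample header.
        "Set-Cookie: __Secure-name=value; max-age=31536000; path=/; secure; httponly; samesite=lax",
        # Constructed weak headers.
        "Set-Cookie: sessionid=abc123; Path=/",
        "Set-Cookie: __Secure-id=1; SameSite=None; HttpOnly",
    ]
    for header in samples:
        print(header, "->", audit_cookie(header) or "nothing flagged")
```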

Types of Cookies

Session. These browser cookies are stored only for a period when a person is visiting a site. When a person closes the browser, they are deleted.

Permanent. Permanent cookies are stored until they expire. They are sent to the site every time a person visits it. Permanent cookies are divided into:

  • First-party Cookies are directly stored by the site you are visiting. They are not available to other domains. Such cookies help automatically log you in and store your shopping cart content.
  • Third-party cookies are created by the sites that you are not visiting. For example, there is a Twitter sharing button on Such sharing buttons generate cookies that are usually ad trackers. They help sites set up targeted advertising.

Secure. Secure cookies can be sent only via HTTPS protocol.

HTTPonly. They protect against cross-site information theft and are not available via API.

Zombie. They recreate themselves even after they are deleted. The copies are stored separately from other browser cookies, for example, on the Internet or in hidden folders on a PC.

Supercookies. They are the same as regular ones. Supercookies track user behavior and browsing history. The difference is that they do not use local storage but servers and other places. They can recreate user profiles even after deleting regular cookies.

Supercookies depend on HTTP connections, so making an encrypted connection stops their functioning. Thus, you should visit only HTTPS sites (those that use SSL or TLS certificates) to avoid supercookie tracking.

Why Are Browser Cookies Used?

Remembering login information and products that a person wants to buy. Cookies improve user experience and facilitate the use of the site.

Linking a user and a website. Browser cookies correspond to the user's session and a specific account. The next time a person visits the site, they will see personalized ads.

Tracking the sites a user visits. The information is sent to the server and then back to the site when a person revisits it.

Analyzing users' actions. Sites use Google Analytics and other legitimate web analytics tools. They collect information using cookies that are created automatically and sent to the server.

Website owners use web analytics tools to develop and improve their sites and collect information about their target audience.

Why Do Websites Warn About Cookies?

Websites inform users about the use of cookies because they are subject to the GDPR (General Data Protection Regulation) privacy law. If a European resident visits a site, the site has to warn about cookies. And then, a person can accept information processing if they want.

Some sites collect cookies that are necessary for their operation even without the user's consent.

In China, the government collects cookies to assess a person's reliability based on their visited pages. It affects the decision to issue a loan or determine the insurance cost.

Are Cookies Safe?

A browser cookie itself is safe and cannot harm a user. It is plain text that just contains information, not malware. Cookies cannot make copies of themselves and spread to other networks to execute again.

However, hackers and fraudsters who use cookies for their own purposes can harm users. For example, they can link a real person with their online activity and use this information for unwanted advertising, surveillance, information or money theft.

Cookies are often used to commit fraud. Here are a few stories:

In November 2010, a network worm Koobface used Facebook users' cookies to steal account credentials.

In 2019, copies of the ad blocking services AdBlock and uBlock used cookies for their own purposes. They secretly added cookies to the browsers of users who had installed the extensions and changed cookie files. The ad blockers used an attribute to ensure that the extension creators would receive a commission on every payment.

In 2021, hackers took over famous YouTube accounts and sold the login information on other sites.

Disadvantages of Cookies

Inaccurate identification. Any person who uses multiple accounts and browsers has numerous sets of cookies. The same applies to one account used by several people: cookies do not apply to a specific user but to the account as a whole.

Cookie stuffing. Hackers may steal and edit cookies. For instance, cookies contain information about the cost of an item, and hackers can change the amount of payment and pay less.

Cookie Theft. Cybercriminals hack a person's session and steal cookies or send them to another server to get personal information. They can use this information to log in to their social media accounts, email, or other sites. Credit or debit card details are often stolen if they are stored on the site and in cookies.

Cross-site cookies. Sites can exchange information collected from cookies with each other. In other words, they sell users' personal information.

Performance issues between a client and a server. Cookies can give incorrect information to servers. For example, a person accepts cookies in an online store, adds an item to the shopping cart, then changes their mind and clicks the back button, but the item is still in the cart. It may lead to ordering the wrong items and decreasing business trustworthiness.

Cookie lifetime. Permanent cookies have been criticized for allowing sites to monitor users' activity constantly and making a target audience portrait. Hackers can also use them for information theft.
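The cookie stuffing item above describes a price stored in a cookie being edited by the client. This added example (not from the original article) shows one server-side defence: attaching an HMAC tag to the value so any edit is detected. The cookie name cart_total, the key and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Assumption: a secret known only to the server. Constructed demo value.
SECRET_KEY = b"constructed-demo-key-replace-me"


def _tag(name, value, key):
    """HMAC-SHA256 over 'name=value', so a tag cannot be reused under another cookie name."""
    mac = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def sign_cookie(name, value, key=SECRET_KEY):
    """Return the string to store as the cookie value: '<value>.<tag>'."""
    return f"{value}.{_tag(name, value, key)}"


def verify_cookie(name, signed, key=SECRET_KEY):
    """Return the original value if the tag matches, otherwise None."""
    # The tag is base64url and contains no '.', so split on the last dot.
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None  # no tag present at all
    expected = _tag(name, value, key)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if hmac.compare_digest(tag.encode(), expected.encode()):
        return value
    return None


if __name__ == "__main__":
    signed = sign_cookie("cart_total", "49.99")
    print("server sets :", signed)
    print("untouched   :", verify_cookie("cart_total", signed))
    edited = signed.replace("49.99", "0.99", 1)  # client edits the price
    print("edited      :", verify_cookie("cart_total", edited))
```

A valid tag only proves the server once issued that value; keeping the price on the server and storing just a session identifier in the cookie avoids the problem entirely.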

What Happens if You Disable Cookies?

Auto-login will be unavailable. If you disable cookies, some sites will forget you, and you will not be able to log in to your accounts automatically. You will have to re-enter your login credentials after refreshing a page or navigating to another section of the site.

You will have to fill in forms on your own. When you fill in a form, your browser saves this data and shows it as suggestions later. It will not be available without cookies.

Sometimes sites that use multi-page forms may work incorrectly without cookies. So if the site reloads, you will have to fill in the information again.

Personalized ads will not work. It will be more difficult for sites to track user activity. They will not be able to check which resources you visit and will stop offering personalized ads. Most likely, the ads will not match your interests.

The items in shopping carts will be lost. When you add items to a shopping cart, the server uses cookies to remember them. And when you disable them, sites will not be able to keep your products in the shopping basket.

How to Disable Cookies?

Disabling cookies will log you out of all your accounts. So you will have to log in again.

Disabling Cookies in Google Chrome

  1. Go to settings. To do so, click on the three dots in the top-right corner → select settings.

  2. Click on Privacy & Security → click on Cookies and other site data.

  3. Click on the appropriate option. If you want to turn off only third-party cookies, click Block third-party cookies.

Disabling Cookies in Mozilla Firefox

  1. Go to settings. Click on the three horizontal lines in the top right corner → select settings.
  2. Select the Privacy & Security panel.

  3. Go to the Custom section. Open the list of cookies and select which ones you want to disable: third-party or all cookies.

Firefox cookie protection works by creating a separate “cookie jar” for each website you visit. It means a website makes its own cookies and has no access to other cookies.

This maintains website functionality and prevents ad tracking. In addition, this function is activated by default - you do not need to turn it on.

Mozilla’s Cookies Protection

Total Cookie Protection does not isolate cookies from different open tabs under the same domain. So, for example, if you have Gmail, Google Weather, and Google Shopping open, Google will know that you have three tabs open and connect their cookie trails.

You can solve this problem by installing container extensions. This way every site will have access only to its cookies even if several Google services are opened in the browser or if a site has embedded Facebook widgets. To get such extensions, go to Mozilla Add-ons and type in the search bar “container”.

Keep in mind, not all extensions are official. Read reviews and check star ratings before installing anything.

The other option is to use different accounts for sign-in.

Disabling Cookies in Opera

The steps are the same as in Google Chrome: go to settings → click on Privacy & Security → click on Cookies and other site data.
