A cookie is a piece of data from a website that is stored within a web browser that the website can retrieve at a later time. Cookies are used to tell the server that users have returned to a particular website. When users return to a website, a cookie provides information and allows the site to display selected settings and targeted content.

Cookies also store information such as shopping cart contents, registration or login credentials, and user preferences. This is done so that when users revisit sites, any information that was provided in a previous session or any set preferences can be easily retrieved.

Advertisers use cookies to track user activity across sites so they can better target ads. While this particular practice is usually offered to provide a more personalized user experience, some people also view this as a privacy concern.


The cookie was created in 1994 by Lou Montulli of Netscape Communications to create a more seamless experience for people making commercial transactions online. The term "cookie" was derived from an earlier programming term, "magic cookie," which was a packet of data programs that kept data unchanged even after being sent and received several times.

Type of Cookies

Session cookie 

Session cookies are also known as transient cookies or per-session cookies. Session cookies store information while the user is visiting the website. These cookies are deleted once the user closes the session.

Persistent cookie 

Persistent cookies are stored for a specific length of time. These cookies remain on your device until they expire or are deleted. Persistent cookies are sometimes called tracking cookies because they are used to collect user information such as browsing habits and preferences.

First-party and third-party cookies 

First-party cookies are cookies set by websites that users directly visit. These cookies often store information that is relevant or related to the site, such as preferred settings or user location.

Third-party cookies are cookies that come alongside third-party content, such as embedded videos, ads, web banners, and scripts, on a visited website that users visit. Advertisers often use third-party cookies to track user behavior.


Supercookies are similar to session cookies in that they also track user behavior and browsing history. However, they also have the ability to re-create user profiles, even after regular cookies have been deleted. Supercookies are also stored in different places than standard cookies. This makes detecting and removing them more difficult for the average user.  Supercookies are sometimes called "zombie cookies" or "evercookies."

Flash cookie 

Flash cookies or "local shared objects" [LSOs] are data files that are stored on computers by websites that use Adobe® Flash®. Like browser cookies, Flash cookies can store user information in Flash applications. Flash cookies are sometimes used by sites as "backup" once the browser cookie is deleted.

Security and privacy risks

While cookies cannot carry or install malware onto computers, they can be exploited by cybercriminals for their malicious schemes. Notable cases are listed below:

  • In November 2010, the Koobface worm was observed searching for cookies related to Facebook and using the stolen credentials to log in to victims’ accounts.
  • In May 2011, an Internet Explorer® zero-day bug was exploited to hijack session cookies using social engineering tactics.
  • In July 2011, an attack on numerous e-commerce websites used a malware that searches for internet caches, cookies, and browsing histories in order to steal login credentials and other data.

Cookies have long been viewed as having serious implications with user privacy. In 1996 and 1997, cookies were the topic of the US Federal Trade Commission hearings. The Internet Engineering Task Force [IETF] formed a special working group to address the specifications of cookies. In February 1997, the IETF specified that third-party cookies were not allowed, or at least enabled by default. This recommendation was superseded in October 2000. The newer standard in 2011 allows the use of third-party cookies, but users can choose to not accept them.

Other efforts to address possible privacy issues include the "Do Not Track [DNT]" header mechanism for browsers. Once enabled, the DNT header will notify that users do not want to be tracked and that any tracking or cross-site user tracking must be disabled. Mozilla Firefox® was the first browser to implement the feature, followed by Internet Explorer, Safari®, Opera, and Google Chrome™.

What should users do?

  • Tweak built-in browser settings to delete and manage cookies, or enable third-party cookie blocking.
  • Opt not to use cookies in websites (though this can limit functionality)

Related terms: Cache


Products : Trend Micro Browser Guard