Glossary

What Are Cookies? Browser Storage Explained

Cookies are small key-value data pairs that a web server instructs a browser to store and automatically include in future requests to the same domain. They are primarily used for session management (keeping users logged in), personalisation, and tracking. HTTP is stateless; cookies are the primary mechanism for maintaining state.

Session vs Persistent Cookies

Session cookies have no expiry date — they are deleted when the browser session ends (tab/window closed). Persistent cookies have an Expires or Max-Age attribute, surviving browser restarts up to that date. 'Remember me' features set a persistent cookie. Authentication session tokens are typically session cookies to limit exposure if a device is shared.

Security Attributes

HttpOnly: prevents JavaScript (including XSS attacks) from reading the cookie. Secure: the cookie is only sent over HTTPS connections. SameSite=Strict: the cookie is not sent with cross-site requests, which prevents CSRF. SameSite=Lax: the cookie is sent on top-level navigation but not on cross-site subrequests (the default in Google Chrome). SameSite=None; Secure: required for third-party cookies embedded in iframes.

Third-Party Cookies and Tracking

Third-party cookies are set by domains other than the page you're visiting — typically ad networks and analytics providers. They enable cross-site tracking: the same ad network cookie is present across many sites, building a profile of your browsing. Chrome is phasing out third-party cookies; alternatives include first-party data, server-side tracking, and the Privacy Sandbox proposals.