What is an HTTP cookie?
A small piece of data a server sends a browser, echoed back on subsequent requests to the same site—the standard mechanism for sessions and tracking.
When a server sets a Set-Cookie header, the browser saves the cookie scoped to the domain (and optionally path) that issued it. From then on, every request the browser makes to that scope includes a Cookie header echoing those values back. That round-trip is what lets a stateless protocol behave like a stateful application.
Cookies have attributes that govern their behavior: Secure (HTTPS only), HttpOnly (no JS access), SameSite=Lax|Strict|None (cross-site request rules), Max-Age (lifetime), Domain/Path (scope). For session cookies you want Secure, HttpOnly, SameSite=Lax and a short Max-Age; anything less is a vulnerability waiting to be exploited.
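The attribute checklist above is easy to enforce mechanically. The following is an added example, not code from the original page: it parses a Set-Cookie header value, reports which of the recommended session-cookie attributes are missing or weak, and builds a hardened header from a name and value. The one-hour Max-Age limit and the cookie name `sid` are assumptions chosen for the example.

```python
"""Audit Set-Cookie headers for session-cookie hygiene (added example)."""
from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or True for flag attributes
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split a Set-Cookie header value into the name=value pair and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    if "=" not in parts[0]:
        raise ValueError("cookie pair must be name=value")
    name, value = parts[0].split("=", 1)
    cookie = ParsedCookie(name.strip(), value.strip())
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:  # valued attribute, e.g. SameSite=Lax
            key, val = part.split("=", 1)
            cookie.attrs[key.strip().lower()] = val.strip()
        else:            # flag attribute, e.g. Secure
            cookie.attrs[part.lower()] = True
    return cookie


def audit_session_cookie(header: str, max_age_limit: int = 3600) -> list[str]:
    """Return findings for a header meant to carry a session token; [] means clean."""
    c = parse_set_cookie(header)
    findings = []
    secure = c.attrs.get("secure") is True
    if not secure:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if c.attrs.get("httponly") is not True:
        findings.append("missing HttpOnly: readable by page scripts")
    samesite = str(c.attrs.get("samesite", "")).lower()
    if samesite == "":
        findings.append("missing SameSite: cross-site behaviour left to the browser default")
    elif samesite == "none":
        msg = "SameSite=None: sent on all cross-site requests"
        if not secure:
            msg += " and lacks Secure, which browsers require for SameSite=None"
        findings.append(msg)
    max_age = c.attrs.get("max-age")
    if max_age is None and "expires" not in c.attrs:
        findings.append("missing Max-Age/Expires: no explicit lifetime")
    elif max_age is not None:
        try:
            if int(max_age) > max_age_limit:
                findings.append(f"Max-Age {max_age}s exceeds limit of {max_age_limit}s")
        except ValueError:
            findings.append("Max-Age is not an integer")
    return findings


def build_session_cookie(name: str, value: str, max_age: int = 1800) -> str:
    """Produce a Set-Cookie value with the recommended attributes for a session token."""
    return f"{name}={value}; Secure; HttpOnly; SameSite=Lax; Max-Age={max_age}; Path=/"


if __name__ == "__main__":
    # Constructed sample headers: one weak, one produced by the builder.
    for hdr in ("sid=abc123; Path=/", build_session_cookie("sid", "abc123")):
        print(hdr, "->", audit_session_cookie(hdr) or "OK")
```

Run it against the headers your framework actually emits (copy them from a response in the browser's network panel) rather than against the constructed ones; frameworks often default HttpOnly on and Secure off.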
Third-party cookies, set by domains other than the page's, are how cross-site tracking historically worked. Safari and Firefox block them by default; Chrome's timeline keeps slipping but the direction is the same. Adtech has largely shifted to first-party cookies and server-side tracking as a result.
FAQ
Cookie vs localStorage?
Cookies are sent on every HTTP request; localStorage is read only by JS on demand. Cookies for session tokens (so the server sees them); localStorage for client-side preferences.
What does SameSite do?
It controls whether the cookie is sent on cross-site requests. Lax allows top-level GET navigations, Strict blocks all cross-site requests, None allows everything (and requires Secure).
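The three SameSite modes are easier to reason about as a decision function. This is an added example, not code from the original page: it models whether a browser would attach a cookie to a request given the cookie's SameSite and Secure attributes and the request's context. The "site" computation is a deliberate simplification that takes the last two host labels (it assumes no public-suffix entries like `co.uk`), and the host names are constructed.

```python
"""Model the SameSite send decision for a cookie (added example)."""
from dataclasses import dataclass

# Lax permits "safe" methods on top-level navigation; GET is the common case.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def registrable_domain(host: str) -> str:
    """Approximate the 'site' as the last two labels (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: str   # "Lax", "Strict" or "None"
    secure: bool


@dataclass(frozen=True)
class Request:
    initiator_host: str         # site of the page that caused the request
    target_host: str            # site the request is sent to
    method: str
    top_level_navigation: bool  # link click or form GET that changes the address bar
    https: bool


def would_send(cookie: Cookie, req: Request) -> bool:
    """Return True if a browser following SameSite rules would attach the cookie."""
    if cookie.secure and not req.https:
        return False  # Secure cookies never travel over plain HTTP
    same_site = registrable_domain(req.initiator_host) == registrable_domain(req.target_host)
    if same_site:
        return True   # SameSite only restricts cross-site requests
    mode = cookie.samesite.lower()
    if mode == "strict":
        return False
    if mode == "lax":
        return req.top_level_navigation and req.method.upper() in SAFE_METHODS
    if mode == "none":
        # A SameSite=None cookie without Secure is rejected when set, so it never exists to send.
        return cookie.secure
    raise ValueError(f"unknown SameSite value: {cookie.samesite}")


if __name__ == "__main__":
    # Constructed scenarios: a cross-site link click, a cross-site form POST, a same-site API call.
    scenarios = {
        "cross-site link": Request("other.example", "shop.example", "GET", True, True),
        "cross-site POST": Request("other.example", "shop.example", "POST", True, True),
        "same-site API":   Request("www.shop.example", "api.shop.example", "POST", False, True),
    }
    for mode in ("Lax", "Strict", "None"):
        c = Cookie("sid", mode, secure=True)
        print(mode, {label: would_send(c, r) for label, r in scenarios.items()})
```

The table it prints is the practical takeaway: a Lax session cookie still rides along on a cross-site link click, so a state-changing GET endpoint is exposed under Lax and only Strict closes it; a Strict cookie, in turn, is absent on the first request after following a link from another site, which is why many sites pair a Strict session cookie with a separate Lax "logged-in" indicator.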
Are cookies covered by GDPR?
Yes. Any cookie that identifies a user is personal data under GDPR. Strictly necessary cookies don't require consent; analytics and ad cookies do.
Related terms
The application protocol the web is built on, a simple request/response format for asking a server for a resource.
HTTP encrypted with TLS, the same protocol, but every byte on the wire is authenticated and protected from eavesdroppers.
A prefix added to a parent domain to identify a separate section, app, or service, like `blog.example.com` or `api.example.com`.
The human-readable name that identifies a site on the internet, the part that maps to an IP address through DNS.