Web cookies

AP.CSP: IOC‑2.A (LO), IOC‑2.A.3 (EK), IOC‑2.A.7 (EK), IOC‑2.B.11 (EK)

The web is not private by default. Websites often use cookies to track user actions on their site and even across other sites.
Websites track user history in order to improve their services. As both users and creators of software, it's important for us to understand how they track that data and how much control users have over that tracking.

What's a cookie?

An HTTP cookie is a small amount of text that helps a website track information about a user across multiple pages of the website and personalize the user's experience on the website. If you've ever logged into a website, a cookie kept you logged in across multiple pages.

The cookie process

Let's walk through how a cookie is actually set. (If you're feeling fuzzy on the HTTP protocol, this is a good time to review HTTP & HTML.)

Step 1: Browser requests a website

Imagine a user that navigates to a website for the first time--or at least, the first time from that particular browser. The browser sends an HTTP request to the server that hosts the website.
GET /index.html HTTP/1.1
Host: www.shoopshop.com

Step 2: Server sends cookie with response

The server sends back an HTTP response and includes a Set-Cookie header in that response.
HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: sessionId=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT
...
The cookie contains a name (sessionId) and a value (abc123), plus an expiration date for the browser to clear this cookie from its memory.
If the server wants to set multiple cookies, it adds more Set-Cookie headers to the response.

Step 3: Browser stores cookie

The browser saves the cookie information, storing it on the user's hard drive. That way, the data will persist even after restarting the browser or computer. That's why this type of cookie is called a "persistent cookie".
There are also "session cookies", cookies with no expiration date which are always deleted when the browser is shut down.

Step 4: Browser sends cookies with requests

When the user navigates to a different page on the website, the browser sends along the stored cookies with each HTTP request.
GET /shop.html HTTP/1.1
Host: www.shoopshop.com
Cookie: sessionId=abc123

Step 5: Server personalizes response

When the server receives the HTTP request, it inspects the cookies and sees that this request is coming from a user with a known sessionId. It can then look up that session ID in its database and use any information about the session to personalize the response.
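
The five steps above, modelled end to end as an added example (this is not Khan Academy's or any real site's code). The `theme=dark` cookie, the 30-day lifetime and the function and class names are constructed for illustration; the session ID is random because anyone who holds it can act as that session.

```python
import secrets
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from http.cookies import SimpleCookie

SESSIONS = {}  # server-side store: session ID -> pages seen in that session

def server_handle(path, cookie_header, now):
    """Steps 2 and 5: return (body, list of Set-Cookie header values)."""
    jar = SimpleCookie(cookie_header)
    sid = jar["sessionId"].value if "sessionId" in jar else None
    if sid in SESSIONS:  # step 5: known session, personalize the response
        SESSIONS[sid].append(path)
        return f"Welcome back, page view {len(SESSIONS[sid])}", []
    sid = secrets.token_urlsafe(16)  # random, unlike the page's toy abc123
    SESSIONS[sid] = [path]
    expires = format_datetime(now + timedelta(days=30), usegmt=True)
    return "Hello, new visitor", [f"sessionId={sid}; Expires={expires}",
                                  "theme=dark"]  # no Expires: session cookie

class Browser:
    def __init__(self):
        self.cookies = {}  # name -> (value, expiry datetime or None)

    def store(self, set_cookie_headers):
        """Step 3: each Set-Cookie header carries one cookie."""
        for header in set_cookie_headers:
            for name, morsel in SimpleCookie(header).items():
                exp = morsel["expires"]
                self.cookies[name] = (
                    morsel.value, parsedate_to_datetime(exp) if exp else None)

    def cookie_header(self, now):
        """Step 4: send back every cookie that has not expired."""
        return "; ".join(f"{n}={v}" for n, (v, exp) in self.cookies.items()
                         if exp is None or exp > now)

    def restart(self):
        """Session cookies vanish on shutdown; persistent ones survive."""
        self.cookies = {n: c for n, c in self.cookies.items()
                        if c[1] is not None}

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    browser = Browser()
    for path in ("/index.html", "/shop.html"):  # steps 1 and 4
        body, headers = server_handle(path, browser.cookie_header(now), now)
        browser.store(headers)
        print(path, "->", body, "| jar:", sorted(browser.cookies))
```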

Use cases for cookies

There are many ways a website can use cookies to personalize an experience. A search engine can use them to remember how many results a user prefers seeing per page. A news site can use them to recommend headlines that are similar to the articles you've already read. All sorts of websites can use cookies to track analytics, like how long you spent on a page and which buttons you clicked.
Any website with a log-in uses a cookie to keep you logged in on every page of the site. When you log out of that site, it clears the cookie and doesn't set it again until you log in again.
🔍 You can see for yourself what cookies are being sent from a browser to a website by following the steps in this wikiHow tutorial.
Here's a screenshot of a handful of the cookies used by Khan Academy:
Screenshot of Chrome developer tools on a Khan Academy page. "Application" tab is selected, and "Cookies" is expanded on the side. A table of cookies is shown, with names and values for each cookie.
The cookies that start with "KA" all help in identifying the current user, and the "_ga" cookie is used by Google Analytics.
These are not my account's actual cookies; you should never share your cookies since others could use them to impersonate your account. You should, of course, share any and all chocolate chip cookies. 🍪

Third-party cookies

Each cookie stored by a browser is associated with a domain and path. When you visit a website and its server sends back an HTTP response with a cookie, the browser associates that cookie with the domain of the server. That's called a first-party cookie.
However, a website can also include resources from other domains, like an image, iframe, or script. When the browser requests those resources, their servers can also send back cookies, which will now be associated with their domain. These are called third-party cookies.
A 2016 study found that the average website loaded in about 20 third-party cookies, and the average news site loaded double that amount.
What are they doing with all those cookies? Most third-party cookies are used for advertising. Imagine a user that visits a food blog with a recipe for gluten-free cookies. That blog includes a Facebook ad with a cookie. The user then visits facebook.com and notices a sudden uptick in ads about gluten-free products. That's not a coincidence, that's cookies!
Since third-party cookies serve a very different purpose than first-party cookies and infringe more on the privacy of web users, browsers have made it possible to disable third-party cookies entirely. You can try that yourself following the steps in this HowToGeek article.
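
How one third-party cookie links visits across unrelated sites, and what disabling third-party cookies changes, as an added example (a constructed model, not code from any ad network or browser). The `.example` domains, the class names and the use of the Referer value to record the embedding page are assumptions made for illustration.

```python
import itertools

class AdServer:
    """Third party embedded by many sites (hypothetical ads.example)."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.history = {}  # tracking ID -> pages that embedded the ad

    def serve(self, cookie, referer):
        """Log the embedding page; return a new ID to set if none was sent."""
        new = cookie is None
        uid = f"u{next(self._ids)}" if new else cookie
        self.history.setdefault(uid, []).append(referer)
        return uid if new else None

class MiniBrowser:
    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}  # cookie domain -> value

    def visit(self, site, page, embeds):
        """Load a page on `site`, then each resource it embeds."""
        for domain, server in embeds.items():
            # Simplification: any domain other than the visited site is
            # treated as third-party.
            third_party = domain != site
            allowed = not (third_party and self.block_third_party)
            cookie = self.jar.get(domain) if allowed else None
            set_cookie = server.serve(cookie, referer=f"{site}{page}")
            if set_cookie and allowed:
                self.jar[domain] = set_cookie  # stored under the ad's domain

def profiles(block):
    """Return the browsing profiles the ad server ends up holding."""
    ads = AdServer()
    browser = MiniBrowser(block_third_party=block)
    embeds = {"ads.example": ads}
    browser.visit("foodblog.example", "/gluten-free-cookies", embeds)
    browser.visit("news.example", "/sports", embeds)
    browser.visit("shop.example", "/bread-maker", embeds)
    return list(ads.history.values())

if __name__ == "__main__":
    print("third-party cookies allowed:", profiles(block=False))
    print("third-party cookies blocked:", profiles(block=True))
```

With the cookie allowed, the ad server holds one profile covering all three sites; with it blocked, each request looks like a new visitor and the visits cannot be joined by cookie.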

🙋🏽🙋🏻‍♀️🙋🏿‍♂️Do you have any questions about this topic? We'd love to answer—just ask in the questions area below!

Want to join the conversation?

  • purplebanane12
    So Khan Academy uses cookies? I thought it was stored in their database instead of our computer....
    (7 votes)
  • Kathryn Abernathy
    What if the third party uses your information for something else or even sells your information?
    (5 votes)
  • User Name
    Can one use persistent cookies to download malware to a computer? After all, they are stored on the computer hard drive.
    (4 votes)
    • Shane McGookey
      Cookies are traditionally meant to be beneficial to the user; for example, cookies can be used to remember a user's preferences for a particular website.

      However, cookies can also be used maliciously. You mentioned "downloading malware" in your post, but cookies do not install any software (malware is a type of software, and the name malware is a portmanteau of malicious and software). Rather than downloading malware, cookies can be used to track the activity of a user.

      For example, a collection of websites can work together to store cookies of a certain name and type, such that they can work in aggregate to track their user's visitation habits to any of their websites. Likewise, if a website has many advertisements, cookies can be used to determine which of the advertiser websites the user visits (with the host website working in collaboration with the advertiser website).

      In this sense, these "tracking cookies" can be considered as a variant of spyware, but no software is being downloaded to a user's machine through the cookies.
      (9 votes)
  • green_ninja
    Hi!

    How can I determine whether a website uses persistent cookies or session cookies?
    (4 votes)
  • Yogesh Sheoran
    Why are there only two cookies, first-party cookies and third-party cookies? Why are there no second-party cookies?
    (3 votes)
    • brudda osas
      "First, second, and third party" is terminology for the people in a conversation.

      The server is doing the talking (sending you stuff) so it's the first party, you are doing the listening so you are the second party, and another server (iframes etc.) is the third party.

      There are no second-party cookies because you don't set cookies for yourself.
      (4 votes)
  • haq.haris28
    So third-party cookies are cookies loaded by other websites not related to the current website you are browsing?
    (5 votes)
  • PageRipper
    Are some ads safe or not, especially for younger children, and what kind of ads should we stay away from?
    (5 votes)
  • Darsh
    So is PII more important than cookies?
    (2 votes)
    • :)
      Yes, with PII you can identify a person (their name, age and everything that makes them, them!), while cookies are just there to track what you're doing on a website.
      (6 votes)
  • Jesse Fleskes
    Why do cookies steal our information?
    (3 votes)
  • Merren
    Are the sites that are linked safe?
    (3 votes)