What are website cookies and where are they stored?

What are website cookies?

Cookies are usually small text files, tagged with an ID, that are stored in your computer’s browser directory or program data subfolders.

Cookies are created when you use your browser to visit a website that uses cookies to keep track of your movements within the site, help you resume where you left off, remember your registered login, theme selection, preferences, and other customisation functions.

Where are Cookies stored?

The website stores a corresponding file (with the same ID tag) to the one they set in your browser and in this file they can track and keep information on your movements within the site and any information you may have voluntarily given while visiting the website, such as your name, email address, etc.

Cookies are often indispensable for websites that have huge databases, need logins, have customisable themes, or sell items in an online supermarket.

What information do Cookies contain?

Cookies usually don’t contain much information except for the URL of the website that created the cookie, the duration of the cookie’s abilities and effects, and a random number. Because a cookie contains so little information, it usually cannot be used to reveal your identity or personally identifying information.

However, marketing is becoming increasingly sophisticated and cookies in some cases can be aggressively used to create a profile of your surfing habits.

There are two types of cookies: session cookies and persistent cookies. Session cookies are created temporarily in your browser’s subfolder while you are visiting a website. Once you leave the site, the session cookie is deleted.

On the other hand, persistent cookie files remain in your browser’s subfolder and are activated again once you visit the website that created that particular cookie. A persistent cookie remains in the browser’s subfolder for the duration period set within the cookie’s file. 

This time frame can range from 1 day to 9999 days, but the law makes it a requirement to limit the time to the purpose the cookie is used for.

Different types of cookies – seven types of cookies you need to know about

1. Session Cookies

Imagine trying to shop on Amazon if you couldn’t fill your cart until you were ready to check out. You’d have to remember all the items you wanted to buy as you browse the site.

Without session cookies, that situation would be a reality.

It’s easiest to think of session cookies as a website’s short-term memory. They let sites recognise you as you move from page to page within their domain. Without the session cookies, you’d be treated as a new visitor every time you clicked on a new internal link.

They do not collect any information about your computer, and they contain no personally identifiable information that can link a session to a particular user.

Session cookies are temporary; when you close your browser, your computer will automatically delete them all.

2. First Party Cookies

Also known as persistent cookies, permanent cookies, and stored cookies, first-party cookies are akin to a website’s long-term memory. They help sites to remember your information and settings when you revisit them in the future.

Without these cookies, sites would not be able to remember your preferences such as menu settings, themes, language selection, and internal bookmarks between sessions. With first-party cookies, you can make those selections on your first visit and they will be consistent until the cookie expires.

Most persistent cookies expire after one or two years. If you do not visit the site within the expiration time frame, your browser will delete the cookie. You can also remove them manually.

First-party cookies also play an important role in user authentication. If you were to disable them, you would need to re-enter your login credentials every time you visited a page.

On the downside, companies can use persistent cookies to track you. Unlike session cookies, they do record information about your browsing habits for the entire time that they are active.

3. Third Party Cookies

Third-party cookies are the bad guys. They are the reason that cookies have such a bad reputation among internet users.

Let’s take a step back. In the case of first-party cookies, a cookie’s domain will match the domain of the site you’re visiting. A third-party cookie originates from a different domain.

Because it is not coming from the site you’re looking at, a third-party cookie is not providing any of the benefits of session cookies and first-party cookies that we just discussed.

Instead, it has one sole focus – to track you. The tracking can take many forms; the cookies can learn about your browsing history, online behavior, demographics, spending habits, and more.

Because of their ability to track, third-party cookies have become a favorite of advertising networks in a bid to drive up their sales and page views.

4. Secure Cookies

The three types of cookies we’ve covered so far are the most well-known and the most common. But there are a few others you need to be aware of.

The first is a secure cookie. It can only be transmitted over an encrypted connection. Typically, that means HTTPS.

As long as the cookie’s “Secure” attribute is active, the user agent will not transmit the cookie over an unencrypted channel. Without the Secure flag, the cookie is sent in clear text and can be intercepted by unauthorized third parties.

However, even with the Secure flag, developers should not use a cookie to store sensitive information. In practice, the flag only protects a cookie’s confidentiality. A network attacker could overwrite secure cookies from an insecure connection. This is especially true if a site has both an HTTP and HTTPS version.

5. HTTP-only Cookies

Secure cookies are often also HTTP-only cookies. The two flags work in tandem to help to reduce a cookie’s vulnerability to a cross-site scripting (XSS) attack.

In an XSS attack, a hacker injects malicious code into trusted websites. A browser cannot tell that the script should not be trusted. Therefore, the script can access the browser’s data about the infected site, including cookies.

An HTTP-only cookie cannot be accessed by scripting languages (like JavaScript), thus protecting it against such attacks.
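The session/persistent, first-party/third-party, Secure and HTTP-only distinctions from sections 1 to 5, as an added example that is not part of the original article: a small JavaScript classifier for `Set-Cookie` header values. The host names, header values and function names are constructed for illustration, and the first-party check is a simplified domain match rather than a full registrable-domain comparison.

```javascript
// Added example: classify Set-Cookie headers using the categories described above.
// All host names and header values below are constructed sample data.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Simplified domain match: exact host or a subdomain of the cookie's domain.
function domainMatches(host, domain) {
  const d = domain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// pageHost: site in the address bar; setByHost: host whose response carried the header.
function classify(header, pageHost, setByHost) {
  const c = parseSetCookie(header);
  const domain = c.attrs.domain || setByHost;
  const secure = c.attrs.secure === true;
  const httpOnly = c.attrs.httponly === true;
  return {
    name: c.name,
    lifetime: "expires" in c.attrs || "max-age" in c.attrs ? "persistent" : "session",
    party: domainMatches(pageHost, domain) ? "first" : "third",
    sentOverHttp: !secure,        // Secure: user agent withholds it on plain HTTP
    readableByScript: !httpOnly,  // HttpOnly: hidden from document.cookie
    findings: [
      ...(secure ? [] : ["missing Secure"]),
      ...(httpOnly ? [] : ["missing HttpOnly"]),
    ],
  };
}

const samples = [
  ["sid=abc123; Path=/; Secure; HttpOnly", "shop.example", "shop.example"],
  ["theme=dark; Max-Age=31536000; Path=/", "shop.example", "shop.example"],
  ["uid=42; Domain=ads.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure", "shop.example", "ads.example"],
];
for (const s of samples) console.log(JSON.stringify(classify(...s)));
```

A login or session cookie that shows up with either finding is the one to fix first, since it is the cookie a network eavesdropper or an injected script would want.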

6. Flash Cookies

A Flash cookie is the most common type of supercookie. In case you’re not aware, a supercookie performs many of the same functions as a regular cookie, but they are more difficult to find and delete.

In the case of Flash cookies, developers use the Flash plugin to hide cookies from your browser’s native cookie management tools.

Flash cookies are available to all browsers (so using one browser for your credit card and one for downloading torrents would have negligible security benefits). They can hold 100KB of data compared to an HTTP cookie’s mere 4KB.

7. Zombie Cookies

A zombie cookie is closely tied to a Flash cookie. A zombie cookie can instantly recreate itself if someone deletes it. The recreation is possible thanks to backups stored outside a browser’s regular cookie storage folder – often as a Flash Local Shared Object or as HTML5 Web Storage.

The recreation relies on Quantcast technology. Because a Flash cookie stores a unique user ID in Adobe Flash Player’s storage bin, Quantcast can reapply it to a new HTTP cookie if the old one is removed.

What Are Cookies Used For?

Websites use HTTP cookies to streamline your web experiences. Without cookies, you’d have to log in again after you leave a site or rebuild your shopping cart if you accidentally close the page. This makes cookies an important part of the internet experience.

Based on this, you’ll want to understand why they’re worth keeping — and when they’re not.

Here’s how cookies are intended to be used:

  1. Session management. For example, cookies let websites recognize users and recall their individual login information and preferences, such as sports news versus politics.
  2. Personalisation. Customised advertising is the main way cookies are used to personalize your sessions. You may view certain items or parts of a site, and cookies use this data to help build targeted ads that you might enjoy.
  3. Tracking. Shopping sites use cookies to track items users previously viewed, allowing the sites to suggest other goods they might like and keep items in shopping carts while they continue shopping.

While this is mostly for your benefit, web developers get a lot out of this set-up as well.

Cookies are stored on your device locally to free up storage space on a website’s servers. In turn, websites can personalize while saving money on server maintenance and storage costs.

Why Cookies can be dangerous

Since the data in cookies doesn’t change, cookies themselves aren’t dangerous or harmful.

They can’t infect computers with viruses or other malware. However, some cyber-attacks can hijack cookies and enable access to your browsing sessions.

The danger lies in their ability to track individuals’ browsing histories.

Website Cookies are essential

Cookies are an essential part of the web. They make things work the way we want them to work; they remember what we put in shopping baskets, what colours we like, font size, and even language. They are a part of everyday surfing. We just need to know they are there and what they are doing.

Can you imagine having to remember what you wanted to order from Amazon and, before you go to the checkout, keeping a written list of goodies to buy? It would not make for a very good shopping experience. That’s what cookies do: they make your experience more enjoyable.

Introducing CookieScan

CookieScan does all of this for you. It takes the worry away about not being compliant with the cookie laws, it collects consent and records it in case you are ever challenged. Once the code is embedded into your site’s header, CookieScan will regularly scan your site and identify all the cookies used. It will create your cookie policy or cookie notice for you and keep it up to date.

You can select the colour theme of the pop-up of the banner to match the colour theme of your website. You can select the type of banner you want to use, either a modal center placed pop-up or a banner placed at the bottom of the screen.

This will be displayed in any country that has a cookie law. In any country that does not have a cookie law, we will display an information-only banner to let the site visitor know cookies are being used and give them the option to look at the list of cookies on the site. Consent is not asked for; the continued use of the website is the implied consent needed.

How does CookieScan know what country has a cookie law or not?

We fitted a Geo-location feature to our scanner. This recognises the country the website is being viewed in and displays the appropriate popup or banner for that country’s cookie requirement, very clever stuff. More importantly, it stops your website from annoying visitors by asking for cookie consent when it is not required.

Powerful Features

Other great features of CookieScan are the ability to use Google Tag Manager and Google Consent mode. These two features make life a lot easier for your marketing team, especially Google Consent Mode. This allows data to be provided even if the site visitor declines to allow the marketing or statistical cookies.

Before this, when these cookies were declined, you lost all that data, so website owners were not putting cookie consent management software onto their sites and running the risk of being fined for non-compliance. They don’t have to run that risk anymore.

Geo-location we have already explained, but coming soon will be the ability to receive a data subject access request from your pop-up or banner. We are building a way that site visitors can use CookieScan as their complete data privacy compliance tool, requesting one of the GDPR rights, such as a request for data, objection to processing, correction of data and, to comply with the CCPA, a notification for their data not to be sold.

This is going to make CookieScan one of the best tools available, far beyond the capabilities of our competitors. Watch out for this launch!

CookieScan will also soon be multilingual, so it will be displayed in the language of the country it is being viewed in. At the moment we rely on Google Translate to change the language of the pop-up or banner and the cookie policy or cookie notice; this will soon be a thing of the past.

Visit www.CookieScan.com to find out more information and the benefits of using this fantastic cookie management software.
