What Is a Browser Cookie?
A browser cookie is a small text file that a website stores in your browser to remember information about you between page loads and visits. Cookies keep you logged in, hold shopping cart contents, remember preferences, and let sites and advertisers track behavior for analytics and marketing. They are sent back to the server with each request, giving the otherwise stateless web a memory. Cookies come in first-party and third-party forms and are regulated by privacy laws worldwide.
- What it is
- A small text file a website stores in the browser to remember data
- First vs third party
- First-party set by the site you visit; third-party set by other domains for tracking
- Session vs persistent
- Session cookies expire when you close the browser; persistent ones have set lifespans
- Regulation
- Governed by GDPR, CPRA, and other privacy laws requiring notice or consent (privacy law)
What is a browser cookie? #
A browser cookie is a tiny piece of data that a website asks your browser to store, so it can recognize you or remember something on your next request or visit. The web is fundamentally stateless, meaning each page request is independent and the server does not inherently remember who you are between clicks. Cookies solve that by giving the web a memory. When you first visit a site, its server can send a cookie, a small labeled bit of text, that your browser saves. On every subsequent request to that site, your browser automatically sends the cookie back, letting the server recognize your session, recall your settings, or continue where you left off. Cookies are small by design, limited in size, and tied to the domain that set them. They power everyday conveniences like staying logged in and keeping items in a cart, but they also enable tracking, which is why they sit at the center of privacy law and the cookie banners explained at /wiki/what-is-a-cookie-banner.
How do cookies actually work? #
The mechanics of cookies are a simple exchange built into the web's protocol. When your browser requests a page, the server can include a Set-Cookie instruction in its response, telling the browser to store a name-value pair along with attributes like an expiration date, the domain and path it applies to, and security flags. Your browser saves it. From then on, every time you make a request to that same domain, the browser automatically attaches the matching cookies in the request headers, so the server sees them and can act accordingly, recognizing your logged-in session, for example. Cookies carry attributes that control their behavior: the Expires or Max-Age attribute sets how long they live, the Secure flag restricts them to HTTPS connections, the HttpOnly flag prevents JavaScript from reading them (an important defense against the cookie theft described in cross-site scripting attacks), and the SameSite attribute limits when cookies are sent with cross-site requests to reduce certain attacks. This quiet, automatic exchange happens on virtually every website you use, making cookies foundational to how the modern web functions.
What are cookies used for? #
Cookies serve three broad purposes. The first is essential functionality: keeping you logged in by storing a session identifier, holding the contents of a shopping cart as you browse, remembering security tokens, and maintaining state during multi-step processes like checkout. Without these, e-commerce and account-based sites simply could not work. The second is preferences and convenience: remembering your language, region, currency, dark or light mode, and whether you have dismissed a notice, so the site feels personalized on return visits. The third, and most scrutinized, is analytics and marketing: cookies let tools like Google Analytics count and understand visitors, and they let advertising platforms recognize users across sites to build profiles, retarget ads, and measure conversions. This last category is why cookies became a privacy flashpoint. For a local business, the functional and preference cookies keep the site usable, while the analytics and advertising cookies power the measurement and remarketing that make campaigns effective, which ties directly into how conversions are tracked and improved through /services/conversion-optimization and paid campaigns.
What is the difference between first-party and third-party cookies? #
The distinction between first-party and third-party cookies is central to both privacy and modern web changes. A first-party cookie is set by the website you are actually visiting, the domain in your address bar. These handle logins, carts, preferences, and the site's own analytics, and they are generally seen as benign and necessary. A third-party cookie is set by a different domain than the one you are visiting, typically embedded through advertising networks, social widgets, or trackers loaded on the page. Because the same third-party domain can be present across many different websites, it can recognize you as you move around the web and build a cross-site profile of your interests, which is the engine behind targeted advertising. This cross-site tracking is exactly what privacy regulators and, increasingly, browsers themselves have moved to restrict. Major browsers have blocked or are phasing out third-party cookies, pushing advertisers toward privacy-friendlier alternatives. Understanding which cookies your site relies on matters for both compliance and the future reliability of your marketing measurement.
What is the difference between session and persistent cookies? #
Cookies also differ by how long they last. A session cookie exists only for the duration of your browsing session; it is stored in memory and disappears when you close the browser. Session cookies are typically used for things that only need to last while you are actively using the site, such as maintaining your logged-in state during a single visit or holding a cart until you leave. Because they vanish automatically, they are lower-risk from a privacy standpoint. A persistent cookie, by contrast, is written with an expiration date and remains on your device until that date arrives or you clear it, surviving across sessions and even reboots. Persistent cookies enable remember-me logins, long-term preferences, and, notably, the durable tracking identifiers that analytics and advertising rely on to recognize returning visitors over days, weeks, or months. The lifespan of a persistent cookie is set by the site and can range from minutes to years. Privacy laws often care about persistent tracking cookies specifically, since they enable ongoing profiling, which is a key reason cookie durations must be disclosed in a cookie policy.
How do cookies relate to privacy and security? #
Cookies sit at the intersection of privacy and security, and they raise concerns on both fronts. On privacy, tracking cookies, especially third-party ones, enable detailed profiling of behavior across the web, which is why laws like the EU and UK GDPR and California's CPRA regulate them, requiring notice and often consent before non-essential cookies are set. That legal framework is why websites display the consent tools described at /wiki/what-is-a-cookie-banner and must document their cookies in a privacy policy, covered at /wiki/what-is-a-privacy-policy. On security, cookies are valuable targets because a session cookie can effectively be a key to a logged-in account; if an attacker steals it, they may impersonate the user without a password. This is the payoff of many cross-site scripting attacks and why the HttpOnly flag, which hides cookies from JavaScript, and the Secure and SameSite flags matter so much. Properly configured cookie attributes are a real security control, not a formality. Getting them right is part of hardening a site through /services/website-security, protecting both user accounts and the business.
What do privacy laws require for cookies? #
Because cookies can carry personal data and enable tracking, they fall squarely under privacy regulation, and the requirements vary by region. Under the EU and UK regimes, websites generally must obtain informed, opt-in consent before setting non-essential cookies, meaning analytics and advertising cookies cannot fire until the visitor agrees, and consent must be freely given and easy to withdraw. Strictly necessary cookies that make the site work are usually exempt from consent but should still be disclosed. In the United States, the model is typically opt-out under state laws like the CPRA, giving visitors the right to reject the sale or sharing of their data, often surfaced through a Do Not Sell or Share link. Practically, compliance means disclosing every cookie, its purpose, provider, and lifespan, usually in a cookie policy, and deploying a consent mechanism appropriate to your audience. A local business serving customers across states, or running ads, needs to handle this correctly to avoid complaints and platform issues. The full landscape is mapped at /wiki/website-privacy-laws-explained, and we help clients implement compliant consent as part of /services/website-security.
Are cookies going away, and what replaces them? #
Cookies are not disappearing entirely, but the tracking landscape is changing significantly. First-party cookies that handle logins, carts, and preferences remain essential and are not going anywhere; the web depends on them. What is under pressure is the third-party cookie used for cross-site tracking. Privacy-focused browsers like Safari and Firefox have blocked third-party cookies for years, and the broader industry has been moving to restrict them, pushing advertisers to adapt. The alternatives emerging include first-party data strategies, where businesses rely on data collected directly through their own site and consented relationships, server-side tracking, privacy-preserving measurement approaches, and identifiers based on logged-in relationships or hashed emails. For local businesses, the practical implications are twofold: measurement of ad performance is becoming more dependent on proper first-party setup and consent, and collecting your own audience through email and accounts grows more valuable. This shift makes clean analytics configuration and conversion tracking more important, not less, which is why we build robust, consent-aware measurement into campaigns and optimization work under /services/conversion-optimization, so your marketing keeps working as the cookie era evolves.
FAQ
What is a browser cookie in simple terms?
A cookie is a small text file a website stores in your browser to remember information about you between page loads and visits. It keeps you logged in, holds your shopping cart, remembers preferences, and can track behavior. The browser automatically sends it back to the site on each request, giving the web a memory.
What is the difference between first-party and third-party cookies?
First-party cookies are set by the site you are visiting and handle logins, carts, and preferences. Third-party cookies are set by other domains embedded in the page, usually for cross-site advertising and tracking. Browsers are increasingly blocking third-party cookies over privacy concerns, while first-party cookies remain essential.
Are cookies a security risk?
They can be. A session cookie is effectively a key to a logged-in account, so if an attacker steals it, they may impersonate the user without a password. That is why security flags matter: HttpOnly hides cookies from scripts, Secure restricts them to HTTPS, and SameSite limits cross-site sending.
What is the difference between session and persistent cookies?
Session cookies exist only while your browser is open and disappear when you close it, used for temporary state like a single-visit login. Persistent cookies have a set expiration date and remain on your device across sessions, enabling remember-me logins, long-term preferences, and durable tracking identifiers used by analytics and advertising.
Do I need consent to use cookies?
It depends on the cookie and region. In the EU and UK, non-essential cookies like analytics and advertising generally require opt-in consent before they fire. In most US states, an opt-out model applies. Strictly necessary cookies are usually exempt from consent but should still be disclosed in your privacy or cookie policy.
Are cookies being phased out?
Only third-party tracking cookies are under pressure; first-party cookies that power logins, carts, and preferences remain essential. Privacy-focused browsers already block third-party cookies, pushing advertisers toward first-party data, server-side tracking, and privacy-preserving measurement. This makes proper, consent-aware analytics and conversion tracking more important than ever for marketing.
Was this helpful?