Third-Party Cookies Explained
For reasons I don’t understand, the subject of HTTP cookies tends to attract confusion, vague understanding, and outright misinformation. For instance, you may have read that cookies are scripts, or “programs”, or software, all of which are untrue. You may have read that cookies can transmit viruses or install malware on your computer. Also untrue.
The misunderstandings grow further when you get into the matter of different types of cookies: first-party cookies, third-party cookies, Flash cookies, etc.
This post is concerned with third-party cookies, a subject I’ve singled out because of its day-to-day relevancy, importance to user privacy, and ease with which users can exercise control of it. It’s also something that I find even web developers can be easily confused about.
I hope this provides a clear understanding of how third-party cookies work and answers some of the questions you may have. First…
There’s no such thing as a third-party cookie
Right? OK, I’ll explain. Your browser maintains a collection of cookies. It receives a request from a website to store a cookie and it adds the cookie to the collection. There isn’t a collection of first-party cookies and a collection of third-party cookies, there’s just a collection of cookies.
The thing to understand is that there is no intrinsic difference between a first-party cookie and a third-party cookie. There are just cookies. The distinction only exists at runtime, within the context of a particular visit.
If a cookie is associated with a file requested from the same domain as the page you are viewing, it’s a first-party cookie. A cookie associated with a file requested from a different domain is a third-party cookie. That’s it.
Notice that the same cookie can be a first-party cookie one moment and a third-party cookie the next. For instance, when you visit twitter.com your browser sets several cookies associated wth the *.twitter.com domain name. In the context of your stay on Twitter these are first-party cookies. If you then visit huffingtonpost.com, Huffington Post requests files from twitter.com and those requests include the same *.twitter.com cookies, which are now third-party cookies.
What’s a cookie again?
We’ll do this real quick. (Begin obligatory http-request-as-casual-conversation-to-explain-how-cookies-work):
You visit a website and your browser starts requesting all the files that constitute the website. So your browser asks the server, “Can I have sleepy-cat.gif?” and the server is like, “Yeah, here you go oh and take this thing and bring it with you when you come back for more files. So I know it’s you.” Your browser says “kthxbye” and then returns a nanosecond later: “Hi can I have invisible-bike-cat.jpg? Oh and here, I have this thing.” And then the server goes, “Oh it’s you.”
At this point you’ve probably figured out that the mentioned thing is the cookie. That’s far from a complete description and it doesn’t explain why a server might want to recognize a browser but that’s stuff you can easily look up elsewhere and also I said we were going to keep this short.
Cookies are powerful
So in a sense, cookies connect the dots for the server. Without cookies there’s no way for the server to know that the requests for sleepy-cat.gif and invisible-bike-cat.jpg came from the same browser—from the same user.
There’s the rub. Cookies enable servers to aggregate requests—and thus data—around a particular user.
At the first-party level this is (mostly) all well and good. If you’re logged into Twitter the server uses a cookie to maintain your session, letting you stay logged in with each request.
But third-party cookie transactions perform no such value and instead tend to be used for behind-the-scenes tracking purposes. Again, if you’re reading an article on the Huffington Post, identification information is sent back to Twitter when the requests are made for the Tweet and Follow buttons. And just to be clear, you don’t have to interact with these buttons for the cookies to be sent. They are sent automatically as soon as the page loads.
Network inspector screenshot showing third-party cookie sent to Twitter.
What happens when you disable third-party cookies
So third-party cookies can be pretty gross. The good news is that you have the ability to shut this whole party down by disabling third-party cookies in your browser preferences. Disabling third-party cookies does two things.
One, it prevents HTTP responses and scripts from other domains from setting cookies. The instruction to store a cookie is simply ignored.
Is that enough? Just block third-party cookies from being set? Nope. Because you’ll remember that there is no intrinsic difference between first- and third-party cookies and that the same cookie can act as both in different contexts.
So the second thing disabling third-party cookies does is remove cookies from requests to domains that are not the document origin domain. In other words cookies are only sent to the current site that you’re viewing.
Privacy
I want to mention that not all third-party cookie activity is part of a data mining effort to stalk you across the web. Once a cookie is set the receiving site has no say about when the cookies are sent. They’re simply sent all the time. So just because a cookie is pinned to a request doesn’t mean the receiving server is tracking your activity.
In other cases, tracking your activity across different sites is exactly what the third-party cookies are for.
As users, most of us have an interest in protecting our privacy. Disabling third-party cookies is recommended for anyone concerned with privacy, as it can drastically reduce the amount of data collected about what we do online.
If you make websites you also have to worry about the privacy of your users. This means being aware of the privacy implications of third-party code and knowing how these vendors use third-party cookies. (Aaron Gustafson wrote a great post about this a few weeks ago. You should check it out. Link below.)
I hope this helped with your understanding of third-party cookies. If you have any questions or recommended additions/subtractions, please leave a note in the comments.
Related Articles
- Don’t Sell Out Your Users by Aaraon Gustafson
- HTTP Cookies Explained by Nicholas Zakas
- Serving Static Content from a Cookieless Domain by Me
Discussion
There was some more good discussion about third party cookies and the philosophical questions surrounding it on one of my favorite podcasts Security Now.
Here’s a transcript of the conversation, with the third party cookie discussion happening at the beginning of the transcript.
http://www.grc.com/sn/sn-342.htm
I feel it’s of worth to mention that there are also situations in which third-party cookies are used beneficially, such as with websites that enable comments through a separate commenting system like Facebook or Disqus. There, while the cookies are undoubtedly used for tracking purposes, they are also used to enable functionality within the site.
Best kind of article! Packed full of usable info and cute.
Good information!
I’ve come across a scenario where 3rd party cookies are
used in another way, don’t know if it’s a good solution though:
Webpage A is a webpage with financial information where you have to log in, in order to access real time data.
Webpage B is another financial webpage with other content, and in order to merge the two, B has added in iFrame that links to a widget hosted by A.
Since the user needs to be logged in, disabling 3rd party cookies will disable this functionality.
Really accessible and concise description. Extremely helpful.