Third-Party Cookies Explained

For reasons I don’t understand, the subject of HTTP cookies tends to attract confusion, vague understanding, and outright misinformation. For instance, you may have read that cookies are scripts, or “programs”, or software, all of which are untrue. You may have read that cookies can transmit viruses or install malware on your computer. Also untrue.

The misunderstandings grow further when you get into the matter of different types of cookies: first-party cookies, third-party cookies, Flash cookies, etc.

This post is concerned with third-party cookies, a subject I’ve singled out because of its day-to-day relevancy, importance to user privacy, and ease with which users can exercise control of it. It’s also something that I find even web developers can be easily confused about.

I hope this provides a clear understanding of how third-party cookies work and answers some of the questions you may have. First…

There’s no such thing as a third-party cookie

Right? OK, I’ll explain. Your browser maintains a collection of cookies. It receives a request from a website to store a cookie and it adds the cookie to the collection. There isn’t a collection of first-party cookies and a collection of third-party cookies, there’s just a collection of cookies.

The thing to understand is that there is no intrinsic difference between a first-party cookie and a third-party cookie. There are just cookies. The distinction only exists at runtime, within the context of a particular visit.

If a cookie is associated with a file requested from the same domain as the page you are viewing, it’s a first-party cookie. A cookie associated with a file requested from a different domain is a third-party cookie. That’s it.

Notice that the same cookie can be a first-party cookie one moment and a third-party cookie the next. For instance, when you visit twitter.com your browser sets several cookies associated with the *.twitter.com domain name. In the context of your stay on Twitter these are first-party cookies. If you then visit huffingtonpost.com, Huffington Post requests files from twitter.com and those requests include the same *.twitter.com cookies, which are now third-party cookies.

What’s a cookie again?

We’ll do this real quick. (Begin obligatory http-request-as-casual-conversation-to-explain-how-cookies-work):

You visit a website and your browser starts requesting all the files that constitute the website. So your browser asks the server, “Can I have sleepy-cat.gif?” and the server is like, “Yeah, here you go oh and take this thing and bring it with you when you come back for more files. So I know it’s you.” Your browser says “kthxbye” and then returns a nanosecond later: “Hi can I have invisible-bike-cat.jpg? Oh and here, I have this thing.” And then the server goes, “Oh it’s you.”

At this point you’ve probably figured out that the mentioned thing is the cookie. That’s far from a complete description and it doesn’t explain why a server might want to recognize a browser but that’s stuff you can easily look up elsewhere and also I said we were going to keep this short.

Cookies are powerful

So in a sense, cookies connect the dots for the server. Without cookies there’s no way for the server to know that the requests for sleepy-cat.gif and invisible-bike-cat.jpg came from the same browser—from the same user.

There’s the rub. Cookies enable servers to aggregate requests—and thus data—around a particular user.

At the first-party level this is (mostly) all well and good. If you’re logged into Twitter the server uses a cookie to maintain your session, letting you stay logged in with each request.

But third-party cookie transactions provide no such value and instead tend to be used for behind-the-scenes tracking purposes. Again, if you’re reading an article on the Huffington Post, identification information is sent back to Twitter when the requests are made for the Tweet and Follow buttons. And just to be clear, you don’t have to interact with these buttons for the cookies to be sent. They are sent automatically as soon as the page loads.

Screenshot: network inspector showing a third-party cookie sent to Twitter from a Huffington Post page.

What happens when you disable third-party cookies

So third-party cookies can be pretty gross. The good news is that you have the ability to shut this whole party down by disabling third-party cookies in your browser preferences. Disabling third-party cookies does two things.

One, it prevents HTTP responses and scripts from other domains from setting cookies. The instruction to store a cookie is simply ignored.

Is that enough? Just block third-party cookies from being set? Nope. Because you’ll remember that there is no intrinsic difference between first- and third-party cookies and that the same cookie can act as both in different contexts.

So the second thing disabling third-party cookies does is remove cookies from requests to domains that are not the document origin domain. In other words, cookies are only sent to the site that you’re currently viewing.
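To make the two ideas above concrete (a single cookie collection where first- versus third-party is decided per request, and the two effects of the "block third-party cookies" setting), here is a small constructed model of a browser cookie jar. It is an added example, not code from the post or from any browser; the hosts, cookie names and values are made up, and the "site" check is a deliberate simplification of what real browsers do with the Public Suffix List.

```python
from dataclasses import dataclass, field

def site_of(host: str) -> str:
    # Constructed simplification: the last two labels are the "site"
    # (platform.twitter.com -> twitter.com). Browsers use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

@dataclass
class CookieJar:
    """One flat cookie collection; first-/third-party is decided per request, not stored."""
    block_third_party: bool = False
    cookies: dict = field(default_factory=dict)  # site -> {cookie name: value}

    def is_third_party(self, page_host: str, request_host: str) -> bool:
        return site_of(page_host) != site_of(request_host)

    def on_response(self, page_host: str, request_host: str,
                    set_cookie: list) -> list:
        """Handle Set-Cookie headers; effect 1 of blocking: cross-site Set-Cookie is ignored."""
        if self.block_third_party and self.is_third_party(page_host, request_host):
            return []
        stored = []
        for header in set_cookie:
            name, _, value = header.split(";", 1)[0].partition("=")
            self.cookies.setdefault(site_of(request_host), {})[name.strip()] = value.strip()
            stored.append(name.strip())
        return stored

    def cookie_header(self, page_host: str, request_host: str) -> str:
        """Build the Cookie header; effect 2 of blocking: nothing goes to other sites."""
        if self.block_third_party and self.is_third_party(page_host, request_host):
            return ""
        jar = self.cookies.get(site_of(request_host), {})
        return "; ".join(f"{k}={v}" for k, v in jar.items())

def twitter_scenario(block_third_party: bool) -> dict:
    """Constructed walk-through of the post's example: log in on twitter.com,
    then read huffingtonpost.com, which embeds the Tweet button from twitter.com."""
    jar = CookieJar(block_third_party)
    # First-party context: twitter.com's own response sets the session cookie.
    jar.on_response("twitter.com", "twitter.com", ["auth_token=abc123; Secure; HttpOnly"])
    first = jar.cookie_header("twitter.com", "twitter.com")
    # Third-party context: the same cookie, now requested from another site's page.
    third = jar.cookie_header("huffingtonpost.com", "platform.twitter.com")
    # The widget response also tries to set a cookie in the third-party context.
    set_ok = jar.on_response("huffingtonpost.com", "platform.twitter.com", ["guest_id=v1%3A42"])
    return {"first_party": first, "third_party": third, "third_party_set": set_ok}
```

With blocking off, the same `auth_token` cookie rides along on both the first-party and the third-party request; with blocking on, the third-party request carries no Cookie header and the widget's Set-Cookie is dropped. The comments below note that browsers have not always implemented the second effect, which is worth checking in the network inspector rather than assuming.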

Privacy

I want to mention that not all third-party cookie activity is part of a data mining effort to stalk you across the web. Once a cookie is set the receiving site has no say about when the cookies are sent. They’re simply sent all the time. So just because a cookie is pinned to a request doesn’t mean the receiving server is tracking your activity.

In other cases, tracking your activity across different sites is exactly what the third-party cookies are for.

As users, most of us have an interest in protecting our privacy. Disabling third-party cookies is recommended for anyone concerned with privacy, as it can drastically reduce the amount of data collected about what we do online.

If you make websites you also have to worry about the privacy of your users. This means being aware of the privacy implications of third-party code and knowing how these vendors use third-party cookies. (Aaron Gustafson wrote a great post about this a few weeks ago. You should check it out. Link below.)

I hope this helped with your understanding of third-party cookies. If you have any questions or recommended additions/subtractions, please leave a note in the comments.


Discussion

Micah

There was some more good discussion about third party cookies and the philosophical questions surrounding it on one of my favorite podcasts Security Now.

Here’s a transcript of the conversation, with the third party cookie discussion happening at the beginning of the transcript.
http://www.grc.com/sn/sn-342.htm

joequincy

I feel it’s of worth to mention that there are also situations in which third-party cookies are used beneficially, such as with websites that enable comments through a separate commenting system like Facebook or Disqus. There, while the cookies are undoubtedly used for tracking purposes, they are also used to enable functionality within the site.

Dwayne McCalister

Best kind of article! Packed full of usable info and cute.

Christian

Good information!

I’ve come across a scenario where 3rd party cookies are used in another way, don’t know if it’s a good solution though:

Webpage A is a webpage with financial information where you have to log in, in order to access real time data.
Webpage B is another financial webpage with other content, and in order to merge the two, B has added an iFrame that links to a widget hosted by A.
Since the user needs to be logged in, disabling 3rd party cookies will disable this functionality.

Michele

Really accessible and concise description. Extremely helpful.

Graham Cee

Does enabling or disabling cookies, 1st or 3rd party, have any impact on performance? For instance I’ve noticed when web pages are slow to load they seem to be loading ad based content.

Kim Mason

I did some investigation into this 2 years ago. At that time, turning off 3rd party cookies in Chrome and Safari only prevented them from being set by 3rd parties, not sent to 3rd parties.

Firefox actually blocked all cookie exchange between your browser and 3rd party websites. I didn’t test Opera or IE.

I’m not sure how the current versions behave.

Kim Mason

… after some investigation, I have discovered that Firefox now implements 3rd party cookie blocking by only blocking the setting of 3rd party cookies, not the sending. See:

http://webpolicy.org/2013/02/22/the-new-firefox-cookie-policy/

So it looks like if you want to completely block 3rd party cookies from even being sent, you’ll need to use other tools.

Daniel

Nice article.

What you say about 3rd party cookies matches my own experience that the browsers’ “disable 3rd party cookies” option blocks the receiving *and* sending of 3rd party cookies.

Interestingly, I read in most other articles on the same topic that the “disable 3rd party cookies” option blocks only the receiving of 3rd party cookies. This does not match my experience.

I wonder if you know why there is so much misinformation about this?

Thanks.

- Daniel