How Cookies Work - The Technology That Gives the Web Memory
HTTP is inherently a stateless protocol. Every time a server receives a request, it has no built-in way to know who sent it or how many times that person has visited. In 1994, Netscape engineer Lou Montulli devised cookies to solve this fundamental problem.
A cookie is a small piece of text data that a server sends to the browser via the Set-Cookie header. The browser then automatically attaches that data as a Cookie header on subsequent requests to the same domain. This mechanism enables session persistence - maintaining login state, preserving shopping cart contents, and remembering language preferences.
While cookies are an essential web technology, they are also widely used as a tracking mechanism, making them a focal point of global privacy regulation.
First-Party Cookies vs. Third-Party Cookies
Cookies are classified into two types based on the domain that issues them. This distinction lies at the heart of the privacy debate.
| Type | Issued By | Primary Use | Privacy Risk |
|---|---|---|---|
| First-Party | The site you are visiting | Login persistence, cart retention, preference storage | Low (valid only within that site) |
| Third-Party | A domain different from the site you are visiting | Ad tracking, analytics, social media widgets | High (cross-site behavioral tracking) |
For example, when you visit shop.example.com, cookies set by that domain are first-party. However, cookies set by an embedded ad network like ads.tracker.com are third-party. Because ad networks distribute scripts across millions of sites, they can build a comprehensive profile of which sites a user visits and in what order.
Safari has blocked third-party cookies by default since ITP (Intelligent Tracking Prevention) launched in 2017. Firefox followed with ETP (Enhanced Tracking Protection). Chrome had long announced plans to deprecate third-party cookies but reversed course in 2024, opting instead to let users choose whether to allow them.
Session Cookies vs. Persistent Cookies
Cookies are also classified by their lifespan.
Session Cookies
Cookies without an Expires or Max-Age attribute. They are automatically deleted when the browser is closed. Session cookies are used for login session management and temporary form data retention. From a security standpoint, they are safer than persistent cookies because closing the browser eliminates the cookie, reducing risk on shared computers.
Persistent Cookies
Cookies with an Expires (absolute expiration date) or Max-Age (lifetime in seconds) attribute. They survive browser restarts and persist until the specified expiration. The "Keep me logged in" checkbox works by issuing a long-lived persistent cookie instead of a session cookie.
Since 2023, Chrome caps persistent cookie lifetimes at 400 days. Previously, sites could set expiration dates years into the future, but the cap was introduced to curb long-term tracking.
The SameSite Attribute - A Key Defense Against CSRF
The SameSite attribute controls whether a cookie is sent with cross-site requests. Introduced in 2016 as a countermeasure against CSRF (Cross-Site Request Forgery) attacks, it is now supported by all major browsers.
| Value | Behavior | Use Case |
|---|---|---|
| Strict | Cookie sent only with same-site requests | Banking sites and other high-security contexts |
| Lax | Sent on top-level navigations (link clicks) but not on POST or iframe requests | General websites (Chrome's default) |
| None | Sent with all cross-site requests | Third-party cookies (requires the Secure attribute) |
Since 2020, Chrome treats cookies without an explicit SameSite attribute as Lax. This means cookies are no longer sent with cross-site requests unless the developer explicitly sets SameSite=None; Secure. This change impacted many web applications, particularly iframe-based payment forms and SSO (Single Sign-On) implementations that relied on cross-site cookie transmission.
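The following is an added example, not code from the original article: a small model of how a browser parses a Set-Cookie header (session vs. persistent, Secure, SameSite) and then decides whether to attach that cookie to a later request, applying the SameSite rules from the table above and the first-party/third-party distinction from earlier. The `siteOf` helper is a deliberate simplification (last two host labels) standing in for the Public Suffix List that real browsers use.

```javascript
// Added example (not from the article): parse Set-Cookie and model the
// browser's "should this cookie be attached?" decision for one request.

// Parse "name=value; Attr; Attr=val" into a cookie object.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  // Persistent only if Expires or Max-Age is present; otherwise a session cookie.
  cookie.persistent = 'expires' in cookie.attrs || 'max-age' in cookie.attrs;
  // Browsers that default to Lax treat a missing SameSite as Lax.
  cookie.sameSite = String(cookie.attrs.samesite || 'Lax').toLowerCase();
  cookie.secure = cookie.attrs.secure === true;
  return cookie;
}

// Simplification (assumption): the "site" is the last two host labels. Real
// browsers consult the Public Suffix List, so hosts like "x.co.uk" are mis-handled here.
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// A request is cross-site when the initiating page and the target belong to
// different sites; the same test separates first-party from third-party cookies.
function isCrossSite(initiatorHost, targetHost) {
  return siteOf(initiatorHost) !== siteOf(targetHost);
}

// Would the browser attach `cookie` to this request?
// req = { initiatorHost, targetHost, https, topLevel, method }
function wouldSend(cookie, req) {
  if (cookie.secure && !req.https) return false;                     // Secure: HTTPS only
  if (!isCrossSite(req.initiatorHost, req.targetHost)) return true;  // same-site: always sent
  switch (cookie.sameSite) {
    case 'strict': return false;                                     // never sent cross-site
    case 'none':   return cookie.secure;                             // None without Secure is rejected
    default:       return req.topLevel && ['GET', 'HEAD'].includes(req.method); // Lax
  }
}
```

Run `wouldSend` against a cross-site top-level GET versus a cross-site iframe or POST to see why the Lax default broke iframe-based payment forms while leaving ordinary link clicks working.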
To learn the fundamentals of web technologies including cookie security attributes, web development reference books are a helpful starting point.
GDPR and Cookie Consent - Why Consent Banners Appear
The EU's GDPR (General Data Protection Regulation, effective 2018) and the ePrivacy Directive require websites to obtain explicit consent before setting non-essential cookies for EU users. This is the reason behind the cookie consent banners that appear on virtually every website.
GDPR's consent requirements are stringent.
- Prior consent (opt-in): Non-essential cookies must not be set until the user actively consents
- Clear choices: A "Reject All" button must be presented with equal prominence to "Accept All"
- Granular selection: Users must be able to consent to or reject each cookie category (analytics, advertising, functional) individually
- Easy withdrawal: Consent must be revocable at any time with the same ease as granting it
- Record keeping: Organizations must maintain records of who consented, when, and to what
Penalties for non-compliance can reach 4% of global annual revenue or 20 million euros, whichever is higher. In 2022, France's data protection authority CNIL fined Google 150 million euros and Facebook 60 million euros for cookie consent violations.
Why Websites Ask for Cookie Consent explores the regulatory differences across countries in greater detail. See also Ad Tracking Protection for practical defense strategies.
What Happens When You Delete Cookies
Clearing cookies from your browser settings triggers the following effects.
- Login sessions are reset: You will be logged out of every website and must re-enter credentials
- Shopping carts are emptied: Items saved in e-commerce carts are lost
- Site preferences revert to defaults: Dark mode, language selection, display density, and other customizations reset
- Cookie consent records are erased: Consent banners reappear on every site
- Tracking profiles are temporarily severed: Ad network profiles lose continuity, though browser fingerprinting may re-link your identity
Rather than deleting all cookies, a more practical balance between convenience and privacy is to block third-party cookies while keeping first-party cookies intact. Firefox's Enhanced Tracking Protection and Safari's ITP take exactly this approach.
IP Checker lets you review your browser's cookie configuration as part of its security assessment. Check periodically to ensure unnecessary cookies are not accumulating.