The Hidden Web Behind Every Click: Why You Should Care About Cookies
Associate Professor (Dr) Sheeba Armoogum (Ph.D in Cybersecurity)
Written by Associate Professor (Dr) Sheeba Armoogum, University of Mauritius
Every time you browse the internet, an invisible trail of your online activities is being meticulously recorded. It's not just about the specific websites you visit or the links you click. Behind the scenes, cookies, which are tiny data files, silently monitor, store, and transmit intricate details about your digital footprint. Whether you're aware of it or not, these cookies power the seamless, personalised digital experiences you've come to expect, keeping you logged in and remembering your preferences.
With just a simple click of "Accept Cookies", you unknowingly grant websites permission to track, store, and share vast information about your behaviour, preferences, and activities across the web. But what exactly are cookies, and why should you care about them? Cookies are the glue that holds together your online experience, ensuring you stay logged in, your shopping cart stays full, and your preferred settings are remembered from one visit to the next. They are the unsung heroes enabling the seamless, personalised web experience we've all come to expect.
Hackers absolutely love cookies. In the wrong hands, these innocuous data files can become a powerful weapon for cybercriminals, enabling attacks like session hijacking, Cross-Site Scripting, and Cross-Site Request Forgery. These exploits target and manipulate the very mechanisms that make cookies useful, turning them into vulnerabilities that can be exploited for nefarious purposes.
In this article, we'll explore cookies, their real purpose, why they're essential to the modern web, how attackers can exploit them, and, most importantly, how to protect yourself in the age of rising cyber threats. It's time to take control of your digital footprint and learn how to stay secure in 2024.
WHAT ARE COOKIES?
Cookies are small data files that websites store on your computer or mobile device. These unassuming files are crucial in the modern web, enabling a seamless and personalised browsing experience. Cookies contain information about your activities, such as login credentials, preferences, and shopping cart contents. Each time you visit a website, your browser sends these cookies back to the server, allowing the site to recognise you and recall your past actions or customisations.
Without cookies, the web would function much more disconnectedly and inconveniently. Imagine having to log in repeatedly or re-add items to your shopping cart every time you navigate to a new page on a website. Cookies are the glue that holds your online experience together, ensuring continuity and enabling features like personalisation. They simplify and streamline your interactions, creating a smooth, tailored experience that has become the expectation for modern web users.
Cookies are an essential component of the web's infrastructure, powering the seamless and personalised digital experiences we have come to expect. They are the invisible yet indispensable foundation that allows websites to recognise you, maintain your session information, and adapt to your preferences, creating a cohesive and efficient online journey.
WHAT DO COOKIES DO?
Cookies have several key functions:
1. Session Management
Cookies play a crucial role in maintaining your session state as you navigate across different pages on a website. These small data files allow the website to recognise and keep you logged in by storing session identifiers, creating a seamless and continuous browsing experience. Without cookies, you would have to authenticate yourself manually on every page you visit, significantly disrupting the flow and convenience of your online interactions. Cookies act as the invisible bridge that preserves your login status, ensuring you can effortlessly move between various sections of a website without needing to re-enter your credentials repeatedly.
2. Personalisation
Cookies are crucial in storing and retrieving your personal preferences on websites. These small data files act as a bridge between your browsing sessions, seamlessly applying your customised settings whenever you revisit a website. For example, cookies can remember your preferred language, visual themes, or display options, ensuring a consistent and tailored experience across your online interactions. This personalisation feature enhances your overall satisfaction and efficiency, as you no longer need to manually adjust these preferences when accessing a familiar website. By retaining and automatically applying your customised settings, cookies create a more streamlined and user-friendly digital environment that caters to your needs and preferences.
3. Tracking and Analytics
Websites use cookies to monitor and extensively analyse user behaviour across their platform. These small data files track which pages you visit, how long you spend on each page and the paths you navigate through the website. By collecting and studying this comprehensive data, websites can gain valuable insights that inform their ongoing optimisation efforts. This allows them to continuously refine and enhance the user experience, improving content, navigation, and overall functionality to meet the needs and preferences of their visitors. The wealth of behavioural data gathered through cookies empowers websites to make data-driven decisions that drive engagement, retention, and overall customer satisfaction.
4. Shopping Cart Management
On e-commerce websites, cookies play a crucial role in maintaining the contents of your virtual shopping cart. These small data files stored on your device remember the products you've selected and added to your cart, even if you close your web browser or navigate away from the site. This seamless persistence allows you to continue browsing and shopping without the frustration of losing items you've painstakingly curated.
5. Targeted Advertising
Advertisers also extensively use cookies to track and monitor user activity across multiple websites. By collecting comprehensive data on browsing behaviour, browsing history, and user interests, these small data files enable advertisers to build detailed user profiles. This wealth of information allows advertisers to leverage highly targeted, personalised advertisements tailored to match individual users' preferences and interests. This targeted advertising approach allows advertisers to maximise the relevance and impact of their marketing campaigns, delivering ads that are more likely to resonate with and engage the intended audience.
However, this extensive tracking and profiling of user activity through cookies also raises significant privacy concerns, as users may not be aware of the depth and scope of the data being collected about their online behaviours.
TYPES OF COOKIES
There are several types of cookies, each serving a different purpose:
Session Cookies
These temporary cookies are created and utilised only during a single browsing session on a website. They are designed to track and maintain your online activities and interactions within that specific session. For example, session cookies allow you to stay logged into your account and seamlessly navigate different website pages without repeatedly re-authenticating yourself. Once you close your web browser, these session-specific cookies are automatically erased, as they no longer serve a purpose beyond the current browsing session. Their transient nature is crucial, as they do not persist on your device after the browser session ends.
Persistent Cookies
Unlike temporary session cookies, which expire when the browser session ends, persistent cookies remain on your device even after you close your browser. They have an expiration date set by the website, allowing them to persist across multiple browsing sessions. Persistent cookies are designed to remember and store user preferences, login credentials, and other personal data over an extended period.
This persistent nature benefits features like "Remember Me" functions, which allow users to stay logged in to their accounts even after closing and reopening their browser. By retaining the user's login details, persistent cookies provide a seamless and convenient experience, eliminating the need to manually re-authenticate on every visit. This enhances user efficiency and satisfaction, as users no longer have to repeatedly enter their credentials to access their accounts or resume their previous activities on the website.
First-Party Cookies
These first-party cookies are set directly by the website you're visiting. They play a crucial role in enhancing the user experience by enabling core functionality on the website. First-party cookies are primarily used to maintain your login session, ensuring you remain authenticated as you navigate the site's various pages. This allows you to seamlessly access your account and avoid the need to re-enter your credentials repeatedly.
First-party cookies help websites remember the items you've added to your shopping cart, even if you leave the site and return later. This persistent storage of your cart contents provides a seamless and convenient shopping experience, as you don't have to start from scratch when you resume your browsing session. These first-party cookies are essential for creating a user-friendly and effortless interaction with the website, catering to the needs and expectations of modern online consumers.
Third-Party Cookies
These cookies are set by domains other than the website you're visiting. Typically used by advertisers, data brokers, and social media platforms, third-party cookies track users across multiple websites, building detailed profiles of their online behaviour, interests, and browsing habits. This extensive data collection allows these third-party entities to deliver highly targeted, personalised advertisements tailored to each user. While this customised advertising approach can increase the relevance and effectiveness of marketing campaigns, it also raises significant privacy concerns, as many users are unaware of the depth and scope of the data being collected about their online activities through these third-party cookies.
WHY ARE COOKIES NECESSARY?
Cookies are fundamental to making the web work as seamlessly as it does today. Websites use cookies for a variety of important reasons:
CAN ATTACKERS USE COOKIES?
Unfortunately, while cookies are designed to enhance user experience, attackers can exploit them in various ways, posing significant privacy and security risks. Malicious uses of cookies include:
1. Session Hijacking
In a session hijacking attack, an attacker steals a user’s session cookie containing information like login tokens. Once the attacker obtains this cookie, they can impersonate the user and gain unauthorized access to their account without their login credentials.
How session hijacking works: Session hijacking is commonly executed through Man-In-The-Middle (MITM) attacks on unsecured (HTTP) connections, where attackers intercept the cookies as they travel between the browser and the server. This is why using HTTPS (encrypted connections) is crucial. If a user logs into an account over an unsecured public Wi-Fi network, an attacker could capture their session cookie and use it to take over their account.
2. Cross-Site Scripting (XSS)
An XSS attack injects a malicious script into a legitimate website. When the user visits the site, the script executes in their browser and can steal cookies, including session cookies, which are then sent to the attacker.
How Cross-Site Scripting (XSS) works: Attackers typically inject malicious code into forms or comment sections of vulnerable websites. When users load the page, the script activates and sends the stolen cookies to the attacker’s server. An attacker could inject malicious JavaScript that steals session cookies if a vulnerable website allows users to input and display HTML content.
3. Cross-Site Request Forgery (CSRF)
In a CSRF attack, an attacker tricks a user into making an unwanted request to a website where the user is already authenticated. Since the user’s cookies are automatically sent with every request, the attacker can make the site perform actions (e.g., transferring money or changing account settings) on behalf of the user.
How a CSRF attack works: Attackers typically embed malicious links or forms on other websites or in emails. When the user unknowingly clicks on the link, it sends a request to the targeted website along with the user’s session cookies, allowing the attacker to execute actions without the user’s knowledge. If a user is logged into their bank account and clicks on a malicious link, it could trigger a money transfer without the user’s consent.
4. Cookie Poisoning
In a cookie poisoning attack, an attacker modifies the contents of a cookie to inject malicious data or gain unauthorized access. This can lead to unauthorized actions, privilege escalation, or data theft.
How cookie poisoning works: Some websites store sensitive data (like user roles or permissions) in cookies. If these cookies are not adequately secured, attackers can modify their contents to escalate privileges (e.g., changing their role from a regular user to an admin) and gain access to restricted website areas. If a website stores user roles in cookies (e.g., userRole=basicUser), an attacker might modify this cookie to userRole=admin and gain unauthorized access to admin features.
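The userRole case above, as an added example that is not part of the original article: the server attaches an HMAC-SHA256 tag to the cookie and rejects any value whose tag does not verify. The key, the function names and the "anonymous" fallback role are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real deployment loads a random secret from its secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def sign_cookie(name: str, value: str, key: bytes = SECRET_KEY) -> str:
    """Return 'value.tag', where tag is HMAC-SHA256 over the cookie name and value."""
    # Binding the name stops a valid tag being replayed under a different cookie.
    tag = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).digest()
    return f"{value}.{_b64(tag)}"


def verify_cookie(name: str, cookie: str, key: bytes = SECRET_KEY):
    """Return the value if the tag is valid, otherwise None."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # unsigned cookie, e.g. a bare 'admin'
    expected = sign_cookie(name, value, key).rpartition(".")[2]
    # compare_digest runs in constant time, so the tag cannot be guessed byte by byte.
    if hmac.compare_digest(tag.encode(), expected.encode()):
        return value
    return None


def role_for_request(cookie: str) -> str:
    """Fall back to the least-privileged role when the cookie fails verification."""
    return verify_cookie("userRole", cookie) or "anonymous"


if __name__ == "__main__":
    issued = sign_cookie("userRole", "basicUser")
    tampered = "admin." + issued.rpartition(".")[2]  # value edited, old tag kept
    print(role_for_request(issued), role_for_request(tampered))
```

Signing detects modification but does not hide the value; keeping the role in server-side session state avoids sending it to the browser at all.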
HOW TO PROTECT AGAINST COOKIE-BASED ATTACKS
FOR USERS: DETAILED STEPS TO SECURE YOUR COOKIES
Step 1: Enable Secure Browsing (HTTPS Only Mode)
Step 2: Block Cross-Site Tracking Cookies
Step 3: Use Secure and Privacy-Focused Browsers
Step 4: Regularly Delete Cookies and Cache Automatically
Step 5: Avoid Using Public Wi-Fi or Use a VPN
Step 6: Use Browser Sandbox Modes for Sensitive Accounts
Step 7: Implement Passwordless Logins (FIDO2/WebAuthn)
FOR DEVELOPERS: DETAILED STEPS TO SECURE COOKIES
Step 1: Use Secure and HttpOnly Flags
Step 2: Implement the SameSite Attribute for CSRF Protection
Step 3: Adopt Modern Session Management Techniques
Step 4: Encrypt and Sign Cookies (Sealed Cookies)
Step 5: Implement Client-Side Integrity Protection
Step 6: Isolate Cookies with First-Party Isolation
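A check for Steps 1 and 2, added here as an example and not code from the original article: it parses Set-Cookie headers and reports which of Secure, HttpOnly and SameSite are absent or weakened. The sample headers are constructed, and the function names are hypothetical.

```python
# Constructed sample headers; the cookie names and values are illustrative only.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/",
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: prefs=dark; Secure; SameSite=None",
]

# What each missing attribute exposes, in the terms used by the attacks above.
RISK = {
    "Secure": "sent over plain HTTP, where it can be intercepted",
    "HttpOnly": "readable by scripts in the page, including injected ones",
    "SameSite": "attached to requests triggered from other sites",
}


def parse_set_cookie(header):
    """Return (cookie_name, {lowercased attribute: value}) for one header."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    pair, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        if key:
            attrs[key.strip().lower()] = value.strip()
    return pair.split("=", 1)[0], attrs


def audit_set_cookie(header):
    """Return (cookie_name, [attributes that are missing or weakened])."""
    name, attrs = parse_set_cookie(header)
    missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
    # SameSite=None re-enables cross-site sending, so it is reported as well.
    # An absent SameSite is reported rather than trusted to browser defaults.
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        missing.append("SameSite")
    return name, missing


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, missing = audit_set_cookie(header)
        print(name, "OK" if not missing else "needs attention")
        for flag in missing:
            print(f"  {flag}: {RISK[flag]}")
```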
As we continue to navigate the evolving digital landscape, understanding cookies is more than just a technical curiosity—it’s a fundamental aspect of safeguarding your online presence. These small data files, while vital to the convenience we enjoy, also hold the potential for exploitation. By becoming aware of how cookies work, their risks, and the security measures you can take, you empower yourself to take control of your digital privacy. Whether you’re a casual user or a developer building web experiences, the time to secure your cookies is now. In 2024 and beyond, staying informed and proactive about cookie security is one of the simplest yet most effective ways to protect your digital identity.
Remember, it’s not just about accepting cookies but understanding them.
"In the vast digital landscape, cookies are the silent architects of your online experience—building convenience and connection while quietly holding the keys to your privacy. But in the wrong hands, these tiny data files can unlock doors you never intended to open."--Dr. Sheeba Armoogum
Disclaimer: The information provided in this article is for educational and awareness purposes only.
Forensic Investigator | Intelligence Specialist | OSINT | Darknet specialist | Cyber Threat Intelligence | Crypto Investigations *Views are my own*
4 months ago: Interesting read! The ‘cookie’ caught my attention!
BSc (Honours) Information Technology | Software Developer | Cyber Security Analyst | MBA Candidate
5 months ago: Very helpful, Thank you Doc
Researcher
5 months ago: Love this Prof! Thanks for sharing please.
Cyber Operations | CyberSecurity & Forensics Research Group Member | University of Mauritius/University of Arizona
5 months ago: Worth the wait!! Associate Professor (Dr) Sheeba Armoogum (Ph.D in Cybersecurity) Many users do not realise the trade-offs between convenience and privacy. It's high time we start making smarter choices about what we accept online.
--
5 months ago: Misuse of cookies data is a serious concern for all. Thank you Associate Professor (Dr) Sheeba Armoogum for bringing awareness on this issue.