Skip to main content
  1. blog/

The Developer's Guide to Cookies 🍪

··4 mins

Overview #

Cookies remain a fundamental part of the web, playing a critical role in user experience, security, and personalization. However, they are also a major point of concern when it comes to privacy and regulatory compliance.

Given the increasing importance of privacy laws and browser security updates, it’s crucial for web developers to understand not only how cookies work but also how to manage them in a compliant and secure manner.

History #

Cookies were invented by Netscape in the mid-90’s as a way to store some user information in the browser rather than requiring the web server to store it.

Why do we need cookies? #

HTTP is a stateless protocol which means it remembers nothing between different request/response exchanges. The server handles each request as a separate distinct connection. The web server doesn’t remember if you logged in already, set a preferred language, etc.

The use cases for cookies have evolved over the past two decades and they are now commonly used for:

  • Session Management – Keeping users logged in as they navigate between pages.
  • Shopping Carts – Remembering items added to a cart.
  • Personalization – Saving user preferences such as language or theme settings.
  • Tracking and Analytics – Collecting data on user behavior for website performance and advertising.

A cookie is a simple text file stored by the browser that contains the following attributes:

  • Name-value pair – The actual data being stored (e.g., session_id=xyz123).
  • Expiration date – Defines the cookie’s lifetime. If not set, the cookie is a session cookie and is deleted when the browser closes.
  • Domain and path – Specifies which website or part of the site can access the cookie.
  • Secure flag (optional) – Ensures the cookie is only transmitted over HTTPS.
  • HttpOnly flag (optional) – Prevents JavaScript from accessing, creating, or modifying the cookie, mitigating XSS attacks.
  • SameSite attribute (optional, but highly recommended) – Controls whether the cookie can be sent with cross-site requests, helping prevent CSRF attacks.

The Evolution of Cookies: Privacy and Regulations #

In recent years, cookies have been at the center of privacy concerns, leading to regulatory changes and browser restrictions:

Privacy Laws Affecting Cookies #

  • GDPR (General Data Protection Regulation - EU) – Requires explicit user consent before setting non-essential cookies.
  • CCPA (California Consumer Privacy Act) – Grants users the right to opt out of data tracking.
  • ePrivacy Directive (EU Cookie Law) – Requires websites to obtain consent before placing tracking cookies.

Browser Updates and the End of Third-Party Cookies #

  • Google Chrome (phasing out third-party cookies by 2025) – The Privacy Sandbox initiative aims to replace tracking cookies with more privacy-conscious alternatives like Topics API and FLoC (Federated Learning of Cohorts).

  • Firefox and Safari – Have already implemented stricter cookie policies, blocking third-party cookies by default.

  • SameSite Default Policy – Most modern browsers now default to SameSite=Lax to prevent cross-site tracking.

How Cookies Are Created and Sent #

Cookies are typically created using the Set-Cookie HTTP header in the server response:

HTTP/2 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session_id=xyz123; Path=/; HttpOnly; Secure; SameSite=Lax; Expires=Wed, 21 Feb 2026 12:00:00 GMT

Once set, the browser includes the cookie in subsequent requests:

GET /dashboard HTTP/2
Host: example.com
Cookie: session_id=xyz123

Managing Cookies with JavaScript #

Developers can use JavaScript to create, read, and delete cookies via document.cookie:

document.cookie = "username=JohnDoe; expires=Fri, 31 Dec 2025 12:00:00 UTC; path=/; Secure";

Note that HttpOnly cookies can only be set by the server through HTTP headers - they cannot be created, accessed, or modified via JavaScript at all. This is a security feature that helps protect against XSS attacks.

Types of Cookies #

Session Cookies #

  • Do not have an expiration date.
  • Stored in memory and deleted when the browser closes.
  • Common names: PHPSESSID, JSESSIONID, ASP.NET_SessionId.

Persistent Cookies #

  • Contain an expiration date and remain stored across sessions.
  • Used for remembering logins and user preferences.

First-Party vs. Third-Party Cookies #

  • First-party cookies – Set by the domain the user is visiting.

  • Third-party cookies – Set by external domains (e.g., ad networks, analytics providers). These are being phased out due to privacy concerns.

Alternatives to Cookies #

With increasing privacy restrictions, developers are exploring alternatives:

  • LocalStorage and SessionStorage – Browser-based storage mechanisms that provide better security but lack cross-session persistence.

  • Server-Side Sessions – Store session data on the server while using a token-based identifier.

  • JWT (JSON Web Tokens) – Used in authentication for stateless session management.

  • Google’s Privacy Sandbox APIs – Proposed alternatives to third-party cookies for tracking and ad targeting.

Conclusion #

Cookies continue to be a foundational technology for web applications, but developers must stay up to date with evolving privacy regulations and browser changes. Moving forward, first-party cookies and privacy-conscious alternatives will play a crucial role in maintaining a balance between user experience and compliance.

By following best practices—such as using SameSite, Secure, and HttpOnly flags—developers can ensure their applications handle cookies securely and responsibly.