1 The Puzzle
The next morning you open a new browser window, navigate to amazon.com, and — without typing a single character — you are still logged in. Your cart still has those three items. Your dark mode preference is still set.
HTTP, the protocol your browser uses to talk to servers, is completely stateless. Every single request is supposed to be a fresh conversation with no memory of what happened before. So how, exactly, does Amazon remember you across an entire browser restart?
The answer is one of the most quietly powerful mechanisms in all of web technology: the HTTP cookie.
2 What Is a Cookie?
A cookie is a small piece of text — typically fewer than 4 KB — that a web server tells your browser to store on your computer. The next time you visit that server, your browser automatically sends the cookie back. That is literally the entire mechanism. The server sets it; the browser stores it; the browser returns it on every subsequent request.
The magic is in the combination of three HTTP messages. Here is the exact exchange that happens when you log into a website for the first time:
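The exchange below is an added example (not code from the original article), simulating the three messages in-process: the login request, the response carrying Set-Cookie, and the next request carrying the Cookie header. It uses the article's session ID a3f9k2mXbc21 and user 49284; the credentials, paths and cart contents are constructed.

```python
# Added example, not code from the original article. Session ID a3f9k2mXbc21 and
# user 49284 are the article's values; credentials, paths and cart are constructed.
import secrets

SESSIONS = {}  # server-side session table: session_id -> user record


def server_login(username, password, session_id=None):
    """Message 1 arrives (POST /login). On success the server creates a
    session record and returns the Set-Cookie header for message 2."""
    if (username, password) != ("alice", "correct-horse"):  # constructed credentials
        return None
    # A real server always generates the ID randomly; the fixed ID is passed
    # in here only so the demo matches the article's example value.
    sid = session_id or secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user_id": 49284, "cart": ["book", "lamp", "cable"]}
    return f"session_id={sid}; Path=/; Max-Age=2592000; Secure; HttpOnly; SameSite=Lax"


def browser_store(cookie_jar, set_cookie_header):
    """Browser side of message 2: store only the name=value pair. The
    attributes decide *when* the cookie is sent back, not *what* is sent."""
    name, _, value = set_cookie_header.split(";", 1)[0].partition("=")
    cookie_jar[name.strip()] = value.strip()


def browser_request_headers(cookie_jar):
    """Message 3: every later request to the site carries a Cookie header
    automatically, with no user action and without the attributes."""
    return {"Cookie": "; ".join(f"{k}={v}" for k, v in cookie_jar.items())}


def server_lookup(headers):
    """Server side of message 3: parse the Cookie header and look the ticket
    up. Returns the user record, or None for an unknown or expired ID."""
    cookies = {}
    for pair in headers.get("Cookie", "").split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name] = value
    return SESSIONS.get(cookies.get("session_id"))


def demo():
    """Run the full exchange once and return what each side ended up with."""
    jar = {}
    set_cookie = server_login("alice", "correct-horse", session_id="a3f9k2mXbc21")
    browser_store(jar, set_cookie)
    record = server_lookup(browser_request_headers(jar))
    return set_cookie, jar, record
```

Note that the browser never learns the user ID or the cart: it stores and returns only the opaque ticket, and the lookup happens server-side.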
On the server, session ID a3f9k2mXbc21 belongs to user 49284. When the browser sends that ID, the server does the lookup. The cookie itself is just a ticket — the data lives on the server.
3 Browser Cookie Storage (DevTools Simulation)
You can inspect every cookie your browser has stored for any website by opening Chrome DevTools, clicking the Application tab, and expanding Cookies. The panel lists each stored cookie with its Name, Value, Domain, Expires and Size.
4 Cookies Do More Than Login
Most people associate cookies with staying logged in — but that is just one of three major jobs a cookie can do: keeping you logged in, holding your shopping cart, and remembering preferences such as dark mode. Any persistent state that the server needs to remember about you, without requiring you to be authenticated, can be stored in a cookie.
5 Cookie Anatomy
When a server sends a Set-Cookie header, it is not just a name and a value — it is a semicolon-delimited string of attributes that define exactly how the cookie behaves. The attributes that matter most are Expires or Max-Age (lifetime), Domain and Path (which requests the cookie is attached to), and the three security flags Secure, HttpOnly and SameSite.
6 Third-Party Cookies & Cross-Site Tracking
First-party cookies are set by the website you are actually visiting — amazon.com setting a cookie when you are on amazon.com. But there is a second kind: third-party cookies, set by a domain that is not the site you are on. This is where tracking comes in.
| | First-Party Cookie | Third-Party Cookie |
|---|---|---|
| Set by | The site you are on (amazon.com on amazon.com) | A different domain embedded on the page (ads.tracker.com on amazon.com) |
| Purpose | Login, cart, preferences, session state | Cross-site tracking, retargeting ads, analytics aggregation |
| Privacy impact | Low — scoped to one site | High — builds a profile across thousands of sites |
| Browser support | Fully supported everywhere | Being phased out — Safari/Firefox already block by default; Chrome follows |
7 Session Cookies vs Persistent Cookies
Not all cookies are equal in lifespan. The two fundamental types differ in one critical way: whether they survive a browser restart.
A session cookie has no Expires attribute and no Max-Age attribute. The browser keeps it in memory only and discards it when you close the browser. A persistent cookie carries an Expires attribute or a Max-Age attribute. The browser writes it to disk. It survives tab closes, browser restarts, even system reboots — until the expiry date passes or you manually delete it. The Amazon "stay logged in" checkbox sets a persistent cookie that expires years from now.
8 Cookie Security Flags
A cookie without security attributes is a security vulnerability waiting to be exploited. Modern cookies carry three flags that each block a different attack vector: HttpOnly, Secure and SameSite.
HttpOnly flag. When ON: JavaScript cannot read document.cookie to steal your session token. The cookie is invisible to the JavaScript runtime entirely — it only travels via HTTP headers. When OFF: Any JS on the page — including injected malicious code — can read document.cookie and exfiltrate your session ID to a remote server, instantly logging the attacker in as you.
Secure flag. When ON: The cookie is sent only over HTTPS. If the browser is tricked into loading a page over http:// instead of https://, the session cookie stays home. When OFF: On a public Wi-Fi network, an attacker running a man-in-the-middle sniffer can intercept unencrypted HTTP traffic and read the cookie value directly from the request headers. Session hijacking accomplished without breaking any encryption.
SameSite flag. When ON: The cookie is attached only to requests that originate from the same site, so evil.com cannot silently make your browser fire a state-changing request to bank.com carrying your session cookie. When OFF: Cross-Site Request Forgery (CSRF) becomes trivially possible. A crafted link or invisible <img> tag on an attacker's page can trigger authenticated actions on your behalf — password changes, bank transfers, profile edits — using your stored session cookie.
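As an added example covering both the Set-Cookie anatomy in section 5 and the three flags above (this is not the article's own code): a small parser that splits a Set-Cookie header into its attributes, plus an audit that reports which flag is missing and the attack class it would have blocked. The sample headers are constructed; the session ID is the article's.

```python
# Added example, not code from the original article: split a Set-Cookie header
# into its attributes and report which of the three security flags is missing.
# The sample headers below are constructed; the session ID is the article's.

def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, attrs).
    Attribute names are case-insensitive (RFC 6265), so keys are lowercased;
    a bare flag such as 'Secure' is stored as True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Findings for a cookie meant to carry a session: each names the missing
    flag and the attack class from the article that the flag would block."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie (XSS token theft)")
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain http:// (network sniffing)")
    samesite = attrs.get("samesite")
    if samesite in (None, True):
        findings.append("missing SameSite: may ride along on cross-site requests (CSRF)")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers reject the cookie")
    return findings


# Constructed headers: the weak form beside the hardened form.
WEAK = "session_id=a3f9k2mXbc21; Path=/"
HARDENED = ("session_id=a3f9k2mXbc21; Path=/; Max-Age=2592000; "
            "Secure; HttpOnly; SameSite=Lax")
```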
9 The Full Cookie Lifecycle
Here is a complete picture of how a cookie is born, stored, and used across every request the browser makes:
```mermaid
flowchart TD
A([User visits website]) --> B[Browser sends HTTP request]
B --> C{Cookie header present?}
C -->|No cookie| D[Server creates new session]
D --> E[Server responds with Set-Cookie header]
E --> F[Browser stores cookie on disk or in memory]
F --> G[User navigates to another page]
G --> H[Browser automatically includes Cookie header]
H --> I{Server validates cookie}
I -->|Valid session| J[Load user data and serve response]
I -->|Expired or invalid| K[Reject and redirect to login]
J --> G
C -->|Cookie exists| I
K --> A
```
10 Frequently Asked Questions
First-party cookies are not inherently dangerous — they are just a storage mechanism. The security concerns arise from misconfiguration (missing HttpOnly, Secure, or SameSite flags), from third-party tracking cookies that build surveillance profiles without your awareness, and from cookie theft via XSS attacks. A well-configured cookie from a reputable first-party site is no more dangerous than any other stored data on your computer. The broader privacy concern is not any single cookie, but the ecosystem of third-party trackers that aggregate data across thousands of sites to profile you without meaningful consent.
Yes — every major browser provides a straightforward way to delete cookies. In Chrome: Settings → Privacy and Security → Clear Browsing Data. In Firefox: Preferences → Privacy & Security → Clear Data. You can delete all cookies at once, or use DevTools (F12 → Application → Cookies) to delete specific cookies from specific sites. The consequence of deleting cookies is that you will be logged out of every site, your cart will be emptied, and your preferences will reset. Browser extensions like Cookie AutoDelete can automatically purge cookies from sites you close — a good middle ground for privacy without constant manual effort.
The EU's General Data Protection Regulation (GDPR), effective May 2018, and the earlier ePrivacy Directive (the "Cookie Law") require websites to obtain informed consent before setting non-essential cookies — specifically analytics and advertising cookies. Strictly necessary cookies (those required for the site to function, like login session cookies) are exempt. The law applies to any site accessible to EU residents, which is why the consent banners appear globally. The California Consumer Privacy Act (CCPA) imposes similar requirements in the US. The practical result is those ubiquitous cookie consent banners, which have been widely criticized for dark patterns that make rejection deliberately difficult.
Both cookies and localStorage store data in the browser, but they are fundamentally different in how they work. Cookies are automatically sent to the server with every HTTP request — that is their defining feature. localStorage data never leaves the browser; it is only accessible to JavaScript running on that page. Cookies are limited to about 4 KB; localStorage allows up to 5–10 MB. Cookies can be configured with security attributes like HttpOnly and Secure; localStorage has no equivalent flags, so it is always accessible to JavaScript (making it unsuitable for session tokens). Cookies were designed for server communication; localStorage was designed for client-side storage of application state that the server does not need.
First-party cookies are not going anywhere — they are fundamental to how the web maintains state. What is being phased out are third-party cookies: Safari (since ITP in 2017) and Firefox (since 2019) block them by default. Google Chrome announced the Privacy Sandbox initiative as a replacement, proposing APIs like the Topics API to enable interest-based advertising without individual cross-site tracking. After several delays, Chrome began restricting third-party cookies in 2024. The advertising industry is scrambling to adapt with alternatives like server-side tracking, first-party data strategies, and contextual advertising. The death of the third-party cookie does not end tracking — it just forces the industry to find more privacy-respecting (or more cleverly hidden) mechanisms.
Srikanth Badavath