Accepting Cookies: A Treat or Danger?

Cyril Darko

“We use cookies to make your experience on our website better. By using and further navigating this website you accept this.” We see this or something similar every day when browsing the web, but how do we react to it? There are terms and conditions associated with cookies, but I doubt the majority would read them. Undoubtedly, the text is designed specifically to be boring, yet it holds important information (from the super cool to the ‘go wrongs’).

So, should we always accept or decline cookies? Well, it depends. To understand cookies better, we must take a quick dive into HTTP (Hypertext Transfer Protocol).

A Quick Dive into HTTP

HTTP is an application-layer protocol in the networking stack that is mainly used to transfer hypermedia (videos, photos, music, web pages, etc.) over the internet, allowing users to exchange data or information on the World Wide Web. It is by this means of transport that you are able to send files over the internet to your friends. However, HTTP is a stateless protocol, which means no state is kept between the browser (client) and the server (the host providing web content). So each new request (the links you click to different pages), even from the same browser, knows nothing about a previous request. Here’s a simple analogy: imagine HTTP as a transportation system that knows only about the trips currently in progress and nothing about past trips; it keeps no record of trips and is not accountable for any. Hence, once the user has made a request, he will be treated as unknown on all subsequent requests. This means that whenever you log in on a site, you would have to log in over and over again on every page that requires authorization. But wait, login credentials again? Yes! Not such a good user experience. That is where cookies and sessions come to the rescue: keeping state.

Basic Idea of Keeping State – Cookies and Sessions

Quality user experience is paramount to web developers, and it is crucial to the success of every company whose existence depends mainly on the web. Previously we saw an example of how a user would have to log in anew on every page because HTTP is a stateless protocol, treating each request as an independent transaction that knows nothing of previous requests. Since there is no way within HTTP to remember a user’s identity from page to page, web developers use sessions (a connection between the browser and the server). The idea is that you have a cookie on the browser and a session on the server, and the link between the two is what is kept. Cookies are small pieces of text placed on the user’s browser, and they persist from one page to the next. This persistence makes it possible to store information such as a user id, which the application or server uses to retrieve the logged-in user from the database, so that users won’t have to provide login credentials at every authorization point. With this, we can say that state is being kept between the browser and the server.

This idea has evolved into the many types of cookies we see today, but the fundamental idea is the same throughout. Our coverage won’t be exhaustive, since new things pop up every day, but we will keep it up to date.

Why do I keep getting these cookie messages?

When you log into a website with your credentials, the session on the server gives you a cookie which represents you. Since cookies hold your personal data, a cookie acts as an identification card. So the EU passed a law on data protection and privacy called the GDPR (General Data Protection Regulation), which was implemented on 25th May, 2018. The law forces developers or site owners to seek explicit consent from users before collecting and processing their personal data. Any organisation that fails to comply or is otherwise in breach of the GDPR could face a fine, in most cases of up to 4% of the company's annual turnover.

Should I block third-party cookies?

If a cookie message pops up seeking your consent to allow third-party cookies, it is advisable to decline if you don’t want to read the cookie policy. Accepting this cookie gives the site the right to sell your browsing behavior to other information-thirsty websites, which use this information to build personalized profiles of you. But if you block third-party cookies in the browser settings, all cookies and site data from other sites will be blocked. So the best option is to block cookies from specific sites you don't trust, or when the browser warns you that an attacker might be using the site to collect personal information. Also, read your browser's user manual to learn how to go about it.

What happens if you don’t accept cookies?

Obviously, the user experience is going to be very poor. Imagine shopping online and keeping items in your cart: upon every selection you make, the previous item goes missing, because HTTP knows nothing about previous requests and selections. In addition, you are also going to get the persistent login prompts at authorization points, because no state is kept.

The Big Question: Should I accept cookies?

Well, again, it depends. First, because so many websites rely on cookies to provide an optimum user experience, I would recommend that you allow cookies on your personal computer. You also have the power to limit which cookies end up on your computer. If you are using a public computer at a cafe or anywhere else, make sure not to tick the Remember me checkbox, as this creates a permanent cookie that persists for a very long time (the default is mostly 20 years), and whenever someone opens the website, he/she will be logged in as you. By nature, cookies are semi-permanent: they expire when you close the browser unless you ticked Remember me. So the only way an attacker can get in is by gaining physical access to a machine with a logged-in user.
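To make the cookie/session link from the Keeping State section and the Remember me behaviour just described concrete, here is an added Python example (not code from the original article). It assumes an in-memory session store, a constructed user alice with a constructed password, and a hypothetical 30-day Remember me lifetime; the cookie carries only a random session id that the server maps back to the user, and logout deletes that server-side entry so a leftover cookie on a shared machine stops working.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side session store (constructed, in-memory): opaque session id -> username.
SESSIONS = {}
USERS = {"alice": "correct horse"}  # constructed sample credential, not a real account
REMEMBER_ME_SECONDS = 30 * 24 * 3600  # hypothetical 30-day "Remember me" lifetime


def login(username, password, remember_me=False):
    """Verify credentials, open a server-side session, return the Set-Cookie header value."""
    if USERS.get(username) != password:
        return None
    sid = secrets.token_urlsafe(32)  # random, unguessable; the cookie never carries the user id
    SESSIONS[sid] = username          # the session on the server is what links cookie to user
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["path"] = "/"
    cookie["sid"]["httponly"] = True   # page scripts cannot read it
    cookie["sid"]["secure"] = True     # only sent over HTTPS
    cookie["sid"]["samesite"] = "Lax"  # not attached to most cross-site requests
    if remember_me:
        # Persistent cookie: survives closing the browser for REMEMBER_ME_SECONDS.
        cookie["sid"]["max-age"] = REMEMBER_ME_SECONDS
    # Without Max-Age/Expires it is a session cookie, discarded when the browser closes.
    return cookie["sid"].OutputString()


def current_user(cookie_header):
    """Each request is stateless; the Cookie header is the only link to the earlier login."""
    if not cookie_header:
        return None  # no cookie: the server treats the requester as unknown
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("sid")
    return SESSIONS.get(morsel.value) if morsel else None


def logout(cookie_header):
    """Delete the server-side session so a leftover cookie on a shared machine is useless."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get("sid")
    if morsel:
        SESSIONS.pop(morsel.value, None)
```

The first segment of the returned Set-Cookie value (`sid=...`) is what the browser sends back in its Cookie header on later requests.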

Cyril Darko

Full-stack web development, Technology, Entrepreneurship and Environmental Science.