The Different Types of Internet Cookies Explained

By: Masha Komnenic CIPP/E, CIPM, CIPT, FIP Masha Komnenic CIPP/E, CIPM, CIPT, FIP | Updated on: January 14, 2022

Scan Your Website's Cookies
The-Different-Types-of-Internet-Cookies-Explained-01

Whether you’re a website owner or internet user, you are probably familiar with cookies — and not the tasty kind you can eat.

Cookies are small text files stored on a device to collect personal data. Most websites contain some type of cookies and are required by laws — such as the EU cookie law — to let you know about it through a cookie banner.

For instance, a cookie could track a user’s items in an online shopping cart or the last page they visited before leaving. Sites read these cookies to give users a more personalized experience, like returning their items to the cart or taking them to their most recently visited page.

Those aren’t the only possibilities cookies offer. You can use them to accomplish various tasks, and not all cookies do the same thing.

Continue reading to learn about the distinction between essential and non-essential cookies, the different types of internet cookies, and supercookies.

Table of Contents
  1. Essential Cookies vs. Non-Essential Cookies
  2. Types of Cookies on a Website
  3. What Are Supercookies?
  4. Wrapping Up

Essential Cookies vs. Non-Essential Cookies

Cookies can be either essential or non-essential, depending on their function. Simply put, essential cookies are necessary for the proper functioning of a website, and non-essential cookies usually are not.

List of Essential Cookies and Their Uses

Essential cookies are placed automatically on your device whenever you access a website or perform specific actions. These cookies are necessary for a website to function correctly.

Some examples of essential cookies that don’t require user consent include:

  • Session cookies: These cookies remember your activities on a website. For example, they keep you logged in to your account as you browse a website.
  • User-input cookies (session-id): Used to keep track of items that the user inputs to your website. For instance, a cookie that remembers the answers to an online form or the items in a customer’s shopping cart.
  • Authentication cookies: Are tracking cookies that work by identifying users through their login credentials. When a website visitor enters their user ID and password (including when using a password manager), these cookies will confirm the user’s identity and “remember” their account information.
  • User-centric security cookies: These cookies detect authentication errors and abuses, such as incorrect login details. For example, when a visitor enters incorrect login credentials, these cookies detect that and keep track of how many incorrect entries get made.
  • Load-balancing cookies: These cookies serve probably the most basic cookie function in that they connect information between a user’s web server and your web server.

List of Non-Essential Cookies and Their Uses

All other cookies that do not meet the definition of essential cookies are considered non-essential. These non-essential cookies can only be placed on a device if the user consents to them.

Some examples of non-essential cookies that require user consent include:

  • Analytics and customization cookies that track user activity in their browsers, allowing website owners to better grasp how their site is being used.
  • Advertising cookies that are used to customize a user’s ad experience on websites based on their browsing history.
  • Social networking tracking cookies that allow users to share content on social media, and help link the activity between a website and a third-party sharing platform

User-led Consent

Some cookies are deployed when a website visitor chooses a site’s settings. For example, your site could include video clips or remember what users have done on previous visits to personalize service content. When a website visitor chooses a particular feature, some cookies would then be stored — this is called feature-led consent or user-led consent.

In these cases, consent could be sought as part of the process by which the user confirms what they want to do or how they want the site to work.

These type of cookies include:

  • Multimedia content player session cookies (flash cookies) are used for the duration of a session to store technical data needed to play back video or audio content (e.g. image quality, network link speed, and buffering parameters).
  • User-interface customization cookies: These are cookies that store user-experience preferences. For example, if a user has selected a preferred color scheme or language, this preference gets saved in a user-interface customization cookie.

First-party multimedia content player cookies would be considered functional — meaning they are not essential for the website use but do offer better website functionality and experience. The same is true for user interface customization cookies.

Why Knowing Your Cookies Is Important

Performing a periodic cookie audit on your website is important because recently, some governments have passed data privacy legislation to protect the privacy of their citizens’ data from non-essential cookies.

For example, the European Economic Area (European Union , Norway, Island, Lichtenstein), UK and Switzerland implemented the General Data Protection Regulation (GDPR), which imposes strict data collection requirements for websites targeting EU citizens directly or indirectly.

These requirements include, among other things, that the website owner informs visitors of cookies and asks for their consent to use them.

Use Termly To Comply With Cookie Requirements

Step 1: Enter your website URL into our cookie scanner below

Step 2: We’ll scan your site and categorize the majority of your cookies

Step 3: We’ll generate your cookie policy & customizable cookie banner

Types of Cookies on a Website

There are several types of internet cookies, each with very different purposes. For example, cookies can be used to track, collect, and store virtually any user data.

Let’s look at all the different types of internet cookies and their uses.

Session Cookies (Essential)

Session cookies are designed to remember your activities on a website. Without these cookies, a website would have no ability to memorize your browsing history. Instead, you would get treated as if you were a unique visitor every time you clicked a link.

You will often encounter session cookies when shopping online. These cookies make it possible for you to check out at any time. If an online shopping site did not use them, your shopping cart would always be empty whenever you began the check-out process.

Essentially, session cookies assist your website navigation by memorizing your actions, and they do not follow you after you close the web page.

First-Party Cookies or Persistent Cookies (Essential)

As opposed to session cookies, these types of cookies on a website are akin to a website’s long-term memory. First-party cookies memorize your settings to ensure the same user experience whenever you revisit a site in the future. Without them, websites would not be able to maintain preferences like menu settings, language, and internal bookmarks for future browsing sessions.

First-party — or persistent — cookies enable you to make those selections one time and have them stay consistent over time.

The vast majority of first-party cookies expire after one to two years. Your browser will delete these cookies if you do not visit the website within their expiration time frame. They can also be removed manually.

Persistent cookies are also commonly used for user authentication. If disabled, a site would never keep you logged in to your account between sessions and would always require you to re-enter your credentials.

Unfortunately, companies can also choose to use first-party cookies to track users. These cookies record data about a user’s browsing history for as long as they are active.

Third-Party Cookies or Tracking Cookies (Non-Essential)

Third-party cookies are more concerning than first-party cookies and are the source of the bad reputation that cookies tend to have. Instead of being created directly by the web page, other websites are responsible for generating these cookies. They are usually linked to advertisements found on websites.

For example, a site with ten advertisements could generate ten cookies, regardless of whether the user clicks on them or not.

Advertisers and analytics companies can use tracking cookies to monitor your browsing habits across the internet. With this data, companies can target you with custom advertisements. These are the pesky and annoying ads that appear on Facebook or other sites you visit that display content relevant to your interests.

Secure Cookies (Non-Essential)

These cookies are not as common as other types of internet cookies. Secure cookies can only be transmitted if the connection is encrypted, which generally means that only HTTPS websites can send them.

Nevertheless, secure cookies are susceptible to being attacked. Once they are on your device, a hacker can overwrite them even from an unsecured connection. Therefore, it is better if they do not store sensitive information.

E-commerce sites usually integrate this type of cookie to ensure safer transactions. Secure cookies are also required to be used by online banking websites for security purposes.

HTTP-Only Cookies (Non-Essential)

Many secure cookies are also HTTP-only cookies. These two work together to reduce a cookie’s susceptibility to a cross-site scripting (XSS) attack.

When there’s an XSS attack, a hacker will inject malware or malicious code into a trusted website. Unfortunately, a browser is unable to distinguish that the script is untrustworthy. Because of this, the script can access browser data related to the site, including cookies.

Fortunately, secure cookies and HTTP-only cookies cannot be accessed or affected by scripting languages, protecting them from such attacks.

Developers created these types of browser cookies to prevent the data stored on them from being stolen or modified by hackers.

Flash Cookies (Non-Essential)

Flash cookies are a type of supercookie, which we will cover later in this article. Developers usually use the Flash plugin to hide these types of internet cookies from being detected by your browser’s cookie management tools.

Because these cookies are available for most browsers, you will not gain many security benefits by using different browsers for different purposes. Like other super cookies, flash cookies can hold 100KB of data compared to only 4KB of data for regular cookies, also known as HTTP cookies.

Zombie Cookies (Non-Essential)

These cookies are very similar to flash cookies. The difference is that zombie cookies can recreate themselves if you delete them. They can do this by having backups stored outside a browser’s cookie folder.

Online games sometimes use zombie cookies to prevent players from cheating. But, unfortunately, hackers can also employ them to install malicious software onto devices.

What Are Supercookies?

As its name suggests, supercookies serve a different and more sinister functionality than regular cookies.

You can take many measures to prevent being tracked by regular cookies. For example, you can clear your browsing data and cookies, block cookies from your browser, and automatically delete cookies following each browsing session. However, these measures will not work with supercookies because they technically are not cookies. They are not stored in your browser like regular cookies.

Internet service providers (ISPs) install supercookies by inserting a unique identifier header (UIDH) into a user’s HTTP connection. Due to their location between the device and the connecting server, users are powerless against them. You cannot delete supercookies because they are not stored on your device, and ad or script blocking software cannot stop them.

Supercookies are very dangerous because they have great potential for causing privacy violations. Most cookies are connected only to one website and cannot be shared. On the contrary, a user’s UIDH can be shared to any website and could contain a plethora of data on a user’s internet habits.

Even more troubling, the Electronic Frontier Foundation (EFF) notes that advertisers can use supercookies to recreate deleted cookies and link them to new ones on a user’s device. The EFF also asserts that a UIDH can be attached to outgoing app data.

All of this information taken together can create a very detailed picture of a user’s internet history.

Supercookies usually contain a user’s metadata. Metadata is information about a user’s request, like the site they are attempting to visit and the time of their attempt. However, supercookies can also include other types of data.

Wrapping Up

Cookies are a very integral part of the internet. Because of this, it’s very important to understand the different types of internet cookies. Some cookies are essential, and many websites would not function without them. These cookies, like session cookies and first-party cookies, can be helpful to internet users.

On the other hand, non-essential cookies are more troublesome. Most non-essential cookies are primarily used for analytics or advertising. Third-party cookies are the most common type of non-essential cookie.

The most disturbing types of computer cookies are known as supercookies. These cookies can hide in plugins, like flash cookies. They can be challenging, if not impossible, to delete. As a result, they present a very formidable threat to internet privacy.

Masha Komnenic CIPP/E, CIPM, CIPT, FIP
More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author

Related Articles

Explore more resources

Enter Your Website URL

In order to help you create a cookie solution that is GDPR and Cookie Law compliant, we must first scan your website for cookies.