WTF are Cookies? Why do we need to accept them everywhere?

Sam Ngu
6 min read · Jan 11, 2023

Cookies are everywhere on the internet. Although they can’t be eaten or baked, they are one of the core pillars in building the foundation of the modern internet and HTTP.


HTTP cookies, also known as web cookies or browser cookies, are small pieces of data that are stored in a user’s web browser while the user is browsing a website. There are several types of cookies that are used for different purposes:

  1. Session cookies: These cookies are temporary cookies that are only stored in the browser until the user closes the browser. They are used to store information that is needed across multiple pages on a website, such as user preferences or items in a shopping cart.
  2. Persistent cookies: These cookies are stored in the browser for a longer period of time, even after the user closes the browser. They are used to track a user’s browsing activity over an extended period of time, such as remembering a user’s login credentials or tracking their online activity for marketing purposes.
  3. Third-party cookies: These cookies are placed by a domain other than the website the user is visiting. They are often used to track a user’s online activity across multiple websites for advertising purposes.
  4. Secure cookies: These cookies carry the Secure attribute and are only transmitted over an encrypted connection (HTTPS). They are used to store sensitive information, such as login credentials.
  5. HttpOnly cookies: These cookies are not accessible to client-side scripts and are only sent along with HTTP requests. They are used to keep cookies out of reach of cross-site scripting (XSS) attacks.

First-party cookies originate from the same domain, i.e. the website that you are currently visiting. Third-party cookies are set by a domain other than the one that you are visiting, and are typically used for online advertising and tracking purposes.

Same Site Attributes

Under HTTP, every cookie should carry a SameSite attribute, which tells the browser whether it should send the cookie along with cross-site requests or not. The SameSite attribute is used to prevent cross-site request forgery (CSRF) attacks by limiting the scope of the cookie to a specific site.

Lax

The Lax value allows the cookie to be sent with top-level navigations to the site that set it, but not with other cross-site requests. This is useful for scenarios where the cookie needs to be available for some cross-site requests, but not all.

In other words, cookies are NOT sent on ordinary cross-site subrequests (for example, when a third-party site loads images or frames from your site), but they ARE sent when the user navigates to your site, e.g. by clicking a link on a third-party site that leads to your website.

CSRF Prevention with Lax

Now imagine that a user visits a malicious website. That website could contain a hidden iframe that submits a form to a site where the user is logged in. However, because the form submission comes from an iframe on another site rather than from a top-level navigation, the browser will not include the session_id cookie with the request. As a result, the server cannot authenticate the request and will not process it, protecting the user from cross-site request forgery (CSRF) attacks.

Strict

The Strict value specifies that the cookie should only be sent with same-site requests; it is never sent with cross-site requests, not even top-level navigations coming from another site. This can be used to provide a higher level of security for sensitive cookies.

A Strict cookie, while providing a high level of protection against CSRF attacks, also limits functionality in cases where the website relies on third-party scripts or resources that need access to the cookie, or where users arrive at the site by following links from other sites.

HttpOnly

HttpOnly cookies are a type of cookie that is not accessible to client-side scripts. They can only be accessed via the HTTP protocol, and are used to protect cookies against cross-site scripting (XSS) attacks.

By setting the HttpOnly flag on a cookie, you can help to protect against XSS attacks by preventing the cookie from being accessed by client-side scripts. This can help to prevent attackers from stealing the cookie and using it to gain unauthorized access to the site.
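To make the SameSite and HttpOnly rules above concrete, here is an added example (not code from the original post) that models a browser's decision to attach a cookie to a request and a page script's ability to read it. It assumes an exact hostname comparison for "same site" (real browsers compare registrable domains), treats a cookie with no SameSite attribute as Lax (as current Chrome does), and uses the constructed hostnames bank.example and evil.example.

```javascript
// Added example, not from the original post. Assumptions: "same site" is an
// exact hostname match, and a missing SameSite attribute defaults to Lax.
// Parse a Set-Cookie header value into the attributes this model cares about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   sameSite: "Lax", httpOnly: false, secure: false };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "samesite" && v) {
      cookie.sameSite = v[0].toUpperCase() + v.slice(1).toLowerCase();
    } else if (key === "httponly") {
      cookie.httpOnly = true;
    } else if (key === "secure") {
      cookie.secure = true;
    }
  }
  return cookie;
}

// Would the browser attach this cookie to the request?
// req = { site, initiatorSite, topLevelNavigation, method, https }
function willSend(cookie, req) {
  if (cookie.secure && !req.https) return false;      // Secure: HTTPS only
  if (req.initiatorSite === req.site) return true;    // same-site: always sent
  switch (cookie.sameSite) {
    case "Strict": return false;                      // never cross-site
    case "Lax":    return req.topLevelNavigation && req.method === "GET";
    case "None":   return cookie.secure;              // None requires Secure
    default:       return false;
  }
}

// Can document.cookie on the page read it? Not if HttpOnly is set.
function scriptCanRead(cookie) {
  return !cookie.httpOnly;
}

// Constructed scenarios from the post: a hidden iframe form POST from a
// malicious site, and the user clicking a link there that leads to your site.
const sid = parseSetCookie("session_id=abc123; SameSite=Lax; HttpOnly; Secure");
const iframePost = { site: "bank.example", initiatorSite: "evil.example",
                     topLevelNavigation: false, method: "POST", https: true };
const linkClick = { ...iframePost, topLevelNavigation: true, method: "GET" };
console.log("iframe POST sends cookie:", willSend(sid, iframePost)); // false
console.log("link click sends cookie:", willSend(sid, linkClick));   // true
console.log("script can read cookie:", scriptCanRead(sid));          // false
```

Switching the header to SameSite=Strict makes the link-click case return false as well, which is the functional trade-off described above.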

Why do we need to accept cookies on different websites?

Websites use cookies to personalize the user experience, keep users logged in, remember user preferences, and track user activity on the site. Some websites rely heavily on cookies for advertising or analytics purposes, which many people regard as an invasion of privacy.

TL;DR: the Facebook/Cambridge Analytica scandal gave rise to the enforcement of GDPR. GDPR requires websites that serve EU and EEA visitors to display an affirmative consent form.

The Facebook/Cambridge Analytica Scandal

The Cambridge Analytica scandal was a data privacy scandal that came to light in early 2018. It involved the unauthorized collection of millions of Facebook users’ personal data by a political consulting firm named Cambridge Analytica. The firm used this data to influence voter opinion and behavior during the 2016 U.S. presidential election.

Cambridge Analytica obtained the data through a third-party app that was developed by a researcher named Aleksandr Kogan. The app, which was a personality quiz, was able to collect data not just from the users who took the quiz, but also from their friends. This allowed Cambridge Analytica to collect data on millions of Facebook users without their knowledge or consent.

The company was able to gather data on 50 million Facebook users in this way. With this data, Cambridge Analytica was able to create detailed profiles of voters, which were used to target them with personalized political advertisements. This scandal brought the issue of data privacy to the forefront and raised serious concerns about the way companies like Facebook protect users’ personal data.

Enforcement of GDPR

This incident happened before the enforcement of GDPR on May 25, 2018; however, it raised awareness of data privacy and the importance of obtaining informed consent for the collection and use of personal data. As a result, the GDPR was enforced in the EU. The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It came into effect on May 25, 2018, and replaces the 1995 Data Protection Directive.

GDPR is a stricter privacy regulation: companies have to be more transparent about their data collection activities and give users more control over their data.

One of the requirements of GDPR is that organizations must obtain explicit and informed consent from users for the collection, use, and storage of their personal data. This includes the use of cookies and similar technologies.

Under GDPR, cookies are considered personal data if they can be used to identify an individual. Therefore, websites that operate in the EU or target EU citizens must obtain consent from users before placing cookies on their devices. This is usually done through a pop-up or banner that informs users about the cookies and asks them to accept or reject them.

In addition, GDPR requires that users have the right to withdraw their consent at any time and that they are informed about how their data is collected and used, including the use of cookies.

Consent under GDPR must be a clear affirmative action and of an opt-in nature. Pre-ticked boxes or inactivity (silence, failure to object) do not count as valid consent. The user needs to be proactive in giving consent.

It’s worth noting that GDPR only applies to EU and EEA countries, but many website owners around the world have adopted similar consent mechanisms to be on the safe side and provide more transparency for users.
