Browser cookies are pieces of information that remote servers set in your browser. Many people have heard the term but are not really clear on the use case it is intended to cover. In this blog post, I will discuss why we needed this technique in the first place, and how it helps servers enhance the end-user experience. But before we begin, we need to talk a bit about the HTTP protocol.

HTTP is the protocol that browser clients use to communicate with remote servers.

When a user wants to access the Google search page, the user types the https://www.google.com URL in the address bar of the browser. The browser then makes an HTTP GET request and retrieves the HTML content needed to render the Google search home page. This is a simple example of an HTTP request. Similarly, web browsers make a countless number of HTTP requests each day to render all the webpages that we access on a daily basis.

But the important thing to notice here is that HTTP requests are stateless. This means that an HTTP request is completely unaware of any other requests made before it; the server has no built-in way to relate one request to an earlier one.

The stateless nature of HTTP requests negatively impacted the end-user experience once businesses started using webpages to engage with customers. For example, an e-commerce website often needs to keep track of a shopping cart for a given browser session.

When a user clicks a button to add item A to the shopping cart, the e-commerce server should still remember that information when the user clicks the button to add item B. Otherwise it cannot keep track of a shopping cart at all, and it would have to ask the user to first finish buying item A before moving on to item B.

In order to solve these kinds of problems, the computer programmer Louis J. Montulli II invented a browser feature called the HTTP cookie while he was working on the Netscape browser back in 1994. The core idea behind the HTTP cookie is to let a remote server send a small state object (the HTTP cookie) in its response and expect the browser client to send it back whenever the client makes an HTTP request to the same remote server again.

Let's have a look at how the e-commerce problem that we discussed earlier can be solved with an HTTP cookie.

When the user clicks a button to add item A to the shopping cart, the browser client sends an HTTP request to the remote server asking for exactly that. The remote e-commerce server adds item A to the shopping cart and sends a successful response to the browser client. Along with this response, the remote server also includes a specific instruction to create a cookie in the client browser that holds the current shopping cart status. Upon receiving the instruction, the client browser creates an HTTP cookie with the current shopping cart status.

When the user clicks to add item B to the cart, the client browser again sends an HTTP request to the remote server. But this time it notices that there is a cookie created earlier by the same remote server, so it includes this cookie in the request as well. The remote server notices that the incoming request carries a browser cookie, reads the cookie data, and identifies that item A already exists in the shopping cart. Therefore it updates the shopping cart status to hold both item A and item B, and sends the response back to the client browser with the updated cookie.

In this way, the remote server remembers the shopping cart status via the HTTP cookie, thus improving the end-user experience. One thing to mention about cookies is that they include an attribute with domain information. The client browser will send a cookie only if the requested domain is the same as the domain specified in the cookie, or if the requested domain is a sub-domain of the domain specified in the cookie.

Assume that the remote server's host domain is "flowers.retail.com" and it sets a cookie called "shoppingCart" in the browser. This cookie will be included whenever the browser makes a request to the domain "flowers.retail.com" or "books.retail.com", but it will not be included if the requested domain is "flowers.internal.com".
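As an added example (not code from the original post), the following Python script simulates the two-request shopping-cart exchange described above together with the domain rule: a tiny browser-side cookie jar that stores what a Set-Cookie header says and decides which cookies to attach to the next request, and a server handler that reads the cart back from the Cookie header. It assumes the server sets Domain=retail.com explicitly; without a Domain attribute, browsers treat a cookie as host-only and would not send the flowers.retail.com cookie to books.retail.com. It also adds one precaution the post does not discuss: because the cart lives in the client's cookie, the server signs it with an HMAC and ignores any value it did not issue. The secret key, host names and cookie contents are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real server keeps this out of source control.
SECRET = b"constructed-demo-secret"


def sign_cart(cart):
    """Encode the cart as a cookie value and append an HMAC tag so the server
    can later tell whether the client changed it."""
    payload = base64.urlsafe_b64encode(json.dumps(cart).encode()).decode().rstrip("=")
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cart(value):
    """Return the cart list if the tag matches, otherwise an empty cart."""
    payload, sep, tag = value.rpartition(".")
    if not sep:
        return []
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return []
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def server_add_item(request_headers, item):
    """Server side: read the cart from the Cookie header, add the item, and
    re-issue the cookie.  Domain=retail.com makes it shared across subdomains."""
    cart = []
    for pair in (request_headers.get("Cookie") or "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name == "shoppingCart":
            cart = verify_cart(value)
    cart.append(item)
    set_cookie = (f"shoppingCart={sign_cart(cart)}; Domain=retail.com; Path=/; "
                  "Secure; HttpOnly; SameSite=Lax")
    return {"Set-Cookie": set_cookie}, cart


class CookieJar:
    """Minimal browser-side jar applying the RFC 6265 domain-matching rule."""

    def __init__(self):
        self.cookies = {}  # (domain, name) -> (value, host_only)

    def store(self, request_host, set_cookie):
        parts = [p.strip() for p in set_cookie.split(";")]
        name, _, value = parts[0].partition("=")
        domain, host_only = request_host, True
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            if key.lower() == "domain" and val:
                candidate = val.lstrip(".").lower()
                # A server may only set cookies for its own host or a parent domain.
                if not (request_host == candidate or request_host.endswith("." + candidate)):
                    return False  # browsers drop cookies for unrelated domains
                domain, host_only = candidate, False
        self.cookies[(domain, name)] = (value, host_only)
        return True

    def cookie_header(self, request_host):
        pairs = []
        for (domain, name), (value, host_only) in self.cookies.items():
            if host_only:
                match = request_host == domain
            else:
                match = request_host == domain or request_host.endswith("." + domain)
            if match:
                pairs.append(f"{name}={value}")
        return "; ".join(pairs) if pairs else None


def run_scenario():
    """Replay the two requests from the post and report where the cookie travels."""
    jar, host = CookieJar(), "flowers.retail.com"
    # Request 1: add item A; the browser has no cookie for this server yet.
    resp, cart = server_add_item({}, "A")
    jar.store(host, resp["Set-Cookie"])
    # Request 2: add item B; the browser attaches the cookie it stored.
    resp, cart = server_add_item({"Cookie": jar.cookie_header(host)}, "B")
    jar.store(host, resp["Set-Cookie"])
    return {
        "cart": cart,
        "sent_to_books": jar.cookie_header("books.retail.com") is not None,
        "sent_to_internal": jar.cookie_header("flowers.internal.com") is not None,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The jar's `store` method also shows why the post's example depends on the Domain attribute: if the server omits it, the same cookie is stored as host-only and `cookie_header("books.retail.com")` returns nothing. The HMAC check is what stops a client from editing the cart cookie into something the server never issued, which is the usual reason servers either sign client-held state or keep only an opaque session identifier in the cookie.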

That's all about browser cookies! Apart from the simple e-commerce use case, cookies are used in a wide range of applications. There are many useful use cases built on browser cookies, such as identity providers using cookies to provide seamless login experiences like single sign-on. There are also many debatable use cases where cookies pose threats to the end-user's privacy: because cookies can store state information, websites can use them to track users across websites and analyze user behavior for targeted advertising. However, that would be a separate topic for another blog! Let me know what you think about this blog post in the comment section below.

Cloud and AI Researcher | Former Senior Full-Stack Engineer@WSO2 | IAM Specialist | Ph.D. Candidate