What are internet cookies and sessions?

What are cookies and sessions, and how are they used by site owners? They are used to track your usage across their sites. Both store information about you as a user which the site owner has deemed important for the user experience of the site. Cookies sit in the browser, allowing browser-side technologies like JavaScript to access the information, while sessions are hosted on the server side.

Cookies and sessions can be thought of as a text file which is programmed to store key information such as a Google Analytics ID. Cookies can be implemented by the site owner on behalf of third parties like Google; this is done to gather feedback on the user experience (UX) of the site. Things that are looked for include which pages on a site got views and which buttons on the page were clicked the most. It can also help with user interface (UI) design through A/B testing, where one site runs with two views; based on the tracked UX, the site owner then implements whichever view they see as the most successful.

The rules for cookie expiration are set by the website. By default, when no expiration is stored in the cookie information, the cookie is removed when you close the window. Banks employ this method so that if you don’t click log out, you can just close the window to get the same effect. Other sites, like Google and Facebook, may not want the cookies to expire at all. Since sites must set an expiry date even though they would prefer the website to remember you across several browser closings, the date is set very far in the future, e.g. in 10 years. Sessions work similarly, but instead of ending when a window is closed, a session is set with an expiry or timeout.

Cookies and sessions work together to keep you logged in after you close a window. This is done by a cookie that stores a session ID corresponding to a session. On your next visit, if neither the cookie nor the session has expired, the session ID is used to log you in. To stop a hacker from using the session ID stored in the cookie, best practice is to use HTTPS to encapsulate the communication while the session is being created, so only the sender and receiver can see the information. Another way is to verify your digital fingerprint, i.e. check whether the same computer is being used or whether the IP address you’re using is the same.

Now I have heard that every time you log out of an account online, specifically a banking-related one, you have to close the window and/or browser completely. This is not true, as the act of clicking the logout button tells the site that it must terminate both the cookies and sessions related to the account you were using.
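The cookie-plus-session flow described above (session ID in a cookie, server-side timeout, fingerprint check, logout ending both) can be sketched as follows. This is an added example, not code from the original page; the cookie name `sid`, the 30-minute timeout and the function names are assumptions made for illustration.

```python
import hashlib, secrets, time
from http.cookies import SimpleCookie

SESSION_TTL = 1800   # assumed 30-minute server-side timeout
SESSIONS = {}        # session ID -> record; stands in for the server's session store

def fingerprint(user_agent, ip):
    """Hash of the client traits the article mentions (same computer, same IP)."""
    return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()

def build_cookie(value, max_age):
    """Set-Cookie value: sent over HTTPS only, hidden from page JavaScript."""
    c = SimpleCookie()
    c["sid"] = value
    c["sid"]["max-age"] = max_age    # omit this attribute for a close-the-window cookie
    c["sid"]["path"] = "/"
    c["sid"]["secure"] = True        # never sent over plain HTTP
    c["sid"]["httponly"] = True      # not readable via document.cookie
    c["sid"]["samesite"] = "Lax"
    return c["sid"].OutputString()

def login(user, user_agent, ip, now=None):
    """Create the server-side session; return (session ID, Set-Cookie value)."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # unguessable random session ID
    SESSIONS[sid] = {"user": user, "expires": now + SESSION_TTL,
                     "fp": fingerprint(user_agent, ip)}
    return sid, build_cookie(sid, SESSION_TTL)

def validate(cookie_header, user_agent, ip, now=None):
    """Return the user if cookie, session and fingerprint all check out, else None."""
    now = time.time() if now is None else now
    jar = SimpleCookie(cookie_header)
    rec = SESSIONS.get(jar["sid"].value) if "sid" in jar else None
    if rec is None:
        return None
    if now >= rec["expires"]:        # the server-side session timed out
        SESSIONS.pop(jar["sid"].value, None)
        return None
    if not secrets.compare_digest(rec["fp"], fingerprint(user_agent, ip)):
        return None                  # session ID presented from a different client
    return rec["user"]

def logout(cookie_header):
    """Terminate both halves: drop the session and expire the browser cookie."""
    jar = SimpleCookie(cookie_header)
    if "sid" in jar:
        SESSIONS.pop(jar["sid"].value, None)
    return build_cookie("deleted", 0)
```

Binding a session to the IP address will also reject legitimate users whose address changes mid-session, for example on mobile networks.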

Sessions, while broadly similar to cookies, have a limitation: a session is limited to the site you are currently accessing, as it’s stored on the server that’s hosting the site. Cookies are limited to a domain name, i.e. comtechsup.com.au. However, third parties like Google can put their cookies on to your site if the site builder includes the third party’s code in the site. The advantage of this is that Google can access google.com domain cookies on comtechsup.com.au as well. The site builder can pass information to google.com to make what Google collects more valuable, such as a user ID. This site only shares the bare minimum information with Google, such as what pages were viewed, what browser was being used and what IP address the computer was using.

Google and Facebook can detect many actions that you do across all sites that have their code implemented, which is one of the ways they target ads and search results for the specific user. They can even link your actions back to your account when you log in. This means that even if you are not logged into Facebook, you are still tracked as if you were logged in, as long as you have not cleared your cookies. Facebook can associate the site activity back to you as the user. Due to how browsers work in keeping cookies and allowing access to cookies of the same domain, every tab can access the tracking cookies even though the tab isn’t directly Google or Facebook.

To anonymise yourself, you could use plugins that stop the use of tracking cookies, or you can use private mode in Firefox or Incognito mode in Chrome. Private mode stops cookies from being used across multiple windows and/or tabs, but it also stops the browser from keeping history. This can be limiting, because if you accidentally close a tab or window you can’t reopen it using history.

Cookies and sessions are small files stored on the server and browser sides of the internet communication. They are helpful to businesses for learning about their customers’ usage of the site, in order to provide more targeted advertising and/or build better UX/UI designs to achieve the goals of their website. This means Facebook and Google are not free; we are the products.
