A user’s session cookie (also known as an in-memory cookie or transient cookie) for a website exists in temporary memory only while the user is reading and navigating the website. When an expiry date or validity interval is not set at cookie creation time, a session cookie is created. Web browsers normally delete session cookies when the user closes the browser.
A persistent cookie will outlast user sessions. If a persistent cookie has its Max-Age set to 1 year, then, within the year, the initial value set in that cookie would be sent back to the server every time the user visited the server. This could be used to record a vital piece of information such as how the user initially came to this website. For this reason persistent cookies are also called tracking cookies.
A secure cookie has the secure attribute enabled and is only used via HTTPS, ensuring that the cookie is always encrypted when transmitting from client to server. This makes the cookie less likely to be exposed to cookie theft via eavesdropping.
First-party cookies are cookies set with the same domain (or its subdomain) as your browser’s address bar. Third-party cookies are cookies set with domains different from the one shown on the address bar. The web pages on the first domain may feature content from a third-party domain, e.g. a banner advert run by
http://www.advexample.com. Privacy setting options in most modern browsers allow you to block third-party tracking cookies.
As an example, suppose a user visits
http://www.example1.com, which includes an advert which sets a cookie with the domain
ad.foxytracking.com. When the user later visits
http://www.example2.com, another advert can set another cookie with the domain
ad.foxytracking.com. Eventually, both of these cookies will be sent to the advertiser when loading their ads or visiting their website. The advertiser can then use these cookies to build up a browsing history of the user across all the websites this advertiser has footprints on.
A “supercookie” is a cookie with an origin of a Top-Level Domain (TLD) or an effective Top-Level Domain. Some domains that are considered, “Top-Level” may in fact be a secondary or lower-level domain. For example,
k12.ca.us are considered Top-Level even though they are multiple levels deep. These domains are referred to as Public Suffixes and are not open for reservation by end-users.
Most browsers, by default, allow first-party cookies—a cookie with domain to be the same or sub-domain of the requesting host. For example, a user visiting
http://www.example.com can have a cookie set with domain
.example.com. A so-called “supercookie” is a cookie originating from a Public Suffix or Top-Level Domain such as,
.com. It is important that these cookies are blocked by browsers otherwise, an attacker in control of malicious website with domain
.com could set a “supercookie” and potentially disrupt or impersonate legitimate user requests to
example.com. Thus taking advantage of the fact that
.com can set valid cookies for sub-domain
The Public Suffix List is a cross-vendor initiative to provide an accurate list of domain name suffixes changing. Older versions of browsers may not have the most up-to-date list, and will therefore be vulnerable to supercookies from certain domains.
Supercookie (other uses)
The term “supercookie” is sometimes used for tracking technologies that do not rely on HTTP cookies. Two such “supercookie” mechanisms were found on Microsoft websites: cookie syncing that respawned MUID cookies, and ETagcookies. Due to media attention, Microsoft later disabled this code:
In response to recent attention on “supercookies” in the media, we wanted to share more detail on the immediate action we took to address this issue, as well as affirm our commitment to the privacy of our customers. According to researchers, including Jonathan Mayer at Stanford University, “supercookies” are capable of re-creating users’ cookies or other identifiers after people deleted regular cookies. Mr. Mayer identified Microsoft as one among others that had this code, and when he brought his findings to our attention we promptly investigated. We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued. We accelerated this process and quickly disabled this code. At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft.
Some cookies are automatically recreated after a user has deleted them; these are called zombie cookies. This is accomplished by a script storing the content of the cookie in some other locations, such as the local storage available to Flash content, HTML5 storages and other client side mechanisms, and then recreating the cookie from backup stores when the cookie’s absence is detected.