How Cookies Work
There's a happy "cookie monster" living in your web browser!
Here's the story of what your browser's cookie monster does with cookies when you visit web pages.
The cookie monster in your browser has a cupboard of cookies. The cupboard has lots of compartments, one compartment for every website that has given the cookie monster a cookie.
The cookie monster also has a cookie copying machine. (More about that in just a moment.)
The cookie monster is so happy because he gets to eat the cookies. Not right away, though; he has to wait until they expire. Until that time, he can look at all those delicious cookies in their compartments and anticipate eating them.
When the browser revisits a website with a web page that had previously given the cookie monster a cookie, the cookie monster has to give the same cookie back to the page.
But not the original cookie. The cookie monster is pretty sneaky. He makes a copy of the cookie so exact the web page can't tell the difference. And then gives the copy to the web page. The cookie monster keeps the original for himself, so he can eat it when it expires.
The web page may do anything it wants with the copy of the cookie, including ignoring it. The page may even eat the cookie right in front of the cookie monster. But the monster just smiles. He has the original secure in his cupboard.
Every cookie from a website has its own name. And every cookie is marked with a directory location for the web page that gave the cookie monster the cookie.
When the browser is about to load a web page, the cookie monster takes a quick look at the directory location. The monster then makes a copy of every cookie marked with that directory location and offers the copies to the web page.
The cookie monster stands ready to receive any new cookies the page hands to it. The monster willingly and eagerly accepts all cookies. And never returns the original.
So why would browsers have cookie monsters? And why would web pages give cookies to the cookie monster only to later be offered a copy?
There are two reasons:
- Because of what cookies are made of, the cookie content. Cookies can be made of any plain text, so long as the cookie size is no larger than 4k.
- Because browsers only identify themselves in general to web pages. A page can never be sure it's the same browser coming back, unless the cookie monster offers a copy of a cookie the site previously gave to it.
Before offering a copy of a cookie, the cookie monster always verifies it is the same website that gave it the cookie in the first place.
The cookie monster is forbidden to share cookies with cookie monsters living in other browsers. Not that any of the monsters would share; they're pretty protective of their stash.
(People can make copies of cookies and give them to other cookie monsters. But cookie monsters can't.)
When a cookie monster offers a copy of a cookie to a web page, the page is as certain as it can be that the browser is the same one that visited before.
Taking the above into consideration, it is expected that when a browser visits a web page and the web page wants to remember something about the visit, it makes up a cookie with the data it wants to remember.
The cookie is then given to the cookie monster for safe keeping.
I realize it may be counter-intuitive to give anything to a cookie monster for safe keeping. Your intuition actually is correct. At any time, the operator of the browser can tell the cookie monster to go ahead and eat all the cookies.
But the cookie monster can't do it without explicitly being told to do so – unless the cookie expires, in which case the cookie monster has automatic permission to eat it. And eagerly does.
You see, every cookie comes with an expiration date. It's what the cookie monster lives for, eating cookies when they expire – at the very instant.
Those two are the only conditions under which the cookie monster can eat cookies:
- When explicitly told to do so.
- When individual cookies expire.
But that's good enough for the cookie monster. He lives to eat cookies.
The cookie monster's compliance is assured by its programming. As you've probably suspected, the cookie monster is like a machine or robot and has no choice but to follow the rules.
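Here are the cupboard's rules written out as a small JavaScript sketch. It is an added example, not part of the original article: the `CookieCupboard` class, its method names and the example.com / example.org sample data are made up for illustration. The directory check follows the usual cookie path-matching rule, under which a cookie marked `/shop` is also offered to pages beneath `/shop/`.

```javascript
// Added illustration: a toy cookie cupboard. All names here are hypothetical.
class CookieCupboard {
  constructor() { this.compartments = new Map(); } // one compartment per website

  // A page hands over a cookie: name, text content, directory location, expiry (ms).
  accept(site, { name, value, path = "/", expires }) {
    // Size limit of 4k, as stated in the article (measured here on name + content).
    if (new TextEncoder().encode(name + value).length > 4096) return false;
    if (!this.compartments.has(site)) this.compartments.set(site, new Map());
    this.compartments.get(site).set(`${name};${path}`, { name, value, path, expires });
    return true;
  }

  // Directory check: does the cookie's directory cover the page being loaded?
  static covers(cookiePath, pagePath) {
    if (pagePath === cookiePath) return true;
    return pagePath.startsWith(cookiePath) &&
      (cookiePath.endsWith("/") || pagePath[cookiePath.length] === "/");
  }

  // Before a page loads: eat expired cookies, then offer copies of the matching ones.
  offer(site, pagePath, now = Date.now()) {
    const shelf = this.compartments.get(site); // only this site's compartment is opened
    if (!shelf) return [];
    const copies = [];
    for (const [key, cookie] of shelf) {
      if (cookie.expires <= now) { shelf.delete(key); continue; } // expired: eaten
      if (CookieCupboard.covers(cookie.path, pagePath)) copies.push({ ...cookie });
    }
    return copies; // copies only; the originals stay in the cupboard
  }

  // The operator of the browser tells the monster to eat everything.
  clearAll() { this.compartments.clear(); }
}

// Constructed sample data; example.com and example.org are placeholder sites.
function demo() {
  const jar = new CookieCupboard();
  const t0 = 1000000; // arbitrary "now" in ms
  jar.accept("example.com", { name: "visitor", value: "abc123", path: "/", expires: t0 + 60000 });
  jar.accept("example.com", { name: "cart", value: "3 items", path: "/shop", expires: t0 + 5000 });
  return {
    shopPage: jar.offer("example.com", "/shop/checkout", t0).map(c => c.name),
    otherSite: jar.offer("example.org", "/shop/checkout", t0).map(c => c.name),
    afterExpiry: jar.offer("example.com", "/shop/checkout", t0 + 10000).map(c => c.name),
  };
}
console.log(demo());
```

The other site gets nothing because only the visiting site's compartment is opened, and the `cart` cookie disappears from the last result because it expired in between.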
The cookie monster in your web browser loves the cookies given to him and takes good care of them. (And we're pretty sure he loves it when it comes time to "eat cookies"!)
Will Bontrager