
Cookie (HTTP)

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Cookie (HTTP)
Caption: HTTP cookie header format example
Introduced: 1994
Inventor: Netscape Communications
Standardized: RFC 6265
Type: Web storage mechanism

HTTP cookies are small pieces of data sent from a web server and stored in a user's web browser to maintain stateful information across HTTP requests. They enable session management, personalization, and tracking for web applications; they are supported by web browsers and web servers and specified by standards bodies.

History

Cookies originated at Netscape Communications in 1994, introduced during the development of the Netscape Navigator browser as a solution to session management, and were used by early web applications and services such as e-commerce platforms and dynamic web hosting experiments. Adoption spread with contributions from implementers at Microsoft Corporation during the development of Internet Explorer and was influenced by discussions at standards venues including the Internet Engineering Task Force and the World Wide Web Consortium, with participants from organizations like AOL and Yahoo!. Public concerns over tracking led to investigative reporting by outlets such as The New York Times and prompted regulatory attention from bodies such as the Federal Trade Commission and the European Commission.

Specification and Standards

Cookie behavior and serialization have been specified in a series of documents culminating in RFC 6265, published by the Internet Engineering Task Force, which superseded earlier drafts and clarifications debated in IETF working groups alongside input from Mozilla Foundation engineers and contributors from Google LLC and Apple Inc. The specification defines headers like Set-Cookie and Cookie and attributes such as Expires, Max-Age, Domain, Path, Secure, HttpOnly, and SameSite, and it interacts with protocol norms from Hypertext Transfer Protocol standards and security practices advocated by organizations like the Open Web Application Security Project.

Functionality and Types

Cookies implement stateful patterns for web applications and are categorized by duration and scope: session cookies, persistent cookies, first-party cookies, and third-party cookies. They are used across ecosystems that include services from Facebook, Amazon, and Adobe Inc. for authentication, shopping carts, and analytics. Attributes provide control over access and transport security, as used by implementations in Google Chrome, Mozilla Firefox, Apple Safari, and Microsoft Edge to enforce Secure and HttpOnly behaviors, while SameSite mitigations were introduced following proposals from researchers and standards contributors connected to IETF discussions and security advisories by groups such as the CERT Coordination Center.

Security and Privacy Issues

Cookies can be abused for session hijacking, cross-site request forgery, and cross-site scripting exploits examined by researchers at institutions like Stanford University, Massachusetts Institute of Technology, and security firms such as Symantec and Kaspersky Lab. Tracking via third-party cookies raised privacy concerns highlighted in reports by the European Data Protection Board and investigations by the Federal Trade Commission, prompting browser vendors including Apple Inc., Google LLC, and Mozilla Foundation to implement restrictions and deprecation timelines tied to privacy initiatives like Privacy Sandbox and regulatory frameworks such as the General Data Protection Regulation.
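
The attributes listed under Specification and Standards are the main per-cookie controls against the abuses named above. The following is an added example, not part of the original article: it parses Set-Cookie header values and reports which protective attributes are missing. The cookie names, sample headers and function names are constructed for illustration.

```python
# Added example: audit Set-Cookie header values for protective attributes.
# The three sample headers below are constructed for illustration.
WEAK = "SESSIONID=abc123; Path=/; Domain=example.com"
HARDENED = "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600"
CROSS_SITE = "widget=1; SameSite=None; HttpOnly"


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs)."""
    first, *rest = header_value.split(";")
    name, _, value = first.partition("=")       # value may itself contain "="
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()   # names are case-insensitive
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value, sensitive=True):
    """Return a list of findings for one Set-Cookie header value."""
    _, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if sensitive and "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by page script")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax", "none"):
        findings.append("missing or invalid SameSite: browser default applies")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    if "domain" in attrs:
        findings.append("Domain set: cookie is also sent to subdomains")
    if "max-age" in attrs and "expires" in attrs:
        findings.append("both Max-Age and Expires set: Max-Age takes precedence")
    return findings


if __name__ == "__main__":
    for header in (WEAK, HARDENED, CROSS_SITE):
        print(header, "->", audit_cookie(header) or "no findings")
```

Pass sensitive=False for cookies that page script is meant to read, such as UI preferences, so that a missing HttpOnly is not reported for them.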

Implementation and Browser Behavior

Browser behavior varies: Google Chrome and Mozilla Firefox implemented SameSite defaults and partitioning proposals influenced by work from IETF drafts and experiments from companies like Microsoft Corporation and Apple Inc.; Safari introduced Intelligent Tracking Prevention informed by research from University of California, Berkeley and industry pressure from advertisers represented by Interactive Advertising Bureau. Differences exist in cookie storage limits, eviction policies, and rule precedence across engines such as Blink, Gecko, and WebKit, and in developer tools and APIs provided by browser vendors for debugging and inspection.

Server-side Handling and Use Cases

On the server side, frameworks and platforms like Apache HTTP Server, Nginx, Node.js, Django, Ruby on Rails, ASP.NET, and PHP expose cookie APIs for session identifiers, CSRF tokens, preference storage, and A/B testing, often integrated with back-end services such as Redis, Memcached, and databases like MySQL or PostgreSQL for session persistence. Enterprise uses span single sign-on with providers like Okta and Microsoft Azure Active Directory, personalization engines from Salesforce and Oracle Corporation, and analytics processing by vendors such as Google Analytics and Adobe Analytics.
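
The session-identifier and CSRF-token uses described above can be sketched with Python's standard library. This is an added example, not part of the original article and not any framework's own code: the in-memory SESSIONS dictionary stands in for Redis, Memcached or a database, and SERVER_KEY, the cookie name sid and all function names are assumptions. The CSRF token is derived from the session identifier with an HMAC, which is one common pattern among several.

```python
# Added example: server-side session cookie plus a CSRF token bound to it.
# SERVER_KEY, SESSIONS, "sid" and the function names are illustrative assumptions.
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret, kept server-side
SESSIONS = {}                          # stands in for Redis/Memcached/a database
SESSION_TTL = 3600                     # seconds


def csrf_token(sid):
    """Token derived from the session id; sent in forms, not in a cookie."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def start_session(user):
    """Create a session record; return (Set-Cookie value, CSRF token)."""
    sid = secrets.token_urlsafe(32)    # unguessable identifier, no user data inside
    SESSIONS[sid] = {"user": user, "expires": time.time() + SESSION_TTL}
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["path"] = "/"
    cookie["sid"]["max-age"] = SESSION_TTL
    cookie["sid"]["secure"] = True     # only sent over HTTPS
    cookie["sid"]["httponly"] = True   # not readable from page script
    cookie["sid"]["samesite"] = "Lax"
    return cookie["sid"].OutputString(), csrf_token(sid)


def load_session(cookie_header):
    """Resolve a request's Cookie header to a live session id, or None."""
    morsel = SimpleCookie(cookie_header).get("sid")
    record = SESSIONS.get(morsel.value) if morsel else None
    if record is None or record["expires"] < time.time():
        return None                    # unknown, forged or expired identifier
    return morsel.value


def check_state_change(cookie_header, submitted_token):
    """Allow a state-changing request only with a live session and matching token."""
    sid = load_session(cookie_header)
    if sid is None:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(csrf_token(sid).encode(), submitted_token.encode())
```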

Legal frameworks and enforcement actions have affected cookie practices: the European Union Cookie Directive and subsequent guidance from the European Data Protection Board and national data protection authorities shaped consent requirements, while enforcement by the Information Commissioner's Office and rulings by the Court of Justice of the European Union clarified obligations under the General Data Protection Regulation. In the United States, investigations and settlements by the Federal Trade Commission and policy debates in the United States Congress influenced disclosure and opt-in practices, and industry self-regulation through bodies like the Interactive Advertising Bureau and standards from the World Wide Web Consortium continue to inform compliance.
