A cookie is a small piece of text (a name, a value and a few attributes) that a website asks the browser to store on the user's device, so that information about the user can be remembered across page loads and visits.
Cookies are set by the web server, which sends them in a Set-Cookie header of an HTTP response, and stored by the browser on the user's device. The browser sends them back, in a Cookie header, with future requests to the same site, so the server can recognise the user.
What cookies typically hold:
- Login state: which user is currently signed in.
- Session data: items in a shopping cart, in-progress form data.
- Preferences: language, dark mode, font size.
- Tracking IDs: a unique identifier for analytics or advertising.
A cookie is plain text data, not a program. Cookies cannot themselves run code or directly attack the user's computer; any risk comes from what they store and from who can read them. (Whether the information they carry is privacy-friendly is a separate question; see "Privacy concerns" below.)
Two types of cookie
The IGCSE syllabus names two types: session cookies and persistent cookies.
| | Session cookie | Persistent cookie |
|---|---|---|
| Stored in | RAM (the browser's memory) | Hard disk / SSD (a file on the user's device) |
| Lifespan | Lasts only while the browser is open | Has an expiry date; can survive for days, weeks or years |
| Discarded | Once the user closes the browser | When the expiry date passes, or when the user clears them manually |
| How the server marks it | A Set-Cookie header with no Expires or Max-Age attribute | A Set-Cookie header with an Expires date or a Max-Age lifetime |
| Typical use | Keeping the user logged in for one visit; remembering shopping-cart contents during the same browsing session | Remembering login between visits ("remember me"); remembering preferences (e.g. language, theme); long-term analytics and advertising IDs |
A worked example: online shopping
Example — A user visits an online clothes shop, adds three items to their cart, then closes the browser. Two weeks later they return. What happens to their cart?
- The shopping-cart contents were probably stored in a session cookie, so they were deleted when the browser closed. The cart is empty on the return visit.
- The site's language preference ("English") was probably stored in a persistent cookie with a long expiry, so the site loads in English again straight away.
- If the user had been logged in and ticked "remember me", a persistent cookie would have kept them logged in too; otherwise the login session ended with the browser.
Privacy concerns
Cookies started out as simple tools for site convenience. Over time, they became a major privacy issue:
- Third-party tracking cookies: when many sites embed content from the same advertising or analytics company (e.g. an ad network's script), the browser sends that company's cookie back on every one of those sites. This lets the third party build a profile of the user's browsing across many sites, even ones the user did not realise were linked.
- Personal information storage: some cookies hold names, email addresses, login tokens or other personal data. If the device is shared or compromised, this data may be exposed.
- Session hijacking: if an attacker can read a logged-in user's session cookie (e.g. by sniffing an unencrypted HTTP connection), they can send it with their own requests and be treated as that user without ever knowing the password. This is one reason a site that uses login cookies should use HTTPS throughout, not just on the login page, and should mark the cookie Secure so the browser never sends it over plain HTTP.
- Lack of transparency: most users do not know exactly what each cookie stores or what the site does with the data.
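The session/persistent distinction in the table above, the clothes-shop example and the hijacking point can all be shown with a small model of a browser's cookie jar. The following Python is an added example, not code from the original note: the Set-Cookie header values, cookie names, token values and dates are constructed, the jar is a deliberately simplified model of browser behaviour (one site, no Path or Domain handling), and the audit also checks the HttpOnly attribute, which keeps a cookie out of reach of scripts running in the page and goes slightly beyond the HTTPS point made in the text.

```python
# Toy cookie jar: session vs persistent lifetimes, plus a Secure/HttpOnly check.
# Added example, not part of the original note: header values, names and dates
# are constructed, and the jar is a simplified model of a browser's behaviour.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    expires: Optional[datetime] = None   # None means "session cookie"
    secure: bool = False                 # only ever sent over HTTPS
    http_only: bool = False              # hidden from page scripts

    @property
    def is_session(self) -> bool:
        return self.expires is None


def parse_set_cookie(header: str, now: datetime) -> Cookie:
    """Parse one Set-Cookie value (simplified). No Expires/Max-Age => session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie, max_age = Cookie(name.strip(), value.strip()), None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "expires":
            cookie.expires = parsedate_to_datetime(val.strip())
        elif key == "max-age":
            max_age = int(val)
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    if max_age is not None:               # Max-Age takes priority over Expires
        cookie.expires = now + timedelta(seconds=max_age)
    return cookie


class CookieJar:
    """Minimal model of a browser's cookie store for a single site."""

    def __init__(self, now: datetime):
        self.now = now
        self.cookies: dict[str, Cookie] = {}

    def receive(self, set_cookie_headers: list[str]) -> None:
        for h in set_cookie_headers:
            c = parse_set_cookie(h, self.now)
            if c.expires is not None and c.expires <= self.now:
                self.cookies.pop(c.name, None)   # Max-Age=0 or a past date deletes
            else:
                self.cookies[c.name] = c

    def close_browser(self) -> None:
        # Session cookies live in memory only: closing the browser drops them.
        self.cookies = {n: c for n, c in self.cookies.items() if not c.is_session}

    def advance(self, delta: timedelta) -> None:
        # Time passes; persistent cookies whose expiry date has arrived are purged.
        self.now += delta
        self.cookies = {n: c for n, c in self.cookies.items()
                        if c.expires is None or c.expires > self.now}

    def cookie_header(self) -> str:
        """The Cookie: header the browser would attach to its next request."""
        return "; ".join(f"{c.name}={c.value}" for c in self.cookies.values())


def audit_login_cookie(cookie: Cookie) -> list[str]:
    """List the attributes a login/session cookie is missing against hijacking."""
    problems = []
    if not cookie.secure:
        problems.append(f"{cookie.name}: no Secure flag, so it is sent over plain HTTP")
    if not cookie.http_only:
        problems.append(f"{cookie.name}: no HttpOnly flag, so page scripts can read it")
    return problems


def shopping_scenario() -> dict:
    """The clothes-shop example: cart in a session cookie, language in a persistent one."""
    t0 = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)         # constructed clock
    jar = CookieJar(t0)
    jar.receive([
        "cart=shirt,jeans,socks",                                    # session cookie
        "lang=en; Max-Age=31536000",                                 # persists one year
        "sessionid=abc123; Secure; HttpOnly",                        # session, hardened
        "remember_me=tok987; Expires=Sat, 01 Mar 2025 12:00:00 GMT; Secure; HttpOnly",
    ])
    first_visit = jar.cookie_header()
    jar.close_browser()                  # session cookies are gone
    jar.advance(timedelta(weeks=2))      # two weeks later, persistent ones remain
    return {"first_visit": first_visit, "return_visit": jar.cookie_header(),
            "remaining": sorted(jar.cookies)}
```

Running shopping_scenario() shows the cart and the bare session ID disappearing when the browser closes, while the language preference and the "remember me" token are still sent two weeks later. Passing a cookie such as `sessionid=abc123` with no attributes to audit_login_cookie() lists both missing protections; the hardened form in the scenario passes cleanly.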
Legal and technical responses
- Browsers offer cookie controls: settings to block all cookies, third-party cookies, or specific sites.
- Some browsers, such as Safari and Firefox, already block or isolate third-party cookies by default; others still allow them unless the user changes the setting.
- Laws such as the EU's ePrivacy Directive (implemented in the UK as PECR), backed by the GDPR's rules on personal data, require websites to ask for consent before setting non-essential cookies. This is why most sites now show a cookie banner on first visit.
- Users can manually clear cookies at any time from the browser's settings.
Cookies vs cache
Two related ideas often confused:
- Cookies are small pieces of text that hold information about the user (state, preferences, IDs) and are sent back to the server with each request.
- The browser cache is a temporary store of downloaded resources (images, scripts, stylesheets) so they do not have to be downloaded again on the next visit.
Both improve the browsing experience, but they do different jobs. Mark schemes can ask for the difference.