There are many good uses of HTTP cookies, but they can also carry codes that cyber criminals can exploit. Image Credit: Gulf News


  • Know the threats lurking in those “tracking cookies” used by websites to track you.
  • It allows websites to collect information — such as your browsing habits, geo-location, device model and the pages you visit.
  • Know simple ways to disable cookies on Android | iOS devices.

When you visit a website, small codes upload themselves onto your browser, as a sort of viral infection that can kick into action when the right moment comes. As a rule, you have to give your “express permission” before the action triggered by these spaghetti of codes takes place.

They are called web “cookies”. They're legit to use. For starters, they're the favourite ammo of advertisers to propose ads to you, based on your browsing "signature". Spooked? Wait till we get to the more exciting part.

In theory, cookies help you — the user — remember information about your visit on that specific site, including log-in details.

It’s a rather simple, and useful, idea. The next time you visit the same site, cookies can make the experience easier — almost seamless, and often without the need to re-log in.

Cookies have been in existence for nearly 30 years. It all sounds innocuous. Even under the world’s strictest general data privacy rules, cookies are here to stay, presumably, with your express consent as a user.

Here’s what you need to know about web cookies:

What are they?

A “cookie” is a piece of code or data from a website stored within your web browser. The website can retrieve this code|data at a later time. In general, cookies are used to tell the server that users have returned to a particular website.

Are cookies bad?

The standalone data of a cookie is not inherently bad, nor a type of malware. 

How do cookies help?

In general, websites use HTTP (hypertext transfer protocol) cookies to streamline your web experiences. Without cookies, you'd have to login again after you leave a site — or rebuild your shopping cart if you accidentally close the page.

Cookies are an important a part of the internet experience. Like any tool available on the web, there are potential upsides and downsides.

Can cookies help get rid of ads?

It’s one of the helpful functionalities of cookies: they can be enabled to allow you to cut online advertising views — so you don't see the same ad over and over again.

Can cookies track you?

By definition, cookies can track any kind of data about users, such as:

> Search history (what you Googled earlier)

> Browser history (websites you previously visited)

> Your IP address

> Your on-site behaviour such as scrolling speed

> Where you clicked and where their mouse hovered.

Who invented browser cookies? How are cookies created?

Cookies inventor
Image Credit: Gulf News

Montulli's first cookie code had a file size limited to 4K. When he created HTTP cookies, his goal was to preserve privacy online. However, its wide use now has taken a totally different turn. Today, the programming languages PHP (Hypertext Preprocessor) and JavaScript are often used create, read, and delete cookies.

There's a high degree of certainty that advertisers use this tool to reach out to you right now.

Variants of Montulli's code are most probably installed on the machine you are using now, with untold billions of dollars in advertising money attached to it.


What are “tracking cookies”?

They track you as you browse the web. Not only that: they also allow websites to collect information like browsing habits, geographic location, device model and the pages you visit.

What are adware cookies?

Adware cookies are also known as tracking cookies. They're what gives a company [or code writer] the tool to propose ads to you based on your geolocation and surfing patterns.

Many companies who employ these files and other types of “adware” (some call them “spyware”) argue that they are being used for legitimate purposes.

Can cookies steal passwords?

Yes it is possible, if the “Forms Auth” cookie is not encrypted, someone could hack your cookie to give cyber criminals elevated privileges; or if SSL (secure sockets layer) is not required, they can copy your cookies.

Panda Security, a Madrid-based computer security firm, explains that by installing your cookies with hashed passwords into their web browser, cyber criminals can immediately access your account, with no login required. That's how a lot of social media accounts are compromised, sometimes with disastrous consequences.

Can cookies be used to steal your social media accounts?

Yes. Your cookies can be used to easily harvest social media, email and many other accounts. At the same time, cookies can be hijacked from your device and used to impersonate you.

How do hackers grab cookies?

Sometimes they can steal them directly from an insecure web server. If hackers can access your computer or your network, they can steal your cookies too.

Criminals also resort to more advanced techniques, like stealing information passing through public WiFi networks.

To hack your cookies, a hacker may sometimes use an extension called Firesheep. Panda Security explains that Firesheep (on Firefox) uses a technology to detect and copy cookies that are sent sent over a wireless network. As the extension discovers cookies, it creates a list on the hacker’s computer. They can then simply click on the cookies, and it logs into the website as the unsuspecting user.

How to avoid this? One is by installing an industry-standard malware solution, or a virtual private nework, or both.

20200819 computer hacker
To steal your cookies, a hacker may sometimes use an extension called Firesheep. Panda Security explains that Firesheep (on Firefox) uses a technology to detect and copy cookies that are sent sent over a wireless network. As the extension discovers cookies, it creates a list on the hacker’s computer. They can then simply click on the cookies, and it logs into the website as the unsuspecting user.

What does GDPR say about cookies?

As mentioned above, cyber criminals could potentially use the information from cookies to data-mine browsing history. One privacy concern is about what a website will do with your data that can be harmful to your privacy as an end-user.

The General Data Protection Regulation (GDPR) is a regulation in European Union law on data protection and privacy in the EU and the European Economic Area. It is considered the world’s toughest privacy and security law. It is a key component of EU privacy law and of human rights law, in particular Article 8 of the Charter of Fundamental Rights of the European Union.

Under the GDPR, cookies that are not strictly necessary for the basic function of your website must only be activated after end-users have given their “explicit consent” to the specific purpose of their operation and collection of personal data.

iPhone Cookies delete
CLEAR COOKIES FROM YOUR IPHONE | IPAD: [1] Open the Chrome app. [2] Tap More... > Settings [3] Privacy > Clear Browsing Data [4] Check Cookies, Site Data [5] Important: Uncheck the other items (or check if you’re sure about it). [6] > Clear Browsing Data > Done

How to delete your browsing data on Android phone | tablet:

Note: If you remove cookies, you'll be signed out of websites and your saved preferences could be deleted.

[1] On your smartphone or tablet, open the Chrome app.

[2] Tap More > Settings.

[3] > Privacy and security > Clear browsing data.

[4] > Choose a time range (i.e. like Last hour or All time).

[5] > Select the types of information you want to remove.

[6] > Clear data.

How to delete browsing data on desktop:

[1] On your computer, Open Chrome

[2] At the top right, click More.

[3] > Click History

[4] > Clear browsing data.

[5] Pull drop-down menu, select how much history you want to delete.

[6] Check the boxes for the info you want Chrome to clear, including “browsing history.”

[7] > Clear data.

Can I disable Facebook cookies?

A Wired article clarifies that Facebook does track you — even if you're not logged in. Its cookies don't expire when you sign out, but are altered to allow the site to keep tabs on your web activity.

Facebook clarified that cookies specific to a user's account are deleted when they log out of Facebook, so the company does not receive personally-identifiable cookie information when logged-out users browse the web. However, other cookies associated with the web browser remain active after log-out.

But you can stop Facebook tracking you on different browsers.

Here’s how:


Go to Preferences, then Privacy > "Remove individual cookies", underlined at the bottom of the tab. > Enter "Facebook" in the search bar — you'll see all the cookies used by Facebook. Select these and hit "Remove cookies".


Go to Preferences > "Under the Hood" on the left-hand tab. Under “Privacy" > "Content settings” > "Cookie and data exceptions" and add "".

Examples of web cookies:

These are some sample cookies and the roles they play.


The act cookie contains a unix timestamp value used to distinguish between two sessions for the same user, created at different times. The lifetime of this cookie is dependent on the status of the ‘keep me logged in’ checkbox.


The c_user cookie contains the user ID of the currently logged in user. The lifetime of this cookie is also dependent on the status of the ‘keep me logged in’ checkbox. By setting the ‘keep me logged in’ checkbox, the cookie expires after 90 days of inactivity. If the ‘keep me logged in’ checkbox is not set, the cookie is a session cookie and clears when the browser exits.


The datr cookie identifies the web browser used to log in to Facebook, independent of the user. This cookie plays a key role in Facebook’s security and site integrity features. Currently, the lifetime of the “datr” cookie is set at two years.


The presence cookie is a session cooking used to contain the user’s chat state, for example, which chat tabs are open. On Facebook, it expires when the browser session ends.


Facebook’s user policy states: “We also use cookies to store information that allows us to recover your account in the event that you forget your password or to require additional authentication if you tell us that your account has been hacked. This includes, for example, our "sb" and "dbln" cookies, which enable us to identify your browser securely.” This cookie expires in 2 years from the creation time.


The wd cookie is a session cookie that stores the browser window dimensions and is used by Facebook to optimise the rendering of the page. It expires in 1 week from the creation time.


This cookie contains multiple pieces of information:

[a] The first value is an up to two-digit number representing the session number.

[b] The second portion of the value is a session secret.

[c] The third, optional component is a ‘secure’ flag for if the user has enabled the secure browsing feature.

This cookie depends on the status of the ‘keep me logged in’ checkbox. Expires 3 months from the creation date (if “Remember Me” option is set) / or when the browser session ends if not set.


This cookie contains the display locale of the last logged-in user on this browser. This cookie appears to only be set after the user logs out. The locale cookie has a lifetime of one week.