What Are Browser Cookies and How Do They Work? (2026 Guide)
Learn what browser cookies are, how they track you, the difference between first-party and third-party cookies, and how to manage them.
Every time you accept a cookie banner, you're deciding how much of your browsing behaviour to share. Most people have no idea what they're agreeing to. Cookies are tiny text files — but they power everything from keeping you logged in to tracking you across the entire internet.
What Is a Browser Cookie?
A cookie is a small text file stored on your device by a website when you visit. It contains a name, a value, the domain it belongs to, an expiry date and a few flags (like Secure and HttpOnly).
Cookies are not executable code. They cannot run programs or install malware. They're plain data — nothing more, nothing less.
Their original purpose was to solve the 'stateless' problem of HTTP. Without cookies, websites would forget who you are with every single click.
How Cookies Work (Step by Step)
- You visit example.com.
- The server responds with a Set-Cookie header containing a session ID.
- Your browser saves the cookie.
- Every subsequent request to example.com automatically includes that cookie.
- The server reads the cookie and recognises you across page loads.
Types of Cookies
- Session cookie — deleted when the browser closes. Used for shopping carts and login sessions.
- Persistent cookie — stays until its expiry date. Used for 'remember me' logins and language preferences.
- First-party cookie — set by the site you're actually visiting. Generally fine and often necessary.
- Third-party cookie — set by a domain other than the one in the address bar (e.g. an ad network embedded in the page). These power cross-site tracking.
- Secure cookie — only sent over HTTPS connections.
- HttpOnly cookie — cannot be read by JavaScript, which protects against XSS attacks.
Third-Party Cookies and Advertising Tracking
A Facebook Like button or Google ad embedded on a site sets a cookie from that ad network's domain. As you visit other sites with the same tracker, the ad network builds a profile of your behaviour across the web.
Google has been gradually phasing out third-party cookies in Chrome (delayed multiple times since 2024) and is replacing them with the Privacy Sandbox. Safari and Firefox have blocked third-party cookies by default since 2020.
Are Cookies Dangerous?
On their own, no. A cookie is just a text file. The real risk is cookie hijacking — if an attacker can steal your session cookie via an XSS bug or unencrypted HTTP, they can impersonate you without ever knowing your password. That's exactly why Secure and HttpOnly flags exist.
See how unique your browser is and how easily you can be tracked even without cookies.
Open Browser FingerprintGDPR, Cookie Consent and the Law
Under the EU's GDPR and ePrivacy Directive, non-essential cookies (analytics, advertising, tracking) require explicit consent before being set. 'Essential' cookies — login sessions, shopping carts — don't require consent because the site cannot function without them.
That's why every website now has a cookie banner. The UK's PECR is similar; the US has no federal cookie law, but several states (notably California) have their own rules.
How to Manage and Clear Cookies
- Chrome — Settings → Privacy and Security → Clear Browsing Data → Cookies.
- Firefox — Settings → Privacy & Security → Cookies and Site Data → Clear Data.
- Safari — Settings → Privacy → Manage Website Data.
Clearing cookies will log you out of every site and may reset preferences. To block third-party cookies entirely, look for the equivalent option in your browser's privacy settings.
One important caveat: clearing cookies does not stop browser fingerprinting, which identifies you using your device's unique technical attributes.
Want to understand fingerprinting — the tracking method that works even without cookies?
Read: What Is Browser Fingerprinting?Frequently Asked Questions
Are browser cookies dangerous?
Cookies themselves are not dangerous — they're plain text files and cannot execute code. However, session cookies can be stolen via network attacks or XSS and used to hijack logged-in accounts.
What happens when I clear my cookies?
You'll be logged out of every website and many site-specific preferences will reset. Browser cache is separate, so clearing cookies alone won't affect performance noticeably.
Why do all websites now have cookie banners?
The EU's GDPR and ePrivacy Directive require websites to obtain user consent before placing non-essential cookies. The rules apply to any site accessible to EU residents, which is effectively all of them.
What is the difference between cookies and cache?
Cookies store small pieces of data about you and your session — login tokens, preferences. The cache stores copies of website files (images, HTML, CSS) to speed up future visits. Clearing cache improves performance; clearing cookies logs you out.
Do cookies slow down your browser?
Not meaningfully. Cookies are tiny. A huge accumulated number can add a marginal overhead to requests, but it's not a noticeable performance issue for normal users.