What are Internet cookies?
An Internet cookie is a tiny bit of data that a web server (the one hosting the website being visited) has “served” to the browser, so that the web server can identify this particular user/browser. Why is this necessary? It’s mainly because of the way basic HTTPS connections are structured. These are called “stateless” connections, which means that no information about the user is retained from one HTTPS request to the next. Here’s an example; you visit our website at oinkodomeo.com. Your browser makes the following request to our web server:
Our server serves the HTML for our home page. You are looking at our home page, and decide to click the ABOUT link to learn more about our company Oinkodomeo. Your browser reads the HTML on our home page to pick out the link you clicked, resolves that link, and makes the following request to our server:
Our server “serves” the HTML for that page to your browser, which renders it on your screen. Now here’s the important part; our server knows NOTHING about your previous request for our home page, it simply serves the page you asked for. In this case, that’s what stateless means, no “state” or relationship exists between our server and your browser from one request to the next. You might see how this is a problem when you are looking at a product for sale online, and then decide to make a purchase. You might go to several pages during the course of the transaction, and each has to know from the last what the transaction was about. That’s where cookies come in. They also help with analytics, and things like remarketing, where a sweater you looked at on Banana Republic’s site might appear in an ad on weather.com. eCommerce relies greatly on cookies to transact business and create a custom experience for each visitor.
How do cookies work?
What IS a cookie? It’s a small bit of data really that the server gives the browser to help the server remember who the browser (and the browser’s user) is. Let’s remember that the connection is technically stateless, so the server has to ask the browser for its cookie every time the browser makes another page request. This is very important for password-protected areas, every time you move to a new page behind the password wall, the server is challenging the browser for the server’s authentication cookie. Don’t do this, but if you were to clear your cookies while you were logged in to your WordPress admin, for example, the server would kick you out as soon as you tried to access another resource.
In the not so good old days most websites were hand-coded. When I wanted to serve a cookie I had to create that code myself in the programming language PHP, as well as the code to read it and act on it. I knew exactly what cookies my sites served. Today with sophisticated Content Management Systems like WordPress, we don’t have to code, we can usually find a plugin to do it for us. But that leads to a question, some plugins serve cookies to our visitors, but are not really forthcoming about whether or not they use them. Marketing Automation tools like Hubspot can serve cookies, as do ad trackers. Your site can be serving quite a few cookies that you may not know about.
So how do we really know what cookies our WordPress site is serving? Fortunately most modern browsers provide the tools to discover this. I’ll describe how to do it with Google Chrome, but Firefox and others also have tools.
Open Chrome, and flush the cache (click the three vertical dots top right corner, select History, then in the left sidebar click Clear Browsing Data. You might want to uncheck cookies, you probably need a few of those). Now do the following:
- Click the three dots again
- Select Settings
- Left sidebar, click Advanced, and down arrow to open the menu
- Select Privacy and Security
- Select Cookies and Site Data
- Select See All Cookies and Site Data
- Top right of the window, search for your website’s domain
- Click the site name to show the specific cookies that were served
Just from visiting our Oinkodomeo home page (you’ll want to visit all of them) I got the following:
“Locally stored data” means data your browser is storing on your computer or device, i.e. cookies. I know that the top two come from Google Analytics. The others were a mystery, we don’t have a plugin that uses “rb” as an identifier. With a bit of sleuthing I discovered that we were running a script that was being inserted into each page near the bottom, and this script served the cookies. We weren’t using it anymore, so I deleted that script.
If you run WordPress or other CMS with an advanced theme, that theme probably has a place where you can add code that you want inserted in the header or footer of each page. This service is usually found in the settings for the theme, and that’s where I found the code snippet serving the cookies. We weren’t using that service anymore, but the code snippet had never been removed. By removing the code I stopped our site from serving unnecessary cookies, and may have speeded up our page load because that script was no longer running. A win in two ways!
But we are still serving Google Analytics cookies, and we rely on Google Analytics to help us understand how our content is being used. We should notify our visitors that we are using cookies, and ask for their consent.
How do I get a cookie banner for my site?
New privacy laws like GDPR and CCPA require website owners to take a more pro-active approach to managing their visitor’s privacy, and to a certain extent ensuring that the data they do gather is kept securely. That’s a good thing. When we invest our visitors with control over their personally identifiable data, we ultimately create a more positive experience for them, and a better relationship.