SBN Internet Cookies: What Are They and Are They Good or Bad?

Cookies! I LOVE Cookies. Oatmeal raisin are one of my particular favorite flavors.

However, we’re not here to talk about baked goods as much as I’d love to. We’re here to talk about itty bitty little files stored on your local machine, also called cookies. We’ve often come across several users inquiring about what they are and so we’re here to help provide some clarity. Let’s dig in!

What Are Cookies and What Do They Do?

Cookies are small files (typically named cookie.txt) created and stored on your hard drive (C:WindowsCookies, e.g.) by the visiting website’s webserver when contacted by your browser.

There are actually several variants of website cookies that accomplish different things. For the purposes of this post, we’ll keep it broad to better explain. In future, we’ll expand on this topic during a Sucuri webinar.

Security Note: Only the website that creates the cookie can read it so that other web servers don’t have the ability to access your information/preferences.

You might be asking:

Why do websites use cookies anyway?

The short answer: to identify visitors and possibly prepare customized webpages or to save site login information for you.

Remember when you came back to Amazon to complete your shopping cart and saw your items still there?

That’s because eCommerce stores will use cookies to record any personal information you submit, as well as any items in your shopping cart. This prevents you having to resubmit them each time you navigate away and come back. This is what cookies do.

Is it Bad to Delete Cookies?

Bad? No, but it may impact your experience when browsing a site as it may not remember preferences such as: location, preferred language, etc, to help optimize your visit.

Having said that, you do have the ability to delete cookies using the guides below; organized by browser:

Can Cookies Do Harm?

If in the wrong hands, sure! Hackers can abuse cookies.

We actually wrote about a case of fake malicious cookies in which we detailed how an attacker stole active cookies, then pretended to be that user (hijacking that user’s session). Once done, they were able to perform any actions an administrator-type user has permissions to perform.

Imagine stealing the keys and ID of a Brinks truck driver and walking into a jewelry store to “transport” (read “steal”) valuables. Dangerous stuff.

Having said that, most online accounts will automatically log users out after a certain inactivity period. If you’re an administrator or someone with sensitive access, I would log out of sessions and clear your cookies regularly.

If you’re a website owner, we highly recommend frequent audit checks of your code to ensure an intrusion like this doesn’t impact your visitors. 

Should I Allow Cookies From All the Websites I Visit?

As mentioned before, allowing cookies can greatly improve the browsing experience through a site; especially one that you visit often. However, as data privacy continues to remain in the spotlight in the current online landscape, more and more sites are requesting consent to use. Especially since GDPR came into effect June 2018.

GDPR (General Data Protection Regulation)

Under GDPR, “all EU member states must treat cookies and other technical identifiers as personal data.” The basic premise is that companies must explicitly educate visitors on how they plan to use their data, on an opt-in basis.

As a result, cookie consent banners have begun to show up on just about every website to avoid those stiff GDPR penalties. For those unfamiliar, those penalties are as much as 4% of one’s global annual revenue, or €20 million, whichever is greater. So, if you have a website, you must be familiar with cookie consent banners.

Here is our GDPR cookie consent opt-in:

Sucuri's cookie consent opt-in
Sucuri’s cookie consent opt-in

To help those struggling to capture the benefits, we have compiled a short list describing the pros and cons of cookies:

Pros of Cookies:

  • Online Shopping Experience: Almost all eCommerce websites allow you to put items in a cart, leave the page, and return to resume shopping with your cart intact.
  • Form Submissions: Cookies can remember submitted information such as names and other fields on a form. It can save you valuable time when entering a live chat with your hosting support.
  • Personalization: Cookies can also help store language preferences and currency preferences as well.
  • Suggested Content: You can see this occur on shopping sites with a “Related Searches” feature. It relies on cookies to collect data, cross reference it with other users who have a similar profile, then make its recommendations.
  • Security Authentication: When entering a session, this allows web servers to know whether a user is logged in. If you don’t allow cookies, websites will never remember that you’re logged in.

Cons of Cookies:

  • Privacy: Most browsers are set to accept cookies by default. As a result, cookies are stored “invisibly” on your local machine every time you browse the internet. As a result, your browsing history and IP address become public knowledge.
  • Local Storage: These “little” website cookies are actual files stored on your hard drive. The more you visit, the more that is stored. As it builds over time, it can take up quite a bit of storage space on your computer/mobile device.
  • Unauthorized Data Collection:  Websites may sell the information collected from cookies to third parties or use it to hack into social networks or other online accounts.


As you can see, there are definitely great benefits in accepting website cookies. However, data privacy is a big topic within the current security landscape so don’t hesitate to do a regular purge of cookies from your web browsers with the guides listed above. If you would like to read more about infosec and website security, sign up to receive email notifications from our blog.

On that note, I think I’ll go ahead and purge the cookies from my kitchen pantry.

*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Victor Santoyo. Read the original post at: