Also known as a "network cookie," a website cookie is a small piece of data sent from a website that's usually stored in a user's web browser upon visiting a website. Cookies help save user preferences, enable specific website features, and continually track user interactions as they navigate.
There are five main types of network cookies:
Session cookies – These track a user's session on the domain and are promptly deleted once the user leaves the website or logs out. They have no set expiry date, which leads to automatic deletion once these conditions are met.
Persistent cookies – These remain stored in the browser for a wide-ranging and preconfigured period of time, which can range from days to years.
Authentication cookies – These help manage user sessions and ensure the correct sensitive, account-specific information is delivered to visitors as they interact.
Tracking cookies – These record user activity and send that information to external tracking services.
Zombie cookies – These cookies regenerate after being deleted and create backups of themselves in undefined storage locations. Zombie cookies are commonly leveraged by advertising networks and even attackers.
How do website cookies work?
When a user visits a website for the first time, the website typically presents them with a popup asking them to deny all cookies, accept all cookies, or more granularly tailor their cookie preferences.
When you hit "accept," that specific domain gains permission to download up to 50 cookies onto your machine, which cannot collectively exceed 4,093 bytes in size. Most web browsers enforce these limits to ensure compatibility and provide guardrails against excessive tracking (and greater storage requirements that accompany it). Plus, each HTTP request generates a cookie, which means websites must be more judicious with how they use cookies under those guidelines.
Like their culinary counterparts, cookies have a shelf life. They're updated and set with a certain expiration date, after which they're deleted and replaced by a newly created cookie. It's also not always easy to delete cookies. When a cookie's name grows too long, it can be trickier to delete. With the newest RFC 6265 specification, there's no maximum specified length of a network cookie's key or value size—and larger cookie sizes are supported.
Why are website cookies useful?
Cookies allow web developers to provide visitors with a more personalized experience. Because cookies leverage storage mechanisms, they can remember your logins and other session-based information derived from a user's unique behaviors. Websites use them to track user activity and serve content that improves user experiences. Cookies also boost security by enabling various authentication features.
However, with cookie storage comes risks. Since cookies essentially help "fingerprint" users and store personalized information about their habits and browsing environment, a cookie breach can threaten user privacy. Even ethically-collected cookies with limited scopes can identify web users. Some cookies are also generated by third parties, meaning they collect and store user information for another domain than the one you're currently accessing.
Does HAProxy leverage website cookies?
Yes! HAProxy will normally pass cookies between the clients and the backends. It's frequently configured to also set a session cookie to maintain session persistence. You can also configure HAProxy to modify or log cookies if desired. To better understand the various cookie settings HAProxy can implement, read our blog, How to Secure Cookies Using HAProxy Enterprise.
