Cookies, Fingerprinting, and Third-Party Requests

What Happens to You Online

Cookies were the original tracking mechanism, but fingerprinting and third-party requests have become more persistent and harder to block. This topic explains how each works technically and what the transition means for privacy.


The Cookie — From Useful Tool to Privacy Battleground


The HTTP cookie was invented in 1994 by Lou Montulli, an engineer at Netscape, to solve a practical problem: the web's underlying protocol, HTTP, is stateless — each request from a browser to a server is independent, with no memory of previous interactions. Without some mechanism to maintain state, websites could not keep users logged in, remember shopping cart contents, or personalise any experience at all.

Montulli's solution was elegant in its simplicity: the server would send a small piece of text to the browser, which the browser would store and return with every subsequent request to that domain. This piece of text — the cookie — could contain a session identifier that allowed the server to recognise a returning visitor.

The mechanism worked exactly as intended. It also created the infrastructure for tracking.

What a cookie is, technically

A cookie is a name/value pair stored by the browser and associated with a specific domain. A typical cookie looks like:

  session_id=a3f7b2c1; Domain=example.com; Path=/; Expires=Thu, 31 Dec 2026 23:59:59 GMT; Secure; HttpOnly

The attributes matter:

  • Domain specifies which domain can read the cookie. A cookie set for example.com is not sent to other.com.
  • Path restricts the cookie to specific URL paths within a domain.
  • Expires / Max-Age determines when the browser should delete the cookie. Session cookies (no expiry set) are deleted when the browser closes; persistent cookies survive browser restarts until their expiry date.
  • Secure flag means the cookie is only sent over HTTPS connections, not plain HTTP.
  • HttpOnly flag prevents JavaScript from reading the cookie, which reduces the risk of cross-site scripting attacks stealing session identifiers.
  • SameSite attribute controls whether the cookie is sent with cross-site requests — a critical attribute for both security and tracking.
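
The attributes above can be checked mechanically. The following is an added example, not part of the original material: it parses a Set-Cookie header value, classifies the cookie as session or persistent, and reports which protective attributes are missing. The function names, the fixed clock and the `uid` cookie are constructed for illustration; the first sample is the cookie shown above.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()  # bare flags map to ""
    return name.strip(), value.strip(), attrs

def lifetime_of(attrs, now):  # returns 'session', 'persistent' or 'expired'
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        return "persistent" if int(attrs["max-age"]) > 0 else "expired"
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # treat a zone-less date as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return "persistent" if expires > now else "expired"
    return "session"  # no expiry set: deleted when the browser closes

def audit_cookie(header, now=None):
    """Return (name, lifetime, findings) for one Set-Cookie header value."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    lifetime = lifetime_of(attrs, now)
    samesite = attrs.get("samesite", "").lower()
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure: also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: readable by JavaScript")
    if not samesite:
        findings.append("no SameSite: cross-site sending left to the browser default")
    elif samesite == "none":
        findings.append("SameSite=None: sent with cross-site requests")
        if lifetime == "persistent":
            findings.append("persistent cross-site identifier: can link visits across sites")
    return name, lifetime, findings

NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for repeatable output
PAGE_COOKIE = ("session_id=a3f7b2c1; Domain=example.com; Path=/; "
               "Expires=Thu, 31 Dec 2026 23:59:59 GMT; Secure; HttpOnly")
TRACKER_COOKIE = "uid=constructed-1234; Max-Age=63072000; SameSite=None; Secure"  # constructed

if __name__ == "__main__":
    print(audit_cookie(PAGE_COOKIE, NOW), audit_cookie(TRACKER_COOKIE, NOW), sep="\n")
```
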

From session management to tracking

The same mechanism that allows a website to keep you logged in can also be used to track your activity across visits. An analytics provider sets a persistent cookie with a unique identifier when you first visit a site that embeds their script. On every subsequent visit — to that site, or to any other site that embeds the same script — your browser sends that identifier back. The analytics provider builds a record of every visit, across every participating site, attributed to that same identifier.

This is the fundamental mechanism behind most web analytics and advertising measurement as it existed from the late 1990s through the 2010s. It is also what regulators and browser vendors have spent the last decade trying to restrict.
