Talk:HTTP cookie


{{WikiProject banner shell|class=C|1=

{{WikiProject Politics|importance=mid}}

{{WikiProject Philosophy|importance=high|ethics=yes|social=yes}}

{{WikiProject Sociology|importance=high}}

{{WikiProject Law|importance=mid}}

{{WikiProject Computing|importance=Mid}}

{{WikiProject Internet|importance=high}}

{{WikiProject Computer Security|importance=high |computing-importance=mid}}

{{WikiProject Spoken Wikipedia}}

{{WikiProject Websites|importance=High}}

{{Etymology section}}

}}

{{Article history

|action1=PR

|action1date=14:03, 16 January 2006

|action1link=Wikipedia:Peer review/HTTP cookie/archive1

|action1result=reviewed

|action1oldid=35399308

|action2=FAC

|action2date=11:41, 28 January 2006

|action2link=Wikipedia:Featured article candidates/HTTP cookie

|action2result=promoted

|action2oldid=37070130

|action3=FAR

|action3date=04:36, 7 April 2009

|action3link=Wikipedia:Featured article review/HTTP cookie

|action3result=removed

|action3oldid=282271020

|action4=GAN

|action4link=/GA1

|action4date=23:45, 6 June 2011 (UTC)

|action4result=failed

|action4oldid=432875800

|maindate=May 8, 2006

|currentstatus=FFA

|topic=computing

}}

{{FOLDOC}}

{{Backwardscopy

|author = Surhone, L. M., Timpledon, M. T., & Marseken, S. F.

|year = 2010

|title = Online advertising: World Wide Web, interactive advertising, HTTP cookie

|org = Betascript Publishing

|comments = {{OCLC|709610692}}, {{ISBN|9786132026712}}.

|bot=LivingBot

}}

{{old move|date=16 October 2023|destination=Cookies|result=not moved|link=Special:Permalink/1181014915#Requested move 16 October 2023}}

{{archives|banner=yes}}

{{merged-from|Cookiejacking|February 2019}}

"Alternatives to cookies" should be split out into a separate article

The section "Alternatives to cookies" lists various identifiers and cache records stored by the client (and metadata like IP). These things can be used for tracking (one application of cookies), but they don't actually substitute for cookies in general. Also, this list is missing a few entries, like:

: - favicon cache:

:: https://arstechnica.com/information-technology/2021/02/new-browser-tracking-hack-works-even-when-you-flush-caches-or-go-incognito/

: - HSTS tracking, see

:: https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-browser-dilemma-how-hsts-supercookies-make-you-choose-between-privacy-or-security/

:: https://webkit.org/blog/8146/protecting-against-hsts-abuse/

: - redirect tracking, see

:: https://digiday.com/marketing/wtf-what-is-redirect-tracking/

Also see:

https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Redirect_tracking_protection#what_data_is_cleared

Semi-protected edit request on 3 April 2025

{{edit semi-protected|HTTP cookie|answered=yes}}

In the Browser fingerprint paragraph, it would be nice to specify that "While the collection of fingerprinting data occurs client-side, the analysis and identification of users based on this data are performed server-side." Please, see the resource here: https://www.researchgate.net/publication/365268626_A_Survey_of_Browser_Fingerprint_Research_and_Application

Also, according to Wikipedia's Guidelines, an example could be done. Here is my attempt:

"A well-known application of browser fingerprinting is in online banking systems. This technology enables the creation of unique identifiers for customers' devices during the login phase to detect suspicious activities, such as attempts to access accounts from unrecognized or potentially fraudulent devices."

Thanks! Ate Keurentjes (talk) 08:41, 3 April 2025 (UTC)

:Not done: According to the page's protection level you should be able to edit the page yourself. If you seem to be unable to, please reopen the request with further details. twisted. (user | talk | contribs) 14:37, 14 April 2025 (UTC)

"Created by a web server" in the first paragraph may not always be correct

Current first paragraph: "HTTP cookie [...] is a small block of data created by a web server while a user is browsing a website [...]"

Problem: "created by a web server" may not always be correct and could potentially be misleading, especially if it's in the first paragraph.

As mentioned later down in the article: "Although cookies are usually set by the web server, they can also be set by the client using a scripting language such as JavaScript".

That is, it may be more correct to say something along the lines of "usually created by a web server or browser-side script" ("usually", since we could in theory consider cases like manually adding a cookie to browser's SQLite database, or curl's cookies.txt file, etc.). UkuSormus (talk) 05:38, 10 April 2025 (UTC)

"user's web browser" vs. other types of client

Current first paragraph: "HTTP cookie [...] is a small block of data [...] placed on the user's computer or other device by the user's web browser [...]"

The current wording explicitly uses "user's web browser".

Should we consider non-browser clients such as curl to be mentioned in the article? (see, e.g., [https://curl.se/docs/http-cookies.html curl - HTTP cookies])

If so, should we also consider modifying the first paragraph to use something like "by the client, usually the user's web browser", or it could get too abstract for the intro? UkuSormus (talk) 05:40, 10 April 2025 (UTC)
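Added example, not written by any participant in this discussion: the two threads above mention hand-edited cookie stores such as curl's cookies.txt and non-browser clients. The sketch below parses a cookie jar in the tab-separated Netscape format that curl uses and builds the Cookie request header for a URL, showing that a client sends whatever is in its store regardless of who put it there. The sample jar is constructed, the function names are hypothetical, and the domain and path matching is simplified.

```javascript
// Constructed sample of a curl cookie jar (Netscape format, tab-separated).
// No server sent these; the file was written by hand for this example.
const SAMPLE_JAR = [
  "# Netscape HTTP Cookie File",
  "example.com\tFALSE\t/\tFALSE\t0\ttheme\tdark",
  "#HttpOnly_.example.com\tTRUE\t/account\tTRUE\t4102444800\tsid\tabc123",
  "",
].join("\n");

// Parse one jar into records. Fields: domain, include-subdomains flag,
// path, secure flag, expiry (Unix seconds, 0 = session), name, value.
function parseCookieJar(text) {
  const cookies = [];
  for (let line of text.split(/\r?\n/)) {
    let httpOnly = false;
    if (line.startsWith("#HttpOnly_")) {
      httpOnly = true; // curl marks HttpOnly cookies with this line prefix
      line = line.slice("#HttpOnly_".length);
    } else if (line.startsWith("#") || line.trim() === "") {
      continue; // comment or blank line
    }
    const f = line.split("\t");
    if (f.length !== 7) continue; // malformed line: skip rather than guess
    cookies.push({
      domain: f[0].replace(/^\./, "").toLowerCase(),
      includeSubdomains: f[1] === "TRUE",
      path: f[2], secure: f[3] === "TRUE",
      expires: Number(f[4]), httpOnly, name: f[5], value: f[6],
    });
  }
  return cookies;
}

// Build the Cookie request header a client would send for a URL.
function cookieHeaderFor(cookies, url, nowSeconds) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  return cookies.filter((c) => {
    const domainOk = host === c.domain ||
      (c.includeSubdomains && host.endsWith("." + c.domain));
    const pathOk = u.pathname === c.path || c.path === "/" ||
      u.pathname.startsWith(c.path.endsWith("/") ? c.path : c.path + "/");
    const fresh = c.expires === 0 || c.expires > nowSeconds;
    const schemeOk = !c.secure || u.protocol === "https:";
    return domainOk && pathOk && fresh && schemeOk;
  }).map((c) => `${c.name}=${c.value}`).join("; ");
}
```

The HttpOnly flag is parsed but plays no part in building the header: it only restricts script access in a browser, so a non-browser client sends the cookie all the same.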

New browser-side CookieStore API

In the current version of the article, only the document.cookie browser API is mentioned for manipulating cookies. Nowadays, there's also the new CookieStore API (see [https://developer.mozilla.org/en-US/docs/Web/API/CookieStore MDN]), supported by Chromium-based browsers and soon in Firefox. UkuSormus (talk) 05:41, 10 April 2025 (UTC)