the UNDERPASS_ »» On web cookies

Web cookies good/bad

The web is, historically, a stateless system. You visit one page by typing its address, and that page is delivered to your browser. You click a link and your browser uses the link address to request a different page. The concept is like a page in a book: you can turn to that page as often as you want, and the book itself is not altered by the fact that you've read it. Thus 'stateless'. Unlike books, video games are stateful. They need to keep track of the state of the game, and that state affects future events.

Cookies are small strings of data stored in a user's web browser during a visit to a website. The website's server then gets that same data back each time the user navigates to a page on that site. By doing this, the website can be more interactive, since it has a way of remembering the user's navigation during their visit, and can thus present the website in a unique state for that user. Web cookies work more like Chinese fortune cookies (a container with a small piece of information inside) than like the American round crunchy things they're often depicted as.

In 2018, EU lawmakers imposed a new set of regulations ("GDPR") on all websites accessible within Europe (so by extension, on all websites). This requires websites to ensure they obtain consent from users to use cookies when a page is displayed. In practice this doesn't work well, for an obvious reason. Web pages are fundamentally stateless. The concept of consent is stateful. It can be given or not given. ...So in order to identify whether a user has consented to cookies or refused them, each website needs to use... cookies.

Now in practice, there are exceptions in the regulations; a website that only uses essential cookies doesn't need to ask the user's permission. This website attempts to avoid using cookies entirely. But not everyone with a website is a lawyer, and very few people with websites have read through the GDPR.

The real reason cookie consent forms are so in-your-face

Everyone hates those popups that try to get your consent for cookies before you get to browse the content of a website in peace.

This isn't just websites trying to force you into accepting cookies for their own selfish reasons. It's because, chances are, cookies were already used in order to generate the content that has been loaded into your browser. This is because of how cookies work: they are carried in the HTTP headers exchanged between your browser and the web server (your browser sends its stored cookies with the request, and the server's response sets new ones). Cookies need to be established and stored before any visible page content loads.

Putting a cookie consent form in your face, obscuring other content, is really a good-faith effort to ask permission (forgiveness) after the fact, by pretending you haven't accessed the content that was generated using cookies yet, and then asking for your consent.

A little silly in a technical sense, but necessary, in order to overcome conflicting limitations of both the GDPR and the HTTP protocol.

How it REALLY works

Here's what's REALLY happening behind the scenes when you visit a typical mainstream website for the first time:

  1. You request a web page either by typing the URL you want, or by clicking a link (which populates your address bar with the link URL).
  2. Your browser looks up the destination web server and makes an HTTP request.
    - As part of this request, your browser also includes the contents of all cookies already stored in your browser for that website.
  3. The web server looks at the requested URL and your cookie data and begins to serve page content to your browser via HTTP.
  4. The server first sends the HTTP response headers. These contain new cookies your browser must store, and they precede transmission of the actual page content. Your browser receives and stores these cookies.
  5. After those pesky cookies are out of the way, the page content begins to be transmitted and rendered in your browser.
    - If the web page contains inline frames, these appear as boxes on the page that embed other (third-party) websites, like ads. Your browser then requests these pages and exchanges cookies in the same way as for the main website.
  6. Finally once the page content is parsed and rendered into your browser, JavaScript can be used to display a dialog box that says 'This site uses cookies. [Accept all] ? [Reject cookies] ?' This is obviously happening at a shallow level compared to the deeper stuff in the earlier steps. It's usually also happening after the fact. By the time the user sees this popup, the ads in the iframes have already loaded on the page.
  7. After you consent to or reject cookies, your browser makes another HTTP request to the web server indicating your choice. This causes a new cookie to be stored in your browser which is how your cookie consent or refusal is retained and associated with you.
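The seven steps above, and the earlier point that cookies are set in the response headers before any content is rendered, can be played through with a small simulation. This is an added example, not code from the original post: the host names, cookie names and the server's decisions are all constructed assumptions. It runs the first visit twice, once with a server that sets its tracking cookie and loads the ad iframe before the consent dialog appears (as the steps describe), and once with a consent-gated server that emits only the essential session cookie until the consent cookie says "accept".

```python
"""Simulation of a first visit: a browser cookie jar on one side, a first-party
site and a third-party ad server on the other. Constructed example; nothing
here is any real site's behaviour."""
import secrets


def parse_cookie_header(headers):
    """Server side (step 3): turn 'a=1; b=2' from the Cookie request header into a dict."""
    cookies = {}
    for pair in headers.get("Cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def parse_set_cookie(raw):
    """Browser side (step 4): split one Set-Cookie header into (name, value, attributes)."""
    parts = [p.strip() for p in raw.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # flags like HttpOnly have no value
    return name.strip(), value.strip(), attrs


class Browser:
    """Per-host cookie jar plus a timeline recording when each cookie was stored."""

    def __init__(self):
        self.jar = {}        # host -> {name: value}
        self.timeline = []   # (phase, host, cookie name)

    def fetch(self, server, path, phase):
        stored = self.jar.get(server.host, {})
        headers = {"Cookie": "; ".join(f"{k}={v}" for k, v in stored.items())} if stored else {}
        set_cookies, body = server.handle(path, headers)
        # Step 4: Set-Cookie headers are processed before the body is rendered.
        for raw in set_cookies:
            name, value, _ = parse_set_cookie(raw)
            self.jar.setdefault(server.host, {})[name] = value
            self.timeline.append((phase, server.host, name))
        return body


class AdServer:
    """Third party embedded in an iframe; it sets its own cookie on its own host."""

    def __init__(self, host):
        self.host = host

    def handle(self, path, headers):
        out = []
        if "adid" not in parse_cookie_header(headers):
            out.append(f"adid={secrets.token_hex(8)}; Path=/; Max-Age=31536000; Secure; SameSite=None")
        return out, "<html>ad</html>"


class SiteServer:
    """First-party server. consent_gated=True withholds the tracker cookie and the ad
    iframe until the consent cookie says 'accept' (assumed policy for this example)."""

    def __init__(self, host, consent_gated, ad_server):
        self.host, self.consent_gated, self.ad_server = host, consent_gated, ad_server

    def handle(self, path, headers):
        cookies = parse_cookie_header(headers)
        out = []
        if "sid" not in cookies:  # essential session cookie, set regardless of consent
            out.append(f"sid={secrets.token_hex(8)}; Path=/; HttpOnly; Secure; SameSite=Lax")
        if path.startswith("/consent?choice="):  # step 7: record the visitor's choice
            choice = path.partition("=")[2]
            cookies["consent"] = choice
            out.append(f"consent={choice}; Path=/; Max-Age=31536000; Secure; SameSite=Lax")
        allowed = (not self.consent_gated) or cookies.get("consent") == "accept"
        if allowed and "tracker" not in cookies:
            out.append(f"tracker={secrets.token_hex(8)}; Path=/; Max-Age=31536000; Secure; SameSite=Lax")
        body = "<html><p>content</p>"
        if allowed:
            body += f'<iframe src="https://{self.ad_server.host}/ad"></iframe>'
        return out, body + "</html>"


def first_visit(consent_gated, choice="reject"):
    """Run steps 1-7 once; report which cookies existed before the dialog of step 6."""
    ads = AdServer("ads.example.test")
    site = SiteServer("www.example.test", consent_gated, ads)
    browser = Browser()
    body = browser.fetch(site, "/", phase="page")            # steps 1-5
    if ads.host in body:                                      # step 5: embedded iframe
        browser.fetch(ads, "/ad", phase="iframe")
    before_dialog = {(host, name) for _, host, name in browser.timeline}  # step 6
    browser.fetch(site, f"/consent?choice={choice}", phase="consent")     # step 7
    return {"before_dialog": before_dialog, "final": browser.jar}


if __name__ == "__main__":
    for gated in (False, True):
        print("consent-gated" if gated else "as described", first_visit(gated)["before_dialog"])
```

In the ungated run the first-party tracker and the ad server's cookie are both in the jar before the dialog is shown, and a later "reject" cannot undo that. In the gated run only the session cookie exists at that point, which is the shape a site needs if the consent prompt is to mean anything.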

Here's a YouTube video I made on this conundrum a while back.

[Embedded YouTube video]

Notes

  1. While this website doesn't use cookies, it's likely that the embedded YouTube frame does. So for all practical purposes you're likely getting cookies. But there's no point asking your consent now, because, like every other page on the internet, the embedded content will have loaded already by the time the consent form would. Most cookie consent forms are more for lip-service after the fact than anything else. That's why you never get the option to refuse "essential" cookies: by the time your consent has been asked, the tracking data has already been stored in your browser. That goes directly against GDPR requirements, but given the limitations of the web, what alternative is there?
  2. The GDPR regulations are a great example of what happens when lawmakers don't understand what the hell they're doing, but think they do.
  3. A far more effective way to refuse cookies is to use your browser's incognito mode. Cookies will be stored in a temporary sandboxed environment to allow the website to retain its state while you're browsing it, but will then be cleared when you close the browser window at the end of your session.
  4. Cookies aren't the only way to track the state of a user's session within a website: a website could embed a unique code in each link on the page, and the web server could track the user's visit by seeing those unique codes in each page request. But that gets confusing when users share links on social media; the website would recognise the unique code assigned to you in the page address and suddenly think that everyone you shared the link with is also you. So cookies are better for uniquely identifying a user down to their web browser installation.
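Note 4 can be made concrete by implementing both schemes and running the link-sharing scenario against each. This is an added example, not code from the original post; the host, paths and the "vid" identifier are constructed assumptions. Alice visits a page, shares the link she is given, and Bob opens that link from his own browser. With a link-embedded token the server believes Bob is Alice; with a cookie the identity stays with Alice's browser and Bob gets a fresh one.

```python
"""Link-embedded visitor token versus cookie-bound visitor token.
Constructed example; no real site's mechanism is described."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class LinkTokenServer:
    """Identifies the visitor by a 'vid' query parameter written into every link."""

    def __init__(self):
        self.visits = {}  # vid -> list of paths requested

    def handle(self, url, cookie_header=""):
        parsed = urlparse(url)
        vid = parse_qs(parsed.query).get("vid", [None])[0] or secrets.token_hex(8)
        self.visits.setdefault(vid, []).append(parsed.path)
        # Every link on the page carries the id, so whoever follows the link brings it back.
        next_link = f"https://{parsed.netloc}/page2?{urlencode({'vid': vid})}"
        return vid, next_link, None  # no Set-Cookie needed


class CookieServer:
    """Identifies the visitor by a 'vid' cookie; the links themselves carry nothing."""

    def __init__(self):
        self.visits = {}

    def handle(self, url, cookie_header=""):
        cookies = dict(p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
        vid = cookies.get("vid") or secrets.token_hex(8)
        parsed = urlparse(url)
        self.visits.setdefault(vid, []).append(parsed.path)
        next_link = f"https://{parsed.netloc}/page2"
        set_cookie = f"vid={vid}; Path=/; HttpOnly; Secure; SameSite=Lax"
        return vid, next_link, set_cookie


def share_link_experiment(server):
    """Alice browses, follows her own link, then shares it with Bob, who opens it in his
    own browser. Returns (alice_recognised_on_second_request, bob_seen_as_alice)."""
    alice_jar, bob_jar = {}, {}

    def browse(jar, url):
        # Browser side: send stored cookies, store whatever Set-Cookie comes back.
        cookie_header = "; ".join(f"{k}={v}" for k, v in jar.items())
        vid, next_link, set_cookie = server.handle(url, cookie_header)
        if set_cookie:
            name, _, rest = set_cookie.partition("=")
            jar[name] = rest.split(";", 1)[0]
        return vid, next_link

    alice_id, shared_link = browse(alice_jar, "https://www.example.test/page1")
    alice_id_again, _ = browse(alice_jar, shared_link)   # Alice follows her own link
    bob_id, _ = browse(bob_jar, shared_link)             # Bob opens the link Alice shared
    return alice_id == alice_id_again, alice_id == bob_id


if __name__ == "__main__":
    print("link token:", share_link_experiment(LinkTokenServer()))
    print("cookie:    ", share_link_experiment(CookieServer()))
```

The same property that makes the link-token scheme confusing for shared links also makes it a leak: anything that records URLs (browser history, referrer headers, proxy or server logs) now holds the visitor identifier, whereas a cookie marked HttpOnly and Secure is only ever sent back to the issuing host over HTTPS.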