When a cookie is created during a website visit, it is stored:

A cookie is information that a website puts on a user's computer. Cookies store limited information from a web browser session on a given website that can then be retrieved in the future. They are also sometimes referred to as browser cookies, web cookies or internet cookies.

Cookies can be accessed by the browser user, the site a user is on or by a third party that might use the information for different purposes. Common use cases for cookies include session management, personalization and tracking.

Cookies first appeared in 1994 as part of the Netscape Navigator web browser. They helped the browser understand if a user had already visited a given website. Netscape developer Lou Montulli invented the initial cookie implementation. He was granted U.S. Patent No. 5,774,670A, with the description, "Persistent client state in a hypertext transfer protocol based client-server system."

Types of cookies

There are multiple types of cookies that run in modern web browsers. Different types of cookies have specific use cases to enable certain capabilities.

  • HTTP cookies. This is the overall category of computer cookies used with modern web browsers to enable specific capabilities. All the cookies in this list -- except for Flash cookies -- are forms of HTTP cookies.
  • Session cookies. A session cookie is only persistent while the user is navigating or visiting a given website.
  • Persistent cookies. Also sometimes referred to as permanent cookies, these persist for a configurable length of time or until a certain date that is set by the web server.
  • First-party cookies. Also known as SameSite cookies, the cookie and the information it contains are restricted to the same site on which it was set.
  • Third-party cookies. These cookies are not restricted to the initial site where the cookie was created. Third-party cookies enable entities other than the original site to access them for user tracking and personalization purposes.
  • Zombie cookies. This refers to a type of cookie that persists, even after the user attempts to delete it.
  • Flash cookies. These are not browser or HTTP cookies but, rather, a specific type of cookie that works with Adobe Flash. With the decline in the use of Flash, these cookies are no longer widely used.
  • Secure cookies. These are first- and third-party cookies that can only be sent over encrypted HTTPS connections.

Are cookies safe?

Cookies have been part of daily internet operations for decades and are generally safe. However, third-party cookies are sometimes seen as intrusive.

Third-party cookies enable entities to track user behavior in a way the user might not be aware of -- and they may infringe upon the user's privacy. Advertisers often use third-party cookies to track user activity to provide targeted ads to the user. This is a privacy concern for many who don't want to be tracked or have their browsing habits shared. Cookies that can identify users are now subject to General Data Protection Regulation and California Consumer Privacy Act regulations.


There is also the potential for threat actors to hijack third-party cookies. This would give them access to user information and enable them to launch other attacks. These attacks include session hijacking, cross-site scripting and cross-site request forgery.

Unsecured cookies can also be a potential security risk for users and website operators. An unsecured cookie is transmitted unencrypted over HTTP to the origin website or to a third party. If the information is something simple -- such as whether the user has visited the site before -- that's a minimal risk. But some sites may use cookies to store user information -- including personally identifiable information such as authentication credentials and payment card information. If that type of information is sent unencrypted, it can be intercepted and used by a criminal. A secure cookie only enables cookie information to be sent via HTTPS and does not have the same risk.
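The distinction above can be checked directly from a site's `Set-Cookie` response headers. The following is an added example, not code from the original page: it classifies each cookie as session or persistent and rates the risk of a missing `Secure` attribute. The sample headers are constructed, and the `SENSITIVE_HINTS` name heuristic is an assumption made for illustration.

```python
from http.cookies import SimpleCookie

# Assumed heuristic: cookie names containing these strings carry credentials.
SENSITIVE_HINTS = ("sess", "auth", "token")

# Constructed Set-Cookie header values, not captured from any real site.
SAMPLE_HEADERS = [
    "visited=1; Path=/",
    "sessionid=abc123; Path=/",
    "auth=tok-9f2; Path=/; Secure; SameSite=Strict; Max-Age=3600",
    "prefs=dark; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; SameSite=Lax",
]


def audit_set_cookie(header_value):
    """Classify one Set-Cookie header value and rate its transport risk."""
    parsed = SimpleCookie()
    parsed.load(header_value)
    if not parsed:
        raise ValueError(f"not a parseable Set-Cookie value: {header_value!r}")
    name, morsel = next(iter(parsed.items()))
    sensitive = any(hint in name.lower() for hint in SENSITIVE_HINTS)
    secure = bool(morsel["secure"])
    if secure:
        risk = "ok"      # only ever sent over HTTPS
    elif sensitive:
        risk = "high"    # credential-like value can travel in cleartext
    else:
        risk = "low"     # e.g. a "visited before" flag
    return {
        "name": name,
        # No Expires/Max-Age means the cookie lasts only for the browser session.
        "lifetime": "persistent" if morsel["expires"] or morsel["max-age"] else "session",
        "secure": secure,
        "samesite": morsel["samesite"] or None,
        "risk": risk,
    }


def audit_all(headers):
    """Audit every header and return the reports that need attention first."""
    reports = [audit_set_cookie(h) for h in headers]
    order = {"high": 0, "low": 1, "ok": 2}
    return sorted(reports, key=lambda r: order[r["risk"]])


if __name__ == "__main__":
    for report in audit_all(SAMPLE_HEADERS):
        print(report)
```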


How to manage cookies

Every major web browser has a set of controls to help users configure what types of cookies to accept and delete. Cookies can be managed via user preferences.

A cookie is a piece of data from a website that is stored within a web browser that the website can retrieve at a later time. Cookies are used to tell the server that users have returned to a particular website. When users return to a website, a cookie provides information and allows the site to display selected settings and targeted content.

Cookies also store information such as shopping cart contents, registration or login credentials, and user preferences. This is done so that when users revisit sites, any information that was provided in a previous session or any set preferences can be easily retrieved.

Advertisers use cookies to track user activity across sites so they can better target ads. While this particular practice is usually offered to provide a more personalized user experience, some people also view this as a privacy concern.

History

The cookie was created in 1994 by Lou Montulli of Netscape Communications to create a more seamless experience for people making commercial transactions online. The term "cookie" was derived from an earlier programming term, "magic cookie," which was a packet of data that programs kept unchanged even after it was sent and received several times.

Types of Cookies

Session cookie 

Session cookies are also known as transient cookies or per-session cookies. Session cookies store information while the user is visiting the website. These cookies are deleted once the user closes the session.

Persistent cookie 

Persistent cookies are stored for a specific length of time. These cookies remain on your device until they expire or are deleted. Persistent cookies are sometimes called tracking cookies because they are used to collect user information such as browsing habits and preferences.

First-party and third-party cookies 

First-party cookies are cookies set by websites that users directly visit. These cookies often store information that is relevant or related to the site, such as preferred settings or user location.

Third-party cookies are cookies that come alongside third-party content, such as embedded videos, ads, web banners, and scripts, on a website that users visit. Advertisers often use third-party cookies to track user behavior.

Supercookie 

Supercookies are similar to session cookies in that they also track user behavior and browsing history. However, they also have the ability to re-create user profiles, even after regular cookies have been deleted. Supercookies are also stored in different places than standard cookies. This makes detecting and removing them more difficult for the average user. Supercookies are sometimes called "zombie cookies" or "evercookies."

Flash cookie 

Flash cookies or "local shared objects" (LSOs) are data files that are stored on computers by websites that use Adobe® Flash®. Like browser cookies, Flash cookies can store user information in Flash applications. Flash cookies are sometimes used by sites as "backup" once the browser cookie is deleted.

Security and privacy risks

While cookies cannot carry or install malware onto computers, they can be exploited by cybercriminals for their malicious schemes. Notable cases are listed below:

  • In November 2010, the Koobface worm was observed searching for cookies related to Facebook and using the stolen credentials to log in to victims’ accounts.
  • In May 2011, an Internet Explorer® zero-day bug was exploited to hijack session cookies using social engineering tactics.
  • In July 2011, an attack on numerous e-commerce websites used malware that searches for internet caches, cookies, and browsing histories in order to steal login credentials and other data.

Cookies have long been viewed as having serious implications for user privacy. In 1996 and 1997, cookies were the topic of US Federal Trade Commission hearings. The Internet Engineering Task Force (IETF) formed a special working group to address the specifications of cookies. In February 1997, the IETF specified that third-party cookies were not allowed, or at least not enabled by default. This recommendation was superseded in October 2000. The newer standard in 2011 allows the use of third-party cookies, but users can choose to not accept them.

Other efforts to address possible privacy issues include the "Do Not Track" (DNT) header mechanism for browsers. Once enabled, the DNT header notifies websites that users do not want to be tracked and that any tracking or cross-site user tracking must be disabled. Mozilla Firefox® was the first browser to implement the feature, followed by Internet Explorer, Safari®, Opera, and Google Chrome™.

What should users do?

  • Tweak built-in browser settings to delete and manage cookies, or enable third-party cookie blocking.
  • Opt not to use cookies in websites (though this can limit functionality).

Related terms: Cache


When a cookie is created during a website visit, where is it stored?

The correct option is B) on the hard drive of the visitor's computer. When a user visits a website, a notification pops up asking for approval of cookies and after getting approved, those cookies are saved on the hard drive of the user's computer and help to provide a personalized user experience.

What data is stored in cookies?

Cookies can store a wide range of information, including personally identifiable information (such as your name, home address, email address, or telephone number).

How are cookies created?

Cookies are small files of information that a web server generates and sends to a web browser. Web browsers store the cookies they receive for a predetermined period of time, or for the length of a user's session on a website. They attach the relevant cookies to any future requests the user makes of the web server.
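The store-and-attach cycle described above, sketched from the browser's side as an added example (not code from the original page). `MiniJar` is a hypothetical toy: it matches on exact host only, honors `Max-Age` but not `Expires`, and ignores `Path` and `Domain`; the `shop.example` URLs used with it are constructed.

```python
import time
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class MiniJar:
    """Toy browser cookie store: exact-host matching only, no Path/Domain rules."""

    def __init__(self):
        self._store = {}  # (host, name) -> (value, secure, expires_at or None)

    def receive(self, url, set_cookie_value, now=None):
        """Store the cookie a server sent in a Set-Cookie response header."""
        now = time.time() if now is None else now
        host = urlsplit(url).hostname
        parsed = SimpleCookie()
        parsed.load(set_cookie_value)
        for name, morsel in parsed.items():
            max_age = morsel["max-age"]
            # No Max-Age: a session cookie, kept until the session ends.
            expires_at = now + int(max_age) if max_age else None
            self._store[(host, name)] = (morsel.value, bool(morsel["secure"]), expires_at)

    def cookie_header(self, url, now=None):
        """Build the Cookie request header the browser would attach for url."""
        now = time.time() if now is None else now
        target = urlsplit(url)
        pairs = []
        for (host, name), (value, secure, expires_at) in self._store.items():
            if host != target.hostname:
                continue  # set by a different site
            if secure and target.scheme != "https":
                continue  # Secure cookies never travel over plain HTTP
            if expires_at is not None and now >= expires_at:
                continue  # persistent cookie past its lifetime
            pairs.append(f"{name}={value}")
        return "; ".join(pairs)

    def end_session(self):
        """Closing the browser drops session cookies; persistent ones stay."""
        self._store = {k: v for k, v in self._store.items() if v[2] is not None}
```

Feeding it `sid=abc; Secure` and `theme=dark; Max-Age=60` from `https://shop.example/login` and then calling `cookie_header` for an `http://` URL on the same host returns only `theme=dark`, because the `Secure` cookie is withheld.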