Browser cookie

What is a browser cookie?

A browser cookie is a text file that websites create and maintain on a website visitor’s computer. Browser cookies are also known as HTTP cookies, web cookies, internet cookies, or simply cookies.

Within the text file, websites write and update information that helps them personalize the visitor’s experience. The actual information contained within the browser cookie file can vary from one website to another, and can include some or all of the following:

  • Authentication and session details – Users’ authentication and session details are hashed and saved in the cookie file, allowing the user to access the website without logging in every time. Note that authentication details are not credentials, but information that the website uses to identify the logged-in user.
  • Browsing information – Browsing information can contain historical information such as which pages the visitor visited, items added to a cart, and any details they used in forms such as name and e-mail address. Companies that own many websites may also use cookies to track activities across their different websites.
  • Advertising information – Some websites will also include third-party advertising cookies to show personalized adverts based on visitors’ browsing behaviors.

Why are browser cookies important on a WordPress website?

WordPress’ primary use of cookies is to authenticate and authorize users. Since WordPress is a stateless application, users send their cookies with every click. This simulates a user session and makes cookies an integral part of the process.

WordPress also uses cookies to personalize and facilitate the experience of visitors. WordPress plugins may also use WordPress cookies to personalize experiences and may even create their own.

Cookies get a bad reputation because they can be used to track users. This does not mean that they’re bad. For the most part, they are there to help users avoid having to re-enter the same information multiple times, saving time and frustration.

Data protection laws, most notably Europe’s GDPR (read GDPR and WordPress for more information on this particular set of compliance regulations), mandate that websites get consent from users regarding any data collection that may take place. Since the introduction of GDPR, websites, including WordPress websites, have used opt-in pop-ups that give users the option to opt in or out of any data collection, which would usually be handled through cookies.

How browser cookies work on WordPress

Generally, WordPress maintains two types of cookies, called session cookies and comments cookies. Each of these cookies serves a different purpose, which makes them quite different.

Session cookies

Session cookies are used for WordPress users who can log in to WordPress. Session cookies contain authentication information as well as admin area settings. These cookies expire after 48 hours.

Comments cookies

Comments cookies are created whenever someone writes a comment on a WordPress website. Comments cookies include details such as name, email address, and URL, allowing WordPress to automatically fill in these details whenever a comment is written. These cookies expire after 347 days.

Other cookies on WordPress websites

Plugins and analytics software such as Google Analytics may also use cookies to track user behavior, preferences, and settings, among other things. WordPress administrators need to be aware of the cookies their website generates and make sure consent is obtained to collect such information, especially if accepting users from EU countries.

How to keep cookies safe

Stolen cookies can be used to hijack sessions. For the most part, this is done by exploiting a Cross-Site Scripting (XSS) vulnerability on a website. Here, attackers inject malicious scripts which, when accessed, steal the user’s cookies. Risks of such attacks are higher when visiting untrustworthy websites, which may be more susceptible to such attacks.

Therefore, it is important to not click on suspicious links and avoid untrustworthy websites.

It is equally important to log out whenever you are done using WordPress, thereby terminating the session. This deletes the session cookies, which means there are no risks of someone stealing your cookies and hijacking your session. The only hindrance to this is that you have to type in the username and password to initiate a new session. However, if you use a password manager (highly recommended) this should not be an issue.
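On the site owner's side, one way to check exposure to the cookie theft described above is to audit the `Set-Cookie` headers a WordPress site sends. This is an added example, not code from this page or from WordPress: the cookie-name patterns are assumed WordPress defaults, the `HttpOnly` and `Secure` checks are standard cookie attributes not discussed above, and the sample headers are constructed.

```javascript
// Added example (not WordPress code). Cookie-name patterns are assumed WordPress
// defaults; the 48-hour limit is the session lifetime stated on this page.
const SESSION_RE = /^wordpress_(logged_in_|sec_)?[0-9a-f]{32}$/;
const COMMENT_RE = /^comment_author_(email_|url_)?[0-9a-f]{32}$/;
const SESSION_MAX_HOURS = 48;

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.includes("=") ? pair.indexOf("=") : pair.length;
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf("=");
    attrs[(i < 0 ? part : part.slice(0, i)).toLowerCase()] = i < 0 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Lifetime in hours; Max-Age wins over Expires, null means a browser-session cookie.
function lifetimeHours(attrs, now) {
  if (attrs["max-age"] !== undefined) return Number(attrs["max-age"]) / 3600;
  if (attrs.expires !== undefined) return (Date.parse(attrs.expires) - now) / 3600000;
  return null;
}

// Classify one header and list findings for session cookies.
function auditCookie(header, now = Date.now()) {
  const { name, attrs } = parseSetCookie(header);
  const kind = SESSION_RE.test(name) ? "session" : COMMENT_RE.test(name) ? "comment" : "other";
  const findings = [];
  if (kind === "session") {
    if (!attrs.httponly) findings.push("no HttpOnly: readable by injected script");
    if (!attrs.secure) findings.push("no Secure: sent over plain HTTP");
    const hours = lifetimeHours(attrs, now);
    if (hours !== null && hours > SESSION_MAX_HOURS)
      findings.push(`lifetime ${Math.round(hours)}h exceeds ${SESSION_MAX_HOURS}h`);
  }
  return { name, kind, findings };
}

// Constructed sample headers (hash and values are made up).
const H = "0123456789abcdef0123456789abcdef";
const samples = [
  `wordpress_logged_in_${H}=admin%7C1700000000%7Ctoken; path=/; secure; HttpOnly`,
  `wordpress_sec_${H}=admin%7C1700000000%7Ctoken; path=/wp-admin; Max-Age=1209600`,
  `comment_author_${H}=Jane; path=/; Max-Age=29980800`,
];
for (const h of samples) console.log(auditCookie(h));
```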
