{"id":54243,"date":"2025-09-02T07:44:25","date_gmt":"2025-09-02T11:44:25","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=54243"},"modified":"2025-09-02T08:22:00","modified_gmt":"2025-09-02T12:22:00","slug":"types-of-cookie-files-and-how-to-protect-them","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/types-of-cookie-files-and-how-to-protect-them\/54243\/","title":{"rendered":"Taking the biscuit: why hackers like cookies so much"},"content":{"rendered":"<p>Open any website, and the first thing you\u2019ll likely see is a pop-up notification about the use of cookies. You\u2019re usually given the option to accept all cookies, accept only necessary ones, or flatly reject them. Regardless of your choice, you probably won\u2019t notice a difference, and the notification disappears from the screen anyway.<\/p>\n<p>Today, we dive a little deeper into the cookie jar: what cookies are for, what types exist, how attackers can intercept them, what the risks are, and how to stay safe.<\/p>\n<h2>What are cookies?<\/h2>\n<p>When you visit a website, it sends a cookie to your browser. This is a small text file that contains data about you, your system, and the actions you\u2019ve taken on the site. Your browser stores this data on your device and sends it back to the server every time you return to that site. This simplifies your interaction with the site: you don\u2019t have to log in on every single page; sites remember your display settings; online stores keep items in your cart; streaming services know at which episode you stopped watching \u2014 the benefits are limitless.<\/p>\n<p>Cookies can store your login, password, security tokens, phone number, residential address, bank details, and session ID. Let\u2019s take a closer look at the session identifier.<\/p>\n<p>A <strong>session ID<\/strong> is a unique code assigned to each user when they sign in to a website. 
If a third party manages to intercept this code, the web server will see them as a legitimate user. Here\u2019s a simple analogy: imagine you can enter your office by means of an electronic pass with a unique code. If your pass is stolen, the thief \u2014 whether they look like you or not \u2014 can open any door you have access to without any trouble. Meanwhile, the security system will believe that it\u2019s you entering. Sounds like a scene from a crime TV show, doesn\u2019t it? The same thing happens online: if a hacker steals a cookie with your session ID, they can sign in to a website you were already signed in to, under your name, without needing to enter a username and password; sometimes they can even bypass two-factor authentication. In 2023, hackers stole all three of the YouTube channels of the famous tech blogger Linus Sebastian \u2013 \u201cLinus Tech Tips\u201d and two other Linus Media Group YouTube channels with tens of millions of subscribers \u2014 and this is exactly how they did it. We\u2019ve already <a href=\"https:\/\/www.kaspersky.com\/blog\/youtubers-takeovers\/48375\/\" target=\"_blank\" rel=\"noopener nofollow\">covered that case in detail<\/a>.<\/p>\n<h2>What types of cookies are there?<\/h2>\n<p>Now let\u2019s sort through the different cookie varieties. All cookies can be classified according to a number of characteristics.<\/p>\n<h4>By storage time<\/h4>\n<ul>\n<li><strong>Temporary, or session cookies. <\/strong>These are only used while you\u2019re on the website. They\u2019re deleted as soon as you leave. They\u2019re required for things like keeping you signed in as you navigate from page to page, or remembering your selected language and region.<\/li>\n<li><strong>Persistent cookies. <\/strong>These remain on your device after you leave the site. They spare you the need to accept or decline cookie policies every time you visit. 
They typically last for about a year.<\/li>\n<\/ul>\n<p>It\u2019s possible for session cookies to become persistent. For example, if you check a box like \u201cRemember me\u201d, \u201cSave settings\u201d, or some such on a website, the data will be saved in a persistent cookie.<\/p>\n<h4>By source<\/h4>\n<ul>\n<li><strong>First-party cookies. <\/strong>These are generated by the website itself. They allow the website to function properly and visitors to get a proper experience. They may also be used for analytics and marketing purposes.<\/li>\n<li><strong>Third-party cookies. <\/strong>These are collected by external services. They\u2019re used to display ads and collect advertising statistics, among other things. This category also includes cookies from analytics services like Google Analytics and social media platforms. These cookies store your sign-in credentials, allowing you to like a page or share content on social media with a single click.<\/li>\n<\/ul>\n<h4>By importance<\/h4>\n<ul>\n<li><strong>Required, or essential cookies. <\/strong>These support core website features, such as selling products on an e-commerce platform. In this case, each user has a personal account, and essential cookies store their login, password, and session ID.<\/li>\n<li><strong>Optional cookies. <\/strong>These are used to track user behavior and help tailor ads more precisely. Most optional cookies belong to external parties and don\u2019t affect your ability to use all of the site\u2019s features.<\/li>\n<\/ul>\n<h4>By storage technology<\/h4>\n<ul>\n<li>These cookies are stored in text files in the browser\u2019s standard storage. When you clear your browser data, they\u2019re deleted, and after that, the websites that sent them will no longer recognize you.<\/li>\n<li>There are two special subtypes: <strong>supercookies<\/strong> and <strong>evercookies<\/strong>, which store data in a non-standard way. 
Supercookies are embedded in website headers and stored in non-standard locations, which allows them to avoid being deleted by the browser\u2019s cleanup function. Evercookies can be restored using JavaScript even after being deleted. This means they can be used for persistent and difficult-to-control <a href=\"https:\/\/www.kaspersky.com\/blog\/web-beacons-explained-and-how-to-stop-them\/47281\/\" target=\"_blank\" rel=\"noopener nofollow\">user tracking<\/a>.<\/li>\n<\/ul>\n<p>The same cookie can fall into multiple categories: for example, most optional cookies are third-party, while required cookies include temporary ones responsible for the security of a specific browsing session. For more details on how and when all these types of cookies are used, <a href=\"https:\/\/securelist.com\/cookies-and-session-hijacking\/117390\/\" target=\"_blank\" rel=\"noopener\">read the full report on Securelist<\/a>.<\/p>\n<h2>How session IDs are stolen through session hijacking<\/h2>\n<p>Cookies that contain a session ID are the most tempting targets for hackers. Theft of a session ID is also known as <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/session-theft-session-hijacking\/\" target=\"_blank\" rel=\"noopener\">session hijacking<\/a>. Let\u2019s examine some of the most interesting and widespread methods.<\/p>\n<h4>Session sniffing<\/h4>\n<p>Session hijacking is possible by monitoring or \u201csniffing\u201d the internet traffic between the user and the website. This type of attack happens on websites that use the less secure <a href=\"https:\/\/en.wikipedia.org\/wiki\/HTTPS\" target=\"_blank\" rel=\"nofollow noopener\">HTTP<\/a> protocol instead of HTTPS. With HTTP, cookie files are transmitted in plain text within the headers of HTTP requests, meaning they\u2019re not encrypted. 
A malicious actor can easily intercept the traffic between you and the website you\u2019re on, and extract cookies.<\/p>\n<p>These attacks often occur on public Wi-Fi networks, especially if not protected by either the WPA2 or WPA3 protocols. For this reason, we <a href=\"https:\/\/www.kaspersky.com\/blog\/how-safe-is-wi-fi-in-paris\/51772\/\" target=\"_blank\" rel=\"noopener nofollow\">recommend<\/a> exercising extreme caution with public hotspots. It\u2019s much safer to use mobile data. If you\u2019re traveling abroad, it\u2019s a good idea to use the <a href=\"https:\/\/kasperskyesimstore.com\/?icid=gl_kdailyplacehold_acq_ona_smm__all_b2c_kdaily_wpplaceholder_sm-team_______8dead1012a676d5b\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky eSIM Store<\/a>.<\/p>\n<h4>Cross-site scripting (XSS)<\/h4>\n<p><a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/cross-site-scripting-xss\/\" target=\"_blank\" rel=\"noopener\">Cross-site scripting<\/a> consistently ranks among the top web-security vulnerabilities, and with good reason. This type of attack allows malicious actors to gain access to a site\u2019s data \u2014 including the cookie files that contain the coveted session IDs.<\/p>\n<p>Here\u2019s how it works: the attacker finds a vulnerability in the website\u2019s source code and injects a malicious script; that done, all that remains is for you to visit the infected page and you can kiss your cookies goodbye. The script gains full access to your cookies and sends them to the attacker.<\/p>\n<h4>Cross-site request forgery (CSRF\/XSRF)<\/h4>\n<p>Unlike other types of attacks, <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/cross-site-request-forgery-csrf-xsrf\/\" target=\"_blank\" rel=\"noopener\">cross-site request forgery<\/a> exploits the trust relationship between a website and your browser. 
An attacker tricks an authenticated user\u2019s browser into performing an unintended action without their knowledge, such as changing a password or deleting data like uploaded videos.<\/p>\n<p>For this type of attack, the threat actor creates a web page or email containing a malicious link, HTML code, or a script with a request to the vulnerable website. Simply opening the page or email, or clicking the link, is enough for the browser to automatically send the malicious request to the target site. All of your cookies for that site will be attached to the request. Believing that it was you who requested, say, the password change or channel deletion, the site will carry out the attackers\u2019 request on your behalf.<\/p>\n<p>That\u2019s why we recommend not opening links received from strangers, and installing <a href=\"https:\/\/www.kaspersky.com\/password-manager?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Password Manager<\/a>, which can alert you to malicious links or scripts.<\/p>\n<h4>Predictable session IDs<\/h4>\n<p>Sometimes, attackers don\u2019t need to use complex schemes \u2014 they can simply guess the session ID. On some websites, session IDs are generated by predictable algorithms, and might contain information like your IP address plus an easily reproducible sequence of characters.<\/p>\n<p>To pull off this kind of attack, hackers need to collect enough sample IDs, analyze them, and then figure out the generating algorithm to predict session IDs on their own.<\/p>\n<p>There are other ways to steal a session ID, such as <strong>session fixation<\/strong>, <strong>cookie tossing<\/strong>, and <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/man-in-the-middle-attack\/\" target=\"_blank\" rel=\"noopener\"><strong>man-in-the-middle (MitM)<\/strong><\/a> attacks. 
These methods are covered in our <a href=\"https:\/\/securelist.com\/cookies-and-session-hijacking\/117390\/\" target=\"_blank\" rel=\"noopener\">dedicated Securelist post<\/a>.<\/p>\n<h2>How to protect yourself from cookie thieves<\/h2>\n<p>A large part of the responsibility for cookie security lies with website developers. We provide tips for them in our <a href=\"https:\/\/securelist.com\/cookies-and-session-hijacking\/117390\/\" target=\"_blank\" rel=\"noopener\">full report on Securelist<\/a>.<\/p>\n<p>But there are some things we can all do to stay safe online.<\/p>\n<ul>\n<li><strong>Only enter personal data on websites that use the HTTPS protocol.<\/strong> If you see \u201cHTTP\u201d in the address bar, don\u2019t accept cookies or submit any sensitive information like logins, passwords, or credit card details.<\/li>\n<li><strong>Pay attention to browser alerts. <\/strong>If you see a warning about an invalid or suspicious security certificate when you visit a site, close the page immediately.<\/li>\n<li><strong>Update your browsers regularly or enable automatic updates.<\/strong> This helps protect you from known vulnerabilities.<\/li>\n<li><strong>Regularly clear browser cookies and cache.<\/strong> This prevents old, potentially leaked cookie files and session IDs from being exploited. Most browsers have a setting to automatically delete this data when you close them.<\/li>\n<li><strong>Don\u2019t follow suspicious links. <\/strong>This is especially true of links received from strangers in a messaging app or by email. 
If you have a hard time telling the difference between a legitimate link and a phishing one, install <a href=\"https:\/\/www.kaspersky.com\/premium?icid=gl_bb2023-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Premium<\/a>, which can alert you before you visit a malicious site.<\/li>\n<li><strong>Enable<\/strong> <a href=\"https:\/\/www.kaspersky.com\/blog\/best-authenticator-apps-2022\/43261\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>two-factor authentication<\/strong><\/a> <strong>(2FA) wherever possible.<\/strong> <a href=\"https:\/\/www.kaspersky.com\/password-manager?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Password Manager<\/a>\u00a0is a convenient way to store 2FA tokens and generate one-time codes. It syncs them across all your devices, which makes it much harder for an attacker to access your account after a session has ended \u2014 even if they steal your session ID.<\/li>\n<li><strong>Refuse to accept all cookies on all websites.<\/strong> Accepting every cookie from every site isn\u2019t the best strategy. Many websites now offer a choice between accepting all and accepting only essential cookies. Whenever possible, choose the \u201crequired\/essential cookies only\u201d option, as these are the ones the site needs to function properly.<\/li>\n<li><strong>Connect to<\/strong> <a href=\"https:\/\/www.kaspersky.com\/blog\/how-safe-is-wi-fi-in-paris\/51772\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>public Wi-Fi networks<\/strong><\/a> <strong>only as a last resort.<\/strong> They are often poorly secured, which attackers take advantage of. 
If you have to connect, avoid signing in to social media or messaging accounts, using online banking, or accessing any other services that require authentication.<\/li>\n<\/ul>\n<blockquote><p>Want to know even more about cookies? Read these articles:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-block-cookies-in-chrome-safari-firefox-edge\/43505\/\" target=\"_blank\" rel=\"noopener nofollow\">How to block cookies in your browser<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/mozilla-privacy-preserving-attribution-explained\/51997\/\" target=\"_blank\" rel=\"noopener nofollow\">Privacy-Preserving Attribution technology by Mozilla<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/rc3-fpmon-browser-fingerprinting\/38369\/\" target=\"_blank\" rel=\"noopener nofollow\">How to tell if a website is taking your (browser) fingerprints<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-control-your-cookies\/43303\/\" target=\"_blank\" rel=\"noopener nofollow\">How to control cookies: a real-world experiment<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/googerteller-sound-of-trackers\/51186\/\" target=\"_blank\" rel=\"noopener nofollow\">The sound of online trackers<\/a><\/li>\n<\/ul>\n<\/blockquote>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-generic\">\n","protected":false},"excerpt":{"rendered":"<p>We explain how cyberattackers intercept cookies, the role of the session ID, and how to keep your cookies from going over to the dark 
side.<\/p>\n","protected":false},"author":2747,"featured_media":54246,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1788,9],"tags":[810,1278,404,43,321,812,399],"class_list":{"0":"post-54243","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-privacy","8":"category-tips","9":"tag-ads","10":"tag-browsers","11":"tag-cookies","12":"tag-privacy","13":"tag-technology","14":"tag-tracking","15":"tag-websites"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/types-of-cookie-files-and-how-to-protect-them\/54243\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/types-of-cookie-files-and-how-to-protect-them\/29512\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/types-of-cookie-files-and-how-to-protect-them\/24616\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/types-of-cookie-files-and-how-to-protect-them\/12786\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/types-of-cookie-files-and-how-to-protect-them\/29443\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/types-of-cookie-files-and-how-to-protect-them\/28552\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/types-of-cookie-files-and-how-to-protect-them\/31382\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/types-of-cookie-files-and-how-to-protect-them\/30053\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/types-of-cookie-files-and-how-to-protect-them\/40395\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/types-of-cookie-files-and-how-to-protect-them\/13751\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/types-of-cookie-files-and-how-to-protect-them\/23140\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/types-of-cookie-files-and-how-to-protect-them\/32627\
/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/types-of-cookie-files-and-how-to-protect-them\/29623\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/types-of-cookie-files-and-how-to-protect-them\/35371\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/types-of-cookie-files-and-how-to-protect-them\/35000\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/privacy\/","name":"privacy"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/54243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2747"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=54243"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/54243\/revisions"}],"predecessor-version":[{"id":54251,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/54243\/revisions\/54251"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/54246"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=54243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=54243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=54243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}