Cookies are often referred to as text files. Even current data protection declarations propagate this myth. The truth is something else, as can be proven. Read on with the Cookie Conundrum: Separating Fact from Fiction.
Almost every privacy policy that refers to cookies describes cookies as text files. There you can read: “A cookie is a text file”. This statement could also be found in a privacy policy of a company I know. It was drawn up by a lawyer. How could he know any better, when even webmasters frequently have gaps in their knowledge here?.
What is a cookie?
In the past, cookies were typically or possibly always a text file. Each browser decides for itself how cookies are actually stored. In the past, many or possibly all browsers saved cookies as text files. However, this was pure coincidence, because there are numerous technical options for storing very small pieces of information, such as those for cookies. However, the theoretical size of a cookie is not the smallest.
Modern browsers store cookies differently now. For example, the Firefox browser for Windows uses a database. As database, Firefox chooses SQLite. SQLite is a file-based database.
How are cookies stored?
Sqlite stores, like any other classical SQL database, multiple data sets in a table. Several tables, on the other hand, form a database. A database is stored as a single file by Sqlite. But here too applies: A cookie is not a text file and also no file! The database is a file (mostly not a text file!), which again contains numerous cookies, but not in total, but only some information about them. Again, other information about cookies, which control the visibility, are stored in another database.
There is a whole range of such databases for Firefox. Here is an excerpt:
The database where cookies are stored has a file name cookies.sqlite. This is not a text file, but a binary file. Even if it were a text file: There is no cookie stored there, and all information about a cookie is also not stored! Often, multiple cookies are stored together in multiple files. In this case, a cookie (often) is distributed over several files.
The storage location can be opened in Firefox by entering about:support into the browser's address bar, pressing Enter and clicking on the “Open Folder” button (to the right of the label Profile folder)
Rather, the essential information on cookies is stored in the aforementioned database. These include:
- Name
- Value
- Domain
- Path
- Service life
- Flags such as HTTP yes/no, Secure yes/no, SameSite yes/no
Additional metadata are stored in other databases.
The cookie database contains entries such as the following:
As you can easily see, cookies are not text files.
Rather:
A cookie is a data set*.
A proper definition for cookies. Ideally, the purpose of the data set is added or executed on its own.
A quick spot check showed that every one of the (few) privacy policies I looked at was wrong about what cookies are. Remarkably, even providers of consent tools do not know what cookies really are. As I have shown, consent tools are unsuitable for creating privacy-compliant websites.
If you still want to claim that cookies are text files, please explain the following view from the alleged Firefox cookie text file:
The view appeared when opening the main file of the Firefox cookie database with the powerful editor Notepad++
Numerous characters, that cannot be displayed, can be recognized that are contained in one of the cookie database files. A text file is according to Wikipedia (and according to my healthy human understanding) a file that contains “representable characters”. The only exception is mentioned on Wikipedia as well: "These may be subdivided by control characters such as line and page breaks." The above view shows numerous characters that fall into none of these categories.
If one were to still call such files text files, every file would be a text file, which makes little sense. A file is also a form of storage that is determined by the browser. Nobody knows all the storage forms of all browsers. However, it is universally correct that a cookie is a data set or data storage or state storage, regardless of how each browser handles cookies. This results from the RFC 6265.
A cookie is not necessarily located in a file, but is often stored together with other cookies in several files (often not text files!).
Fact.
Cookies don't save files anyway, but data. A file has a name, is stored in a user-accessible file system in a directory and can be searched for via this file system as well as usually written to and read from. The data in cookies do not meet these criteria. See also the Wikipedia article on files. Cookies are rather somehow managed (how, that's up to the browser). I could even write my own browser which manages the cookies so that nobody except my browser sees the cookies that the browser manages.
It may help you to make a decision if you consider that the privacy policies of the following websites classify cookies as text files (as at: 18.01.2021):
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
