Cookie Scanner - Analyze Website Cookies | Internet Toolset

Cookie Scanner

Analyze websites for cookies and assess compliance.

Understanding Website Cookies

Cookies are small text files that websites store on your device to remember information about you. They're essential for modern web functionality but also raise privacy concerns.

Types of Cookies

Necessary Cookies

Purpose: Essential for website functionality

Examples: Session cookies, authentication tokens, security cookies, load balancing

Legal Requirement: No consent required (strictly necessary)

Common Names: PHPSESSID, JSESSIONID, csrf_token, sessionid

Analytics Cookies

Purpose: Track user behavior and website performance

Examples: Google Analytics, Matomo, Hotjar

Legal Requirement: Consent required

Common Names: _ga, _gid, _gat, __utma, _hjid

Marketing Cookies

Purpose: Track users across websites for advertising

Examples: Facebook Pixel, Google Ads, DoubleClick

Legal Requirement: Explicit consent required

Common Names: _fbp, _gcl_au, IDE, test_cookie

Functional Cookies

Purpose: Remember user preferences and settings

Examples: Language preferences, theme selection, shopping cart

Legal Requirement: Consent recommended

Common Names: lang, currency, theme, cart

Cookie Compliance Requirements

EU Cookie Law (ePrivacy Directive)

  • Obtain explicit consent before setting non-essential cookies
  • Provide clear information about cookie purposes
  • Allow users to reject cookies
  • Do not prevent access if users reject non-essential cookies
  • Keep records of consent

GDPR Requirements

  • Cookies that process personal data must comply with GDPR
  • Consent must be freely given, specific, informed, and unambiguous
  • Pre-ticked boxes are not valid consent
  • Users must be able to withdraw consent easily
  • Cookie walls (blocking access without consent) are generally not allowed

Cookie Security Attributes

Secure Flag

The Secure attribute ensures cookies are only transmitted over HTTPS, protecting them from interception. All cookies on HTTPS sites should use this flag.

HttpOnly Flag

The HttpOnly attribute prevents JavaScript from accessing the cookie, which limits cookie theft through XSS attacks. Authentication cookies should always use this flag.

SameSite Attribute

The SameSite attribute controls when cookies are sent with cross-site requests, protecting against CSRF attacks:

  • Strict: Cookie only sent on same-site requests
  • Lax: Cookie sent on same-site requests and on top-level navigation from other sites (such as following a link)
  • None: Cookie sent on all requests (requires Secure)
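
The three attribute checks described above, as an added example (not code from this tool or site): a small Python auditor for Set-Cookie header values. The function names, finding codes and sample headers are assumptions constructed for illustration; the session cookie names are taken from the "Necessary Cookies" list above.

```python
# Session cookie names listed on this page; these should never be readable by JavaScript.
SESSION_NAMES = {"phpsessid", "jsessionid", "sessionid"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attribute names are lower-cased."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_cookie(header, https=True):
    """Return (cookie name, list of finding codes) for one Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    samesite = attrs.get("samesite", "").lower()
    if https and "secure" not in attrs:
        findings.append("missing-secure")            # cookie may travel over plain HTTP
    if name.lower() in SESSION_NAMES and "httponly" not in attrs:
        findings.append("session-cookie-readable-by-js")
    if "samesite" not in attrs:
        findings.append("samesite-unset")            # behaviour then depends on browser defaults
    elif samesite not in ("strict", "lax", "none"):
        findings.append("samesite-invalid")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("samesite-none-without-secure")  # None requires Secure
    return name, findings

def audit_all(headers, https=True):
    """Audit several Set-Cookie values; returns {cookie name: findings}."""
    return dict(audit_cookie(h, https) for h in headers)

# Constructed sample headers (not captured from any real site).
SAMPLE = [
    "PHPSESSID=abc123; Path=/",
    "sessionid=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.1.1; Path=/; SameSite=None",
    "theme=dark; Secure; samesite=Sometimes",
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Feed it the Set-Cookie values from a response you are authorized to inspect, and pass https=False when auditing a plain-HTTP origin so the Secure check is skipped.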

How to Use This Tool

  1. Enter URL: Input the website URL you want to scan
  2. Run Scan: Click "Scan Cookies" to analyze the site
  3. Review Results: Examine cookies by category and security attributes
  4. Check Compliance: Verify consent mechanisms are in place for non-essential cookies
  5. Implement Changes: Add cookie consent banners if needed
  6. Document Cookies: Update your privacy policy with cookie information

Best Practices for Cookie Compliance

  • Cookie Banner: Implement a clear cookie consent banner
  • Granular Consent: Allow users to choose cookie categories
  • Cookie Policy: Provide detailed information about each cookie
  • Easy Opt-Out: Make it simple to withdraw consent
  • No Cookie Walls: Don't block access for users who reject cookies
  • Regular Audits: Scan your site regularly for new cookies
  • Third-Party Cookies: Document cookies set by third-party services
  • Consent Management Platform: Consider using tools like Cookiebot or OneTrust

Common Cookie Names and Purposes

| Cookie Name | Purpose | Category |
|---|---|---|
| _ga | Google Analytics - User identification | Analytics |
| _gid | Google Analytics - Session identification | Analytics |
| _fbp | Facebook Pixel - Track conversions | Marketing |
| PHPSESSID | PHP Session - Maintain user state | Necessary |
| csrf_token | Security - Prevent CSRF attacks | Necessary |
| IDE | Google DoubleClick - Ad targeting | Marketing |

Important Notes

  • This tool scans cookies set during initial page load
  • Some cookies may only appear after user interaction
  • Categorization is based on common patterns and may not be 100% accurate
  • Always verify cookie purposes with documentation

Cookie Compliance Penalties

GDPR: Up to €20 million or 4% of annual revenue

EU Cookie Law: Varies by country, up to €500,000 in some jurisdictions

CCPA: $2,500-$7,500 per violation