What are the 3 types of HTTP cookies? (2026 Guide)

By the Scrappey Research Team

An HTTP cookie is a small piece of data a website asks your browser to store and then send back on every later request to that site. Because plain HTTP has no memory between requests, cookies are how a site remembers who you are - keeping you logged in, holding your cart, or tracking you across pages. The three main types are session, persistent, and third-party cookies. This 2026 guide explains each one.

Quick facts

  • Session: Cleared when the browser closes
  • Persistent: Stored until an expiry date
  • Third-party: Set by another domain (tracking)
  • Key attributes: Secure, HttpOnly, SameSite
  • For scrapers: Persist cookies across requests

1. Session Cookies

A session cookie is temporary: it lives only while the browser is open and disappears the moment you close it. It is the right choice for short-lived state that should not stick around, like the fact that you are currently logged in.

Characteristics

  • Temporary storage in browser memory
  • Deleted automatically when browser closes
  • No expiration date set
  • Most secure by default
  • Cannot be accessed by other browser tabs

Implementation Example

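# Flask Session Cookie Example
from flask import Flask, session

app = Flask(__name__)
# The secret key signs the session cookie. Use a long random value loaded
# from configuration; the literal below is a placeholder only.
app.secret_key = 'your-secret-key'

@app.route('/login')
def login():
    # Flask stores this in a signed cookie with no expiry (a session cookie)
    session['user_id'] = '123'
    return 'Session cookie set'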

Common Use Cases

  • User authentication sessions
  • Shopping cart data
  • Form wizard progress
  • Temporary preferences
  • Server-side session tracking

2. Persistent Cookies

A persistent cookie is saved to disk and carries an explicit expiry date, so it survives closing the browser and restarting the computer. It stays until that date passes (which can be years away), letting a site remember you across visits.

Characteristics

  • Stored on user's disk
  • Survive browser restarts
  • Have specific expiration date
  • Can last for years
  • Accessible until expiration

Implementation Example

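// Setting a persistent cookie (the expiry must lie in the future; a past date deletes the cookie)
const expires = new Date(Date.now() + 365 * 24 * 60 * 60 * 1000).toUTCString();
document.cookie = `username=john; expires=${expires}; path=/`;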

// Reading persistent cookies
function getCookie(name) {
    const value = `; ${document.cookie}`;
    const parts = value.split(`; ${name}=`);
    if (parts.length === 2) return parts.pop().split(';').shift();
}

Common Use Cases

  • Remember me functionality
  • Language preferences
  • Theme settings
  • User tracking
  • Personalization features

3. Third-Party Cookies

A third-party cookie is set by a domain different from the site you are actually visiting - for example, an ad network or analytics service embedded in the page. Because the same outside domain can recognise you across many sites, these cookies are mainly used to track you across the web. Modern browsers increasingly block them, and privacy laws tightly restrict them.

Characteristics

  • Set by domains other than current website
  • Used for cross-site tracking
  • Often blocked by modern browsers
  • Subject to strict privacy laws
  • Require explicit user consent in many regions

Implementation Example

<!-- Third-party cookie from ad network -->
<script async src="https://ad-network.com/tracker.js"></script>

<!-- Google Analytics cookie setup -->
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
</script>

Common Use Cases

  • Advertising tracking
  • Analytics data collection
  • Social media widgets
  • Cross-site user tracking
  • Retargeting campaigns

Security Best Practices

Cookies often hold sensitive data like login sessions, so set them carefully. The flags below tell the browser how a cookie may be used.

1. Cookie Flags

Set-Cookie: sessionId=abc123; HttpOnly; Secure; SameSite=Strict

  • HttpOnly: Prevents JavaScript access
  • Secure: Only sent over HTTPS
  • SameSite: Controls cross-site behavior
  • Domain: Limits cookie scope
  • Path: Restricts cookie access path

In short: HttpOnly hides the cookie from page scripts so a cross-site scripting attack cannot steal it; Secure sends it only over HTTPS (encrypted) connections; and SameSite limits whether it travels on requests coming from other sites.
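
The flags above can be checked mechanically. The following is an added example, not code from the original guide: it parses `Set-Cookie` header values, classifies each cookie as session or persistent, and reports missing flags. The function names and the sample headers are constructed for illustration.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs).

    Attribute names are case-insensitive, so they are lower-cased;
    flag attributes such as HttpOnly map to True.
    """
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs

def lifetime(attrs):
    """'session' when neither Max-Age nor Expires is set, else 'persistent'."""
    return "persistent" if ("max-age" in attrs or "expires" in attrs) else "session"

def audit(header):
    """Return (lifetime, findings) for one Set-Cookie header value."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie")
    if "secure" not in attrs:
        findings.append("missing Secure: may be sent over plain HTTP")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("strict", "lax", "none"):
        findings.append("missing or invalid SameSite: browser default applies")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure; browsers such as Chrome reject the cookie")
    return lifetime(attrs), findings

# Constructed sample headers (not captured from any real site).
SAMPLES = [
    "sessionId=abc123; HttpOnly; Secure; SameSite=Strict",
    "username=john; Expires=Thu, 18 Dec 2030 12:00:00 GMT; Path=/",
    "track=xyz; Max-Age=31536000; SameSite=None",
]

if __name__ == "__main__":
    for h in SAMPLES:
        kind, problems = audit(h)
        print(f"{h.split('=')[0]}: {kind}; {problems or 'ok'}")
```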

2. Implementation Guidelines

# Secure cookie setting in Python/Flask
from flask import Flask, make_response

app = Flask(__name__)

@app.route('/set-cookie')
def set_secure_cookie():
    resp = make_response('Cookie set')
    resp.set_cookie(
        'user_id',
        'abc123',
        secure=True,
        httponly=True,
        samesite='Strict',
        max_age=3600  # 1 hour
    )
    return resp

3. Privacy Considerations

  • Implement cookie consent
  • Respect user preferences
  • Minimize data collection
  • Follow GDPR guidelines
  • Regular cookie cleanup

Debugging Tools

When cookies misbehave, inspect them from both sides: the browser (what the client stored) and the server (what it received).

1. Browser DevTools

// Console commands for cookie management
// List all cookies visible to scripts (HttpOnly cookies do not appear here)
console.log(document.cookie)

// Clear script-visible cookies set with path=/ by expiring them now
document.cookie.split(';').forEach(cookie => {
    document.cookie = cookie.replace(/^ +/, '').replace(/=.*/, '=;expires=' + new Date().toUTCString() + ';path=/');
});

2. Server-Side Inspection

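# Flask route to inspect cookies (development only: the response exposes
# session contents and request headers, including the Cookie header)
from flask import request, session

# `app` is the Flask application created in the session cookie example above
@app.route('/debug/cookies')
def debug_cookies():
    return {
        'cookies': dict(request.cookies),
        'session': dict(session),
        'headers': dict(request.headers)
    }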

Remember: Always handle cookies with security in mind and respect user privacy preferences. Stay updated with the latest browser policies and privacy regulations regarding cookie usage.

Frequently asked questions

Why do scrapers need to handle cookies?

Sites store login state, anti-bot clearance tokens, and session IDs in cookies. If your scraper drops them, you look like a brand-new visitor on every request, which often triggers blocks.

What is the difference between session and persistent cookies?

Session cookies live only until the browser (or session) ends; persistent cookies carry an expiry date and survive restarts. Anti-bot clearance is often a short-lived persistent cookie.

Are third-party cookies relevant to scraping?

Rarely for the actual data extraction, but they power tracking and some anti-bot vendors. Browsers are phasing them out, so depending on them is fragile.

Last updated: 2026-05-31