How do Third-Party "tracking cookies" work?
I have read this question here: How Do Internet Advertisers Use Third-Party Cookies? on how third-party tracking cookies work, but am still very confused. I don't understand how if I visit Website A (a normal website with ads) how Website B (an advertising website) can assign my computer an ID, and then figure out that I was on website A, and other websites after it that have its ads.
First, cookies are set and retrieved through HTTP headers. If your browser sends a request to http://example.com, then the response might come back with a header that says Set-Cookie: foo=bar
. Your browser stores this cookie, and on any subsequent requests to http://example.com, your browser will send foo=bar
in the Cookie
header. (Or at least until the cookie expires or is deleted.) The browser sends the foo=bar
cookie with any request to http://example.com, regardless of who initiated the request or what the context is. If http://example2.com contains the tag <img src="http://example.com/img.jpg">
, then the browser will send the cookie foo=bar
when it fetches http://example.com/img.jpg, even though http://example2.com is responsible for the request being sent.
So, if website A contains an ad that is served by website B, then website B can set a cookie in your browser. For example, maybe website A uses <iframe src="http://websiteB.com/ad.html></iframe>
to serve the ad from website B. Then when your browser goes to fetch http://websiteB.com/ad.html
, the response will come back with a Set-Cookie
header that sets a cookie with some unique random string. If website C also includes an ad from website B, then that unique cookie will be sent when the ad on website C is fetched from website B.
As far as how website B knows which actual website you're visiting, there are a variety of ways. In some cases, when the browser sends a request to one website, it tells the website which website you're coming from. So when the browser goes to fetch http://websiteB.com/ad.html
, it might include the HTTP header Referer: http://websiteA.com
that tells website B that the request was initiated by website A. Every time website B sees the unique random string that it assigned to you, it can check the Referer header to add to its log of where you've been. If website A is cooperating with website B, A can just directly tell B that you're coming from website A. For example, website A could include the ad from website B by using <iframe src="http://websiteB.com/ad.html?referer=websiteA.com">
, and then website B will see the referer in the query string.
Does that help? Are there particular parts of the answer you linked that don't make sense to you?