0

I am new to web dev. I don't think web dev is difficult. As long as you find a good explanation, things are crystal clear.

Unfortunately, most tutorials you come across are not doing a good job.

First-party cookies are very easy to understand.

I am having trouble understanding third-party cookies.

Why is it called third-party?

Who is the second party, which is being skipped here?

3
  • @David The two primarily involved in a situation are the website and me. A first-party cookie is a cookie set by the website. So a second-party cookie would be a cookie set by myself. And since there is no such thing, any cookies set by another party would be third-party cookies. Is this right? Commented Mar 2, 2022 at 15:38
  • @David Say I am on website A, 3rd party cookies are set by some website X. But is website X able to set cookie for website A? Commented Mar 2, 2022 at 15:41

1 Answer

3

There is indeed a "second party", but it's impossible for them to set any cookies.

In a web request, there are two main parties:

  • The HTTP server, operating the website, which makes a response
  • The HTTP client, usually your web browser, which makes a request

In the terminology of a transaction, the server is closest to a "seller", so is termed the "first party"; the client is closest to a "customer", so is the "second party".

A "third party" is anyone other than these two main parties; in terms of web requests, these are actually other HTTP servers which are indirectly involved in serving the page.

So:

  • A "first-party cookie" is one set by the server you contacted directly
  • A "second-party cookie" would be one set by your own browser; but there's no such thing, so the term is never used
  • A "third-party cookie" is one set by some other server, which served an image, script, etc on the page

The important thing to remember here is that these terms are relative to a particular transaction: all cookies are scoped to the server which set them, and a server can never set or read a cookie for a different domain. The distinction is about what gave them the opportunity to set or read the cookie: did you directly request a page from that server, or did a page you requested "incidentally" include some images, scripts, etc. from somewhere else?

For instance, stackoverflow.com supports loading avatar images directly from facebook.com; those image requests can set and read cookies for facebook.com, and when I load stackoverflow.com those are "third-party cookies" - the first party is stackoverflow.com, the second party is me, so facebook.com is a third party. If I load facebook.com directly, those same cookies will be first-party cookies. At no point can the server at facebook.com set or read cookies for stackoverflow.com, or any other domain; it only ever sets and reads its own set of cookies.

5
  • Say I am on website A, 3rd party cookies are those set by some website X. But how is website X able to set cookie for website A? Wouldn't it be bad for security if any website can freely set arbitrary cookies for any other website on my browser? What if some evil website sets cookies for my online-banking.com? Commented Mar 2, 2022 at 15:45
  • @Kid_Learning_C See the extra 2 paragraphs I've added at the end.
    – IMSoP
    Commented Mar 2, 2022 at 15:47
  • Thank you! This is exactly what I mean: As long as you find a good explanation, things are crystal clear. I wish all tutorials online can be this clear. Thank you! Commented Mar 2, 2022 at 15:50
  • 1
    The last paragraph is gold. Commented Mar 2, 2022 at 16:29
  • A follow-up question: Given websiteX.com, when I load the website in the browser, how do I know which other domains have integrated images, gifs, icons, etc. into the loaded webpage of websiteX.com? Of course I can open the dev console and check all the HTTP requests in the network section, but it is too much hassle and I wonder if there are any nice tools to just list these "integrated" domains for the user to see. Commented Mar 3, 2022 at 7:06
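
An added example (not part of the original question, answer or comments) that simulates the page load described in the answer: each response can only store cookies under its own domain, and whether a cookie counts as first- or third-party depends on the page being visited. The `site` shortcut, the host `tracker.example`, all function names and all cookie values are assumptions made for the illustration.

```javascript
// Assumption: "site" = last two host labels. Browsers really use the Public
// Suffix List, so this shortcut is wrong for hosts such as example.co.uk.
const site = (host) => host.split(".").slice(-2).join(".");
const hostOf = (url) => new URL(url).hostname;

// Party is relative to the page in the address bar, not a property of the cookie.
function party(pageUrl, requestUrl) {
  return site(hostOf(pageUrl)) === site(hostOf(requestUrl)) ? "first-party" : "third-party";
}

// RFC 6265 domain-match: a response may set a cookie only for its own host or
// a parent domain of it. (The public-suffix check is reduced to "has a dot".)
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  return d.includes(".") && (host === d || host.endsWith("." + d));
}

// Simulate one page load; jar maps cookie domain -> { name: value }.
function loadPage(jar, pageUrl, responses) {
  const log = [];
  for (const { url, setCookie = [] } of responses) {
    const host = hostOf(url);
    for (const header of setCookie) {
      const [pair, ...attrs] = header.split(";").map((s) => s.trim());
      const name = pair.slice(0, pair.indexOf("="));
      const domAttr = attrs.find((a) => /^domain=/i.test(a));
      const domain = (domAttr ? domAttr.slice(7) : host).replace(/^\./, "").toLowerCase();
      const accepted = domainMatches(host, domain);
      if (accepted) (jar[domain] = jar[domain] || {})[name] = pair.slice(name.length + 1);
      log.push({ setBy: host, domain, name, party: party(pageUrl, url), accepted });
    }
  }
  return log;
}

// Which other sites did the page pull resources from?
function thirdPartySites(pageUrl, responses) {
  const sites = responses.map((r) => r.url)
    .filter((u) => party(pageUrl, u) === "third-party").map((u) => site(hostOf(u)));
  return [...new Set(sites)].sort();
}

// Constructed sample traffic; tracker.example and all cookie values are made up.
const SAMPLE = [
  { url: "https://stackoverflow.com/questions/1", setCookie: ["session=a1"] },
  { url: "https://facebook.com/avatar.png", setCookie: ["fb_id=b2; Domain=facebook.com"] },
  { url: "https://tracker.example/pixel.gif", setCookie: ["id=c3; Domain=online-banking.com"] },
];
```

Calling `loadPage({}, "https://stackoverflow.com/questions/1", SAMPLE)` marks the facebook.com cookie as third-party and rejects the attempt to write into online-banking.com; loading the facebook.com response as the top-level page marks the same cookie as first-party.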
