150

I have read this question here: How Do Internet Advertisers Use Third-Party Cookies? on how third-party tracking cookies work, but am still very confused. I don't understand how if I visit Website A (a normal website with ads) how Website B (an advertising website) can assign my computer an ID, and then figure out that I was on website A, and other websites after it that have its ads.

1 Answer

317

First, cookies are set and retrieved through HTTP headers. If your browser sends a request to http://example.com, then the response might come back with a header that says Set-Cookie: foo=bar. Your browser stores this cookie, and on any subsequent requests to http://example.com, your browser will send foo=bar in the Cookie header. (Or at least until the cookie expires or is deleted.) The browser sends the foo=bar cookie with any request to http://example.com, regardless of who initiated the request or what the context is. If http://2.example contains the tag <img src="http://example.com/img.jpg">, then the browser will send the cookie foo=bar when it fetches http://example.com/img.jpg, even though http://2.example is responsible for the request being sent.

So, if website A contains an ad that is served by website B, then website B can set a cookie in your browser. For example, maybe website A uses <iframe src="http://websiteB.example/ad.html"></iframe> to serve the ad from website B. Then when your browser goes to fetch http://websiteB.example/ad.html, the response will come back with a Set-Cookie header that sets a cookie with some unique random string. If website C also includes an ad from website B, then that unique cookie will be sent when the ad on website C is fetched from website B.

As far as how website B knows which actual website you're visiting, there are a variety of ways. In some cases, when the browser sends a request to one website, it tells the website which website you're coming from. So when the browser goes to fetch http://websiteB.example/ad.html, it might include the HTTP header Referer: http://websiteA.example that tells website B that the request was initiated by website A. Every time website B sees the unique random string that it assigned to you, it can check the Referer header to add to its log of where you've been. If website A is cooperating with website B, A can just directly tell B that you're coming from website A. For example, website A could include the ad from website B by using <iframe src="http://websiteB.example/ad.html?referer=websiteA.example">, and then website B will see the referer in the query string.

7
  • 4
    Hi Emily :) Thanks very much for the detailed answer! I just have some questions: first, website A doesn't cooperate with site B, is there an alternate mechanism that lets website B know which site I'm coming from? Second, are there any other tools for third-party tracking apart from cookies?
    – mounaim
    Commented Jun 4, 2015 at 9:57
  • 6
    @mounaim: To your first question: If A does not cooperate with B, it wouldn't include any tracking code of B in its website. So tracking is logically impossible. To your second question: Yes, there are plenty of methods for tracking besides cookies. A good start for research might be EverCookie (samy.pl/evercookie). For instance, HTML5's localStorage can also be used to store and retrieve identifiers. Furthermore, it is also possible to do it covertly with browser fingerprinting (panopticlick.eff.org). If you want to know more, you can leave me a message to get plenty of material.
    – Thorben
    Commented Aug 14, 2015 at 21:32
  • 2
    @Thorben unless of course your browser uses the Referrer HTTP header.
    – nhooyr
    Commented Sep 7, 2015 at 1:41
  • 1
    @aubble It's true. Referrers can reveal the last visited site. However, in the context of tracking, website A would still need to include a link to website B. Hence, placing a link to website B on website A is kind of a cooperation. When looking at advertising networks etc. that might depend on the point of view.
    – Thorben
    Commented Sep 7, 2015 at 17:21
  • > For example, maybe website A uses <iframe src="websiteB.com/ad.html"></iframe> to serve the ad from website B. Then when your browser goes to fetch websiteB.com/ad.html, the response will come back with a Set-Cookie header that sets a cookie with some unique random string

    Website B will set in cookies with some unique random string. I'm wondering which domain it will set this "shared" domain?
    – truongnm
    Commented Feb 3, 2020 at 9:29
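
The flow described in the answer above, as an added example that is not part of the original answer or its comments: a network-free JavaScript simulation in which a browser's per-host cookie jar plus the Referer header lets the ad host link visits to two sites, and in which blocking third-party cookies breaks that link. The host websiteC.example, the `uid` cookie name and the `blockThirdPartyCookies` switch are assumptions made for the example.

```javascript
// Constructed simulation: no network traffic, placeholder hostnames only.
class Browser {
  constructor({ blockThirdPartyCookies = false } = {}) {
    this.jar = new Map(); // host -> cookie, keyed by the host that set it
    this.blockThirdPartyCookies = blockThirdPartyCookies;
  }
  // Load a page and fetch every resource it embeds (such as the ad iframe).
  visit(pageHost, embeddedHosts, servers) {
    for (const host of embeddedHosts) {
      const thirdParty = host !== pageHost;
      const cookiesAllowed = !(thirdParty && this.blockThirdPartyCookies);
      const headers = { Referer: `http://${pageHost}` };
      // The cookie goes to the host that set it, whichever page embeds it.
      if (cookiesAllowed && this.jar.has(host)) headers.Cookie = this.jar.get(host);
      const response = servers[host](headers);
      if (cookiesAllowed && response['Set-Cookie']) {
        this.jar.set(host, response['Set-Cookie']);
      }
    }
  }
}

// Website B: assigns an ID on first contact, then logs the Referer per ID.
function makeAdServer() {
  const profiles = new Map(); // uid -> list of referring sites
  function handle(headers) {
    const match = /(?:^|;\s*)uid=([^;]+)/.exec(headers.Cookie || '');
    let uid = match ? match[1] : null;
    const response = {};
    if (!uid) {
      uid = 'u' + Math.random().toString(36).slice(2); // simulation-grade ID
      response['Set-Cookie'] = `uid=${uid}`;
    }
    if (!profiles.has(uid)) profiles.set(uid, []);
    profiles.get(uid).push(headers.Referer);
    return response;
  }
  return { handle, profiles };
}

// Visit sites A and C, both embedding B's ad; return B's per-ID visit logs.
function simulate(blockThirdPartyCookies) {
  const ad = makeAdServer();
  const browser = new Browser({ blockThirdPartyCookies });
  const servers = { 'websiteB.example': ad.handle };
  browser.visit('websiteA.example', ['websiteB.example'], servers);
  browser.visit('websiteC.example', ['websiteB.example'], servers);
  return [...ad.profiles.values()];
}

console.log('third-party cookies allowed:', simulate(false));
console.log('third-party cookies blocked:', simulate(true));
```

With cookies allowed, website B ends up with one ID whose log lists both sites; with third-party cookies blocked, each visit looks like a new visitor, although the Referer header still tells B which site embedded each request.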
