142

I have read this question here: How Do Internet Advertisers Use Third-Party Cookies? on how third-party tracking cookies work, but am still very confused. I don't understand how if I visit Website A (a normal website with ads) how Website B (an advertising website) can assign my computer an ID, and then figure out that I was on website A, and other websites after it that have its ads.

Community
  • 1
  • 1
JosephG
  • 3,111
  • 6
  • 33
  • 56

1 Answers1

302

First, cookies are set and retrieved through HTTP headers. If your browser sends a request to http://example.com, then the response might come back with a header that says Set-Cookie: foo=bar. Your browser stores this cookie, and on any subsequent requests to http://example.com, your browser will send foo=bar in the Cookie header. (Or at least until the cookie expires or is deleted.) The browser sends the foo=bar cookie with any request to http://example.com, regardless of who initiated the request or what the context is. If http://2.example contains the tag <img src="http://example.com/img.jpg">, then the browser will send the cookie foo=bar when it fetches http://example.com/img.jpg, even though http://2.example is responsible for the request being sent.

So, if website A contains an ad that is served by website B, then website B can set a cookie in your browser. For example, maybe website A uses <iframe src="http://websiteB.example/ad.html></iframe> to serve the ad from website B. Then when your browser goes to fetch http://websiteB.example/ad.html, the response will come back with a Set-Cookie header that sets a cookie with some unique random string. If website C also includes an ad from website B, then that unique cookie will be sent when the ad on website C is fetched from website B.

As far as how website B knows which actual website you're visiting, there are a variety of ways. In some cases, when the browser sends a request to one website, it tells the website which website you're coming from. So when the browser goes to fetch http://websiteB.example/ad.html, it might include the HTTP header Referer: http://websiteA.example that tells website B that the request was initiated by website A. Every time website B sees the unique random string that it assigned to you, it can check the Referer header to add to its log of where you've been. If website A is cooperating with website B, A can just directly tell B that you're coming from website A. For example, website A could include the ad from website B by using <iframe src="http://websiteB.example/ad.html?referer=websiteA.example">, and then website B will see the referer in the query string.

Stephen Ostermiller
  • 23,933
  • 14
  • 88
  • 109
Emily
  • 5,869
  • 1
  • 22
  • 15
  • 4
    Hi Emily :) Thanks very much for the detailed answer !! I have just some questions : first, website A doesn't cooperate with site B, is there an alternate mechanism that let website B which site I'm coming from ? Second, is there any other tools for third party tracking apart from cookies ? – mounaim Jun 04 '15 at 09:57
  • 6
    @mounaim: To your first question: If A does not cooperate with B, it wouldn't include any tracking code of B in its website. So tracking is logically impossible. To your second question: Yes, there are plenty of methods for tracking except cookies. A good start for research might be EverCookie http://samy.pl/evercookie/. For instance HTML5's localStorage can be also used to store and retrieve identifiers. Furthermore, it is also possible to do it covertly with browser fingerprinting https://panopticlick.eff.org/. If you want to know more, you can leave me a message to get plenty of material. – Thorben Aug 14 '15 at 21:32
  • 2
    @Thorben unless of course your browser uses the Referrer HTTP header. – nhooyr Sep 07 '15 at 01:41
  • 1
    @aubble It's true. Referrers can reveal the last visited site. However, in the context of tracking, website A would still need to include a link to website B. Hence, placing a link to website B on website A is kind of a cooperation. When looking at advertising networks etc. that might depend on the point of view. – Thorben Sep 07 '15 at 17:21
  • > For example, maybe website A uses – truongnm Feb 03 '20 at 09:29
  • Hi, Is this answer still relevant with third party cookie deprecated by major browsers? – Kay May 29 '21 at 14:41
  • Along with the referrer header, website B could see information regarding the context of the request with fetch metadata. Fetch metadata is supported by nearly all browsers. https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header – Liz Apr 13 '23 at 15:27