Let’s say you want to do some online shopping. You go to a web site, look at a few items, and put one into your shopping cart. If the web site couldn’t tell who you are from page to page, as soon as you click on “check out” your shopping cart would disappear. You would never be able to make a purchase, because there would be no way* for the web site to know that the person who asked for the shopping cart page is the same person who added the item to the cart.
Perhaps you aren’t buying anything today, but you are logging in to Facebook instead. Cookies are how Facebook matches you up to the person who logged in. This lets Facebook show you your updates, and only your updates.
Cookies can also be used to make your web browsing a little faster. Some web sites will show you a different version depending on your country. Small and medium-sized web sites look up your IP address’s country from a public online database, and this is a relatively slow process. (Plus, they have to pay if there are too many lookups in a day.) If the web site sets a cookie after the first lookup, it can keep track of your country and show you the right version without doing any more lookups.
Cookies are also frequently used when you fill out a form on the web or request information that’s in a database. One way to do this is with a query string: if you see a ? in the URL, a query string has been used. One problem with query strings is that not much information can be sent. A bigger problem is that users can guess at other query strings because they can see what’s being sent. If you fill out a form and see that the URL you go to is http://www.example.com/mypage?userid=1234, there’s nothing to stop you from changing that URL to http://www.example.com/mypage?userid=1235 and accessing that user’s information. This isn’t much of a problem if the request is for a product description or a blog post, but it can cause havoc in lots of other situations. Cookies solve that problem. A session cookie is stored in your browser’s memory and goes away when you close your browser; by using one, more information can be sent and it can be hidden a little better from snoopers.
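The difference between the two designs, as an added example that is not part of the original article: one handler trusts the userid in the URL, the other looks the user up from a random session id carried in a session cookie. The names `ACCOUNTS`, `SESSIONS`, `sid` and the three functions are assumptions made for illustration, and storing only a random id in the cookie is one common way to build this, not the only one.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: account pages keyed by user id.
ACCOUNTS = {"1234": "Alice's order history", "1235": "Bob's order history"}
SESSIONS = {}  # server-side table: random session id -> user id


def page_from_query_string(url):
    """Weak design: the server trusts whatever userid appears in the URL."""
    userid = parse_qs(urlsplit(url).query).get("userid", [""])[0]
    return ACCOUNTS.get(userid)


def log_in(userid):
    """Return a Set-Cookie value holding only an unguessable random id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = userid
    cookie = SimpleCookie()
    cookie["sid"] = sid                 # no Expires/Max-Age: a session cookie
    cookie["sid"]["httponly"] = True    # not readable by page scripts
    cookie["sid"]["secure"] = True      # only sent over HTTPS
    cookie["sid"]["samesite"] = "Lax"
    return cookie["sid"].OutputString()


def page_from_cookie(cookie_header, url):
    """Identity comes from the session table; url is deliberately unused."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    sid = jar["sid"].value if "sid" in jar else ""
    userid = SESSIONS.get(sid)
    if userid is None:
        return None                     # missing or unknown session id
    return ACCOUNTS[userid]             # a userid= in the URL changes nothing


if __name__ == "__main__":
    edited = "http://www.example.com/mypage?userid=1235"
    print(page_from_query_string(edited))      # another user's page
    header = log_in("1234").split(";")[0]      # what the browser sends back
    print(page_from_cookie(header, edited))    # still the logged-in user's page
```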
So much for the good side of cookies. Next up — when cookies go bad.
* Actually, there are ways, such as using a query string, matching up IP addresses, or a few other techniques. Although cookies have security issues, most of these methods are far less secure than cookies, or cause other problems for the user.