Internet cookies, also called web or browser cookies, are small data files a website stores in your browser. They are classified three ways: by source, by duration, and by purpose. Source means first party or third party. Duration means session or persistent. Purpose covers essential, analytics, and marketing.
Each classification answers a different question about the same cookie. Below, every type is broken down by source, duration, purpose, and the technical flags that control how a browser handles it.
What Is an Internet Cookie? (And Why There Are So Many "Types")
An internet cookie is a small text file a website's server sends to your browser using the Set-Cookie header. It lets the site remember state between requests: your login, your cart, or your language preference. The reason "types" seem to multiply is simple: the same cookie gets sorted along several independent axes at once. There are not dozens of distinct cookie technologies.
A cookie carries a name, a value, and a set of attributes that a browser reads to decide when to send it and to whom. Those attributes are Domain, Path, Expires, Max-Age, Secure, HttpOnly, and SameSite. The origin (who set it) and the lifespan (how long it lasts) come from those attributes. The purpose (why it exists) is a business classification layered on top, used by consent banners.
One unrelated confusion is worth clearing up early. "Internet cookie" and the baked good share only a name. The technology takes its name from "magic cookie," a computer science term for a small data token passed between programs, decades before consent banners existed.
The 3 Ways Cookies Are Classified: Source, Duration, and Purpose
Every cookie type you encounter falls under one of three classification axes, each answering a different question.
| Axis | What it answers | Types in this axis | Where it matters |
|---|---|---|---|
| By source | Who set it? | First-party, third-party | Tracking, browser blocking |
| By duration | How long does it last? | Session, persistent | Privacy, staying logged in |
| By purpose | What is it for? | Essential, functional, analytics, marketing | Consent requirements |
A fourth, technical dimension sits underneath all three. Security flags (Secure, HttpOnly, SameSite) control how a browser transmits any cookie, regardless of source, duration, or purpose. Purpose-based grouping is what your visitors see on a consent banner, organized into the cookie categories used there.
Cookie Types by Source: First-Party vs Third-Party
A first-party cookie is set by the domain shown in your browser's address bar. A third-party cookie is set by a different domain, usually an ad or analytics network embedded on that page. The distinction determines who can read the cookie and whether major browsers block it by default.
The same cookie's party status depends on which site you are visiting, not on anything inherent to the cookie itself. A cookie set by an analytics network is first-party on that network's own site and third-party everywhere it is embedded. I have seen this misread as a fixed property of the cookie; it is not. It is a relationship between the cookie's domain and the domain you are currently on.
First-Party Cookies
A first-party cookie is created directly by the website you are visiting. It keeps you logged in, remembers your language, and saves items in your cart. Because the setting domain matches the address bar, every major browser accepts first-party cookies by default and does not restrict them.
First-party cookies are also the more durable option as the industry moves away from cross-site tracking. Browsers that block third-party cookies still trust first-party ones, so sites are shifting session, login, and preference cookies to first-party wherever possible.
Third-Party Cookies
A third-party cookie is set by a domain other than the one in your address bar. Typically that domain is an advertising or analytics vendor whose script runs on the page. It reads your activity across every site that loads the same vendor's code, which is what lets an ad network build a cross-site profile.
Common third-party subtypes include tracking cookies, retargeting cookies, and analytics cookies. Tracking cookies record pages visited. Retargeting cookies re-serve ads for products you viewed. Analytics cookies measure traffic patterns for a vendor's dashboard.
Safari and Firefox block third-party cookies by default. Chrome has moved away from them through its Privacy Sandbox initiative. That shift is why third-party cookies are being phased out across the browser market.
Cookie Types by Duration: Session vs Persistent
A session cookie has no Expires or Max-Age attribute, so the browser deletes it when the browsing session ends. A persistent cookie carries one of those attributes and survives until that date or until you clear it manually. For a side-by-side on session vs persistent cookies, see the dedicated comparison.
Session Cookies
A session cookie has no Max-Age or Expires attribute at all. The browser, not the cookie, decides when the session ends. Closing the tab or browser normally ends it. Some browsers restore your session on restart, though. That can keep a "session" cookie alive longer than its name suggests. The rule is technical, not loose: no expiry attribute means "session."
Session cookies live in the browser's temporary memory rather than on the hard drive. They handle short-lived jobs: keeping you logged in mid-visit, holding your cart contents while you shop, and carrying form data across a multi-page checkout. They are the more privacy-friendly duration type, since nothing about that visit lingers once the session closes.
Persistent Cookies
A persistent cookie carries an Expires date or a Max-Age value. It survives across browser restarts until that time passes or you delete it manually. Expiration can range from a single day to several years, entirely at the setting site's discretion.
Persistent cookies remember things across visits: a "remember me" login, a dark-mode preference, a saved language, or an advertiser's record of your browsing habits. They also sit on your device between visits, which makes them the duration type most used for long-term tracking. That is a duration property, not a purpose one. A persistent cookie can be strictly functional, like a saved theme, or a marketing cookie, like ad retargeting, depending on who set it and why.
Cookie Types by Purpose: Essential, Functional, Analytics, and Marketing
A cookie's purpose determines whether a visitor's consent is legally required before it can be set. Essential cookies run without consent; functional, analytics, and marketing cookies generally need it.
| Category | What it does | Needs consent? |
|---|---|---|
| Strictly necessary / essential | Runs core site functions (cart, login, security) | No |
| Functional / preferences | Remembers choices like language or theme | Usually, outside strictly essential ones |
| Analytics / performance | Measures how visitors use the site | Yes |
| Marketing / advertising | Powers ads and retargeting | Yes |
Two smaller categories round out most consent banners: social media and unclassified. Social cookies embed share buttons and widgets. Unclassified cookies are ones a scanner detected but has not yet sorted.
Cookie Types by Security and Technical Behavior
Three attributes control how a browser transmits any cookie: Secure, HttpOnly, and SameSite. They sit apart from who set the cookie, how long it lasts, and why. These flags apply regardless of source, duration, or purpose.
Secure Cookies
A secure cookie carries the Secure flag, which tells the browser to send it only over an encrypted HTTPS connection. It is never transmitted over plain HTTP, except on localhost, which closes off a common eavesdropping path for attackers on the same network.
HttpOnly Cookies
An HttpOnly cookie carries the HttpOnly flag, which blocks client-side scripts, including JavaScript's document.cookie, from reading it. Session and authentication cookies should carry this flag by default, since it removes the main way a cross-site scripting (XSS) attack steals a login token.
SameSite Cookies (Strict, Lax, None)
The SameSite attribute, defined in MDN's SameSite reference, controls whether a cookie travels with cross-site requests, and it takes one of three values. Strict sends the cookie only when the request originates from its own site, the right setting for authentication or cart cookies. Lax also sends it when a visitor navigates to the site from elsewhere, useful for affiliate links. None sends the cookie on every request, including third-party embeds like ad tech or analytics, and browsers require the Secure flag whenever None is set.
Other Cookie Types You May Hear About
A handful of named cookie types come up often in privacy discussions. Each one overlaps with the source, duration, or purpose axes above rather than forming a new one.
Supercookies
A supercookie, per Wikipedia's HTTP cookie entry, is set with an origin of a top-level domain, such as .com, rather than a single site's domain. It can also use a public suffix, such as .co.uk. That broader scope lets it apply across many otherwise unrelated sites sharing the same suffix. It can interfere with requests to other websites, which is why supercookies are treated as a security risk rather than a normal tracking tool.
Zombie Cookies (Evercookies)
A zombie cookie stores backup copies of itself outside a browser's normal cookie storage, so it can recreate the original cookie after you delete it. Some sources use "zombie cookie," "evercookie," and even "supercookie" interchangeably. The precise technical definition of a supercookie is the top-level-domain origin described above; zombie cookies are the respawning behavior specifically. Ad networks, and in rarer cases attackers, have used this technique to keep tracking a visitor who thought they had cleared their cookies.
Flash Cookies (Local Shared Objects)
A Flash cookie, or Local Shared Object, stored data using Adobe Flash Player rather than the browser's own cookie jar. That let it survive a normal cookie deletion. Flash cookies are largely obsolete since Flash reached end of life, but they explain how early zombie-cookie techniques worked before browsers closed that gap.
Authentication and Tracking Cookies
An authentication cookie keeps you logged into an account after you enter your password once. It is typically first-party, persistent or session depending on "remember me" settings, and it should always carry the HttpOnly and Secure flags.
A tracking cookie is not a fourth axis of its own. It describes a third-party cookie's purpose: recording your activity so an ad or analytics network can build a profile. For the mechanics of how that tracking actually works across sites, see how cookies track you across sites.
How Many Types of Cookies Are There?
There is no single fixed number of cookie types. Sources count along different axes, then add the axes together. The practical answer is four widely cited types: first-party, third-party, session, and persistent. That list already mixes the source axis with the duration axis.
Layer in the purpose axis (essential, functional, analytics, marketing) and the technical flags (Secure, HttpOnly, SameSite). The same handful of cookies can then carry 10 or more labels, depending on which axis a source counts. The four most commonly cited types are these:
- First-party cookies (source axis)
- Third-party cookies (source axis)
- Session cookies (duration axis)
- Persistent cookies (duration axis)
Any single cookie sits on all three axes at once. A login cookie, for example, is typically first-party, persistent, and essential.
Which Types of Cookies Need Consent?
Whether a cookie needs consent depends on its purpose and necessity, not its source or duration. Strictly necessary cookies are exempt from consent under GDPR and the ePrivacy Directive; analytics, marketing, and most other non-essential cookies require it beforehand.
Under GDPR and the ePrivacy Directive, a site must tell visitors which cookies it uses and explain what each one does. It must get consent before setting anything beyond what is strictly necessary. The CCPA and similar US state laws take a different approach. They require disclosure and an opt-out for the sale or sharing of personal data, rather than a mandatory opt-in banner.
- Exempt from consent: strictly necessary/essential cookies (security, load balancing, basic cart function)
- Requires prior consent: functional cookies beyond the essential baseline, analytics cookies, marketing and advertising cookies
Ad-tech networks operating in Europe typically layer the IAB Transparency and Consent Framework (IAB TCF) on top of this. It standardizes how consent choices get communicated to advertising partners. For the legal detail behind these rules, see how cookie consent works and staying cookie compliant.
How Consently Detects and Sorts Every Type of Cookie
Consently scans your site and finds every cookie across every axis described above, whether first-party or third-party, session or persistent. It then automatically sorts each one into a category so you never have to classify them by hand.
Consently's automatic cookie scanning crawls your site on install and detects cookies, trackers, scripts, and iframes across every page. It then re-scans weekly so newly added tags do not go unnoticed. I have found this removes the manual audit step most site owners skip until an inspector or a client asks for it.
Cookie categorization takes over from there. Every detected cookie is auto-sorted into essential, analytics, advertising, social, or unclassified. Non-essential cookies stay blocked until a visitor consents. That scan result feeds directly into your consent banner and your cookie policy generator. The categories your visitors see always match what your site actually sets.
Start free and scan your site to see every cookie type it is actually setting.
FAQs
What are the four types of internet cookies?
The four most cited types are first-party, third-party, session, and persistent. These mix two different classification axes: first-party and third-party describe source, while session and persistent describe duration.
What is the difference between first-party and third-party cookies?
The difference is who sets the cookie relative to the site you are on. First-party cookies come from the domain in your address bar; third-party cookies come from an embedded domain. For a full side-by-side, see first-party vs third-party cookies, compared in depth.
Are session cookies safer than persistent cookies?
Session cookies leave less behind, since they clear when your browser session ends. Safety depends more on flags like Secure and HttpOnly, and on the cookie's purpose, than on duration alone. A persistent cookie with Secure and HttpOnly set can be safer than an unflagged session cookie.
Why are they called cookies?
The name comes from "magic cookie," a computer science term for a small data token passed between programs. That usage predates web cookies and consent banners by decades. The baked good shares only the name.
Which cookies should I block?
You can safely block non-essential cookies, including analytics and marketing cookies, without breaking a site. Blocking strictly necessary cookies can break core features like login or checkout, so those are the ones to leave alone.
Do all types of cookies track you?
No. Essential and first-party functional cookies exist to run the site, not to track you. Tracking is mainly a third-party, advertising-driven use, not a property every cookie shares.
What types of cookies are exempt from consent?
Strictly necessary cookies are exempt from consent under GDPR and the ePrivacy Directive. Many readings extend that exemption to first-party functional session cookies tied directly to a requested service. Everything else, including analytics and marketing cookies, generally needs consent first.
Are third-party cookies going away?
Safari and Firefox already block third-party cookies by default, and Chrome has shifted away from them through its Privacy Sandbox initiative. First-party cookies are not affected and remain the more durable option for logins and preferences going forward.

