Web Cookies Scanner

WebCookies.info provides a free audit of the web cookies used by a website. See how websites track user activities using web cookies, obtain an easy-to-understand cookie usage summary and find out about compliance with the new EU privacy law. No additional software installation is required.

Terms of the Service

The information on this web site should not be treated as legal advice. It is provided on an "as is" basis and without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality of the obtained information is with you.

What are web cookies?

In technical terms, a web cookie (RFC 6265) is a small piece of text that a website stores in your browser, in the background, while it is loading the page. In the HTTP protocol, the server uses the Set-Cookie header to set a cookie in the browser. The browser then returns the cookie using the Cookie header.

Cookies were introduced because websites handle thousands of clients at each moment and have no way to distinguish your network connection from the multitude of other users' connections. This would make any multi-step or transactional operation impossible. So on the first connection the website assigns you a random identifier (a cookie), which your browser returns with each future connection. This way the website can distinguish your connection from the others. This is just the simplest example; in reality cookies can be used for numerous other purposes that share the same goal: to uniquely identify a client to the website.

What types of cookies are used?

From a privacy and compliance point of view there are three main types of cookies:

An example of a session cookie:

Set-Cookie: sessionid=0c3ca1b85524d571454b2cf22c62fb34; httponly; Path=/

An example of a permanent cookie:

Set-Cookie: csrftoken=NUZeWttMIijbs7OQrVNm0k1pIknjLyPW; expires=Thu, 27-Feb-2014 22:55:03 GMT; Max-Age=31449600; Path=/

An example of a third-party cookie (being permanent at the same time):

Set-Cookie: GAD=KlSrB8sGvaGpI8EeouVto3eC8xRQxQsoYyQGGsWtkUF3QooKYGGQQee1HcsxSaGGQCGRNF5RY73SxAxgRoQSGEvyS8S8QnpHeGMXdKFRa1s-iFRKExFhsaGS8zV26rGnbiGSUigZ8D6_GvsSqPBBcYj7DnJCoGklQquU2Zq80l9QSG8.; Domain=hub.com.pl; Path=/; Expires=Wed, 30 Aug 2017 00:00:00 GMT
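
The distinction between the three examples above can be checked mechanically. The following is an added example, not code from WebCookies.info: it parses a Set-Cookie line, treats a cookie as permanent when Expires or Max-Age is present, and as third party when its domain does not domain-match the visited page's host. The page host www.example.com is constructed, and the domain comparison is a simplification that ignores the Public Suffix List.

```python
from dataclasses import dataclass

@dataclass
class CookieInfo:
    name: str
    persistent: bool    # Expires or Max-Age present; otherwise a session cookie
    third_party: bool   # cookie domain does not match the visited page's host
    http_only: bool
    secure: bool

def domain_match(host, domain):
    """RFC 6265 section 5.1.3 domain matching (IP addresses not handled)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def classify(header, page_host, response_host):
    """Classify one Set-Cookie line sent by response_host while page_host loads."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # Without a Domain attribute the cookie belongs to the host that set it.
    cookie_domain = attrs.get("domain") or response_host
    return CookieInfo(
        name=name,
        persistent="expires" in attrs or "max-age" in attrs,
        third_party=not domain_match(page_host, cookie_domain),
        http_only="httponly" in attrs,
        secure="secure" in attrs,
    )

# Headers from the page (GAD value shortened); host names are constructed.
PAGE_HOST = "www.example.com"
SAMPLES = [
    ("Set-Cookie: sessionid=0c3ca1b85524d571454b2cf22c62fb34; httponly; Path=/", PAGE_HOST),
    ("Set-Cookie: csrftoken=NUZeWttMIijbs7OQrVNm0k1pIknjLyPW; expires=Thu, 27-Feb-2014 "
     "22:55:03 GMT; Max-Age=31449600; Path=/", PAGE_HOST),
    ("Set-Cookie: GAD=shortened-value; Domain=hub.com.pl; Path=/; "
     "Expires=Wed, 30 Aug 2017 00:00:00 GMT", "hub.com.pl"),
]

def scan_samples():
    return [classify(h, PAGE_HOST, host) for h, host in SAMPLES]

if __name__ == "__main__": print(*scan_samples(), sep="\n")
```

None of the three sample cookies carries the Secure attribute, and only sessionid is marked HttpOnly; both show up in the returned fields.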

Why do people worry about web cookies?

There are two main reasons why people are concerned about web cookies:

  • End-users are concerned because they feel that cookies can be used to track their activities on the web (behavioral profiling). For example, if you search for "Camels" today on your favorite search engine, you might continue to see cigarette-related advertisements on other, unrelated websites for the next month or so. It's the profiling network that worked here and decided that you might be interested in cigarette ads. In more sophisticated, future schemes you might get a higher health insurance premium once the network becomes suspicious that you're a smoker :)
  • Because of these concerns, the European Union has enacted a new law regulating the storage of data on consumer devices. The scope of this directive is rather wide: it is not limited to classic HTTP cookies but covers any kind of data (see Evercookie below). As a result, if you are a website owner in Europe, you just became a "data controller" and as such should comply with a number of regulations related to cookies.

What about the "EU Cookie Directive"?

European Directive 2009/136/EC (more on Wikipedia and the Directive itself) has a much wider scope. It doesn't actually regulate "cookies" in the specific, technical sense. This is what the Directive says:

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

There's also a paragraph in the preamble (non-binding but setting context):

Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

As you can see, the Directive does not prohibit the use of cookies; it only requires that end-users are fully informed about their purpose and give their consent, the latter being quite a challenge if you actually try to implement it on real websites.

There was a lot of confusion and discussion about how this should actually be implemented. One of the first countries in the EU to enact this law at the national level was the United Kingdom, and its Information Commissioner's Office (ICO) decided to set a good example and for some time took a very literal approach, so to say, especially about the user's consent being "prior" to website display.

As a result, if you visited the ICO website during that period, part of it was covered by a rather annoying pop-up banner asking if you agree to receive a cookie. If you did, the banner would disappear, and your "yes" answer would of course be stored in a cookie. If you did not agree, you'd see the annoying pop-up on each page of ICO's website you browsed, because the website had no way to remember that you answered "no". Later on, ICO shifted its policy towards a more liberal interpretation.

I have a website - how can I comply with the EU directive?

For most websites in most EU countries it should be sufficient to provide clear, easy-to-read information on what cookies your site sets and what their purpose is (example on ICO website). To do that, you need to actually know what cookies your site sets, and this is where WebCookies.info helps a bit. You can scan your website and use the obtained results as a starting point to develop full documentation of the cookies used.

Note, however, that the road to the directive was long, bumpy (see NoCookieLaw) and full of rather complicated legal discussion (see Opinion 04/2012 on Cookie Consent Exemption) which is not always consistent with a technical understanding of how cookies work.

In addition to that, there's one Directive and 27 Member Countries in the European Union to implement it, and each country took a slightly different approach. As a result, these local implementations can differ substantially from each other. So if you need to be certain about your compliance with the laws in your jurisdiction, consult a technology lawyer.

Do you record all cookies that my website sets?

The short answer is: no. In some cases this service will not be able to see and record all cookies used by a website.

First, WebCookies.info will load the page as an anonymous user and will only receive cookies intended for such users. It's quite common (and it's actually good security practice) to set session cookies after the user has authenticated, and these cookies will not be recorded.

Second, a website can set different cookies on different pages. If you scan the main page and then some other part of the website, you may get different results. You need to understand the technology used to build different parts of your website to know which pages to test.

Third, we are currently recording only traditional cookies set using the HTTP Set-Cookie header. While this is what is most often meant by web cookies, remember that the Directive talks about "storing information", not only HTTP cookies. And there are some other ways to track users apart from cookies. Data can be stored in a similar way in other objects such as Flash cookies, HTML5 storage and other means collectively named Evercookie. Currently we do not support those alternative information stores.

Can I opt-out from tracking?

What is the WebCookies/1.0 agent?

This site uses a script that emulates a web browser to render the page for which people wanted to check the cookies. The script uses the following User-Agent string:

WebCookies/1.0 (+http://webcookies.info/faq/#agent)

The script does not crawl the whole website; it just fetches the single page entered by a user on the WebCookies.info main page. The script renders JavaScript and fetches images just like a standard browser, so you will see requests for JS, CSS and images.