HACKER Q&A
📣 sriku

What kinds of cookies are “required” for a website to function?


... apart from login cookies. Many sites which don't require you to log in ask for permission to store cookies "required for the site to function" and don't let you refuse them. What exactly do these cookies do? Would appreciate answers from folks who are site devs for any such websites.


  👤 johncoltrane Accepted Answer ✓
Putting opinions on cookies aside for a moment, session cookies, cookies that store the language chosen by the user, etc. are examples of what is usually considered "required cookies".

Now, the technical choices that lead to those things may not have been the wisest but the general thinking is that:

- the site is less functional without those cookies so requiring them ensures a common baseline for all users,

- they are used internally for things that are directly related to what the user is here for, so they are in a somewhat different league than all the cross-site targeting cookies everyone is concerned about, so they are less harmful.

But the truth is that saving to and reading from cookies is not an absolute requirement of building websites.


👤 jamessb
The answers to "What is the ‘strictly necessary’ exemption?" and "What activities are likely to meet the ‘strictly necessary’ exemption?" in this guidance FAQ give some clarification from the UK Information Commissioner's Office:

https://ico.org.uk/for-organisations/guide-to-pecr/guidance-...


👤 stepbeek
An example that springs to mind is a CSRF token [1]. One might use a session cookie so that the server can have a CSRF token on any forms. In this way we still require a session to be present even if the user doesn't have to log in.

1: https://portswigger.net/web-security/csrf/tokens
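
The pattern described in the comment above, as an added example that is not part of the original post: a visitor with no account gets a session cookie, and each form carries a CSRF token derived from that session. The cookie name `sid`, the HMAC-based derivation and all function names are assumptions made for this sketch.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed key for the example; a real deployment loads it from secret storage.
SERVER_KEY = secrets.token_bytes(32)


def new_anonymous_session() -> tuple[str, str]:
    """Return (session_id, Set-Cookie value) for a visitor who has no account."""
    session_id = secrets.token_urlsafe(32)
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True    # not readable from page scripts
    cookie["sid"]["secure"] = True      # only sent over HTTPS
    cookie["sid"]["samesite"] = "Lax"   # not sent on cross-site form POSTs
    cookie["sid"]["path"] = "/"
    return session_id, cookie["sid"].OutputString()


def csrf_token_for(session_id: str) -> str:
    """Derive the form token from the session id, so nothing is stored server-side."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def session_from_cookie_header(header: str | None) -> str | None:
    """Extract the sid value from a request's Cookie header, if present."""
    if not header:
        return None
    jar = SimpleCookie()
    jar.load(header)
    return jar["sid"].value if "sid" in jar else None


def is_valid_post(cookie_header: str | None, form_token: str | None) -> bool:
    """Accept a state-changing request only if the token matches the cookie's session."""
    session_id = session_from_cookie_header(cookie_header)
    if session_id is None or not form_token:
        return False  # cookie refused or stripped: the form cannot be verified
    expected = csrf_token_for(session_id)
    # Compare as bytes so a non-ASCII token is rejected instead of raising.
    return hmac.compare_digest(expected.encode(), form_token.encode())
```

Without the `sid` cookie the server has nothing to bind the token to, which is why a site built this way treats the cookie as required even for anonymous visitors.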


👤 bellttyler
Some folks have already mentioned this, but typically if a website has user login/signup, cookies are used to "identify" the user once logged in.

This enables the website's backend to know who is making the request for authentication/authorization purposes.


👤 onion2k
Literally none. All a cookie does is crowbar stateful data into a series of requests. You don't need that at all if you build something that's stateless.

👤 brudgers
What website?

Function how?

There are a lot of superfluous cookies because adding cookies is "best practice."

And frameworks make it easy.

And the added complexity makes programming mundane websites more interesting to the people condemned to doing so...inventing interesting problems makes people feel clever when cleverness is superfluous.


👤 Raed667
Besides the obvious login/session stuff, you can almost always find security-related cookies for things like CloudFlare, as well as preferences/features toggles.

👤 jolmg
A cookie to save your answer to the cookie prompt.