Web Cookies Scanner

Scan any website for HTTP cookies, Flash, HTML5 localStorage, sessionStorage cookies, also super-cookies and ever-cookies. Also includes privacy and SSL/TLS scan for free.

Terms of the Service

The information on this web site should not be treated as legal advice. It is provided on an "as is" basis and without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality of the obtained information is with you.

What are web cookies?

In technical terms web cookie (RFC 6265) is a small piece of text that a website stores on you browser, in the background, while it is loading the page. In HTTP protocol server uses Set-Cookie header to set cookie in a browser. The browser then sends the cookie back to the website using Cookie header.

Cookies were introduced because websites handle thousands of clients at each moment and have no way to distinguish your network connection from the multitude of other users' connections. This would make any multi-step or transactional operations impossible. So on the first connection website assigns you a random identifier (a cookie), which your browser reflects with each future connection. This way the website can distinguish your connection from the others. This is just the simplest example — in reality cookies can be used for numerous other purposes that share the same goal — uniquely identify a client to the website.

What types of cookies are used?

From privacy and compliance point of view there are three main types of cookies:

An example of a session cookie:

Set-Cookie: sessionid=0c3ca1b85524d571454b2cf22c62fb34; httponly; Path=/

An example of a permanent cookie:

Set-Cookie: csrftoken=NUZeWttMIijbs7OQrVNm0k1pIknjLyPW; expires=Thu, 27-Feb-2014 22:55:03 GMT; Max-Age=31449600; Path=/

An example of a third party cookie (and it's permanent at the same time):

Set-Cookie: GAD=0c3ca1b85524d571454b2cf22c62fb34; Domain=hub.com.pl; Path=/; Expires=Wed, 30 Aug 2017 00:00:00 GMT

Do I have to publish a cookies report for my website?

If your website or business is based in the European Union then yes. The extent of the information depends on the interpretation of the EU law, but in most cases this needs to be a list of cookies your website sets with a brief description of their purpose.

You can start with the cookies report provided by WebCookies.org and then add the informative and legal content specific to your website. British International Chamber of Commerce published a guidance document ICC UK Cookie guide that comes very handy for writing the legal part.

Why do people worry about web cookies?

There are two main reasons why people are concerned about web cookies:

What about the "EU Cookie Directive"

European Directive 2009/136/EC (more on Wikipedia and Directive itself) has much wider scope. It doesn't actually regulate "cookies" in specific, technical meaning. This is what the Directive says:

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
There's also paragraph in the preamble (non-binding but setting context):
Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

As you can see, the Directive does not prohibit use of cookies — it only requires that end-users are fully informed about their purpose and give their consent. With the latter being quite a challenge if you actually try to implement it in real websites.

There was a lot of confusion and discussions on how this should be actually implemented. One of the first countries in EU to enact this law on national level was United Kingdom, and their Information Commissioner's Office (ICO) decided to give a good example and for some time it presented a very literal approach, so to say, especially about the user's consent being "prior" to website display.

As result, if you visited ICO website at that period a part of it was covered by a rather annoying pop-up banner asking if you agree to receive a cookie. If you did, the banner would disappear — and your "yes" answer would be of course stored in a cookie. If you did not agree, you'd see the annoying pop-up on each page of ICO's website you'd browse, because the website has no way to remember that you answered "no". Later on ICO has reverted their policy towards a more liberal interpretation.

I have a website - how can I comply with the EU directive?

For most websites in most EU countries it should be sufficient to provide a clear, easy to read information on what cookies your site sets and what is their purpose (example on ICO website). To do that, you need to actually know what cookies sets — and this is where WebCookies.org helps a bit. You can scan your website and use the obtained results as a starting point to develop full documentation of cookies used.

Note however, that the road to the directive was long, bumpy (see NoCookieLaw) and full of rather complicated legal discussion (see Opinion 04/2012 on Cookie Consent Exemption) which is not always consistent with technical understanding of how cookies work.

In addition to that, there's one Directive and 27 Member Countries in European Union to implement it, and each country took slightly different approach. As result these local implementations can substantially differ from each other. So if you need to be certain about your compliance against the laws in your jurisdiction, consult a technology lawyer.

Do you record all cookies that my website sets?

The short answer is: no. In some cases this service will not be able to see and record all cookies used by a website.

First, WebCookies.org will load the page as an anonymous user and will only receive cookies intended for such users. It's quite common (and it's actually good security practice) to set session cookies after the user has authenticated — and these cookies we will not recorded.

Second, a website can display different cookies on different pages. If you scan main page and then some other part of the website, you may get different results. You need to understand technology used to build different parts of your website to know which pages to test.

Third, we are currently recording only traditional cookies set using HTTP Set-Cookie header. While this is what is most often meant by web cookies, remember that the Directive talks about "storing information", not only HTTP cookies. And there are some other ways to track users apart from cookies. Data can be stored in similar way in other objects such as, Flash cookies, HTML5 storage and other means collectively named Evercookie. We are working on detecting those alternative storages.

Can I opt-out from tracking?

What is WebCookies/1.0 agent?

This site uses a script that emulates a web browser to render page for which people wanted to check the cookies. The script uses the following User-Agent string:

WebCookies/1.0 (+http://webcookies.org/faq/#agent)

The script does not crawl the whole website, it just fetches a single page entered by an user on WebCookies.org main page. The script renders JavaScript and fetches images just like a standard browser, so you will see requests for JS, CSS and images.