Part IV Chapter 22

Cookies

Hero image of Web Almanac characters carrying a large cookie, while crumbs are thrown off by another character. Another Web Almanac character is following the trail of cookies with a detective hat and a magnifying glass.

Introduction

Cookies allow websites to save data and maintain state across requests made over HTTP, a stateless protocol. Web applications use cookies for several purposes, such as authentication, fraud prevention and security, or remembering preferences and user choices. However, ever since their introduction in the mid-1990s, cookies have also played a dominant role in online tracking of web users.

Over the years, browser vendors such as Brave, Firefox, and Safari have restricted, partitioned, and removed third-party cookies. While Chrome initially appeared to follow the same path by announcing plans to block all third-party cookies, after several delays and postponements Google eventually decided to maintain its current approach in Chrome. As a result, cookies, the focus of this 2025 Web Almanac chapter, remain an essential component of today’s web landscape.

In the chapter below, we measure and report on the prevalence and structure of web cookies encountered on the webpages visited by the HTTP Archive crawl of July 2025. The majority of these results, except when mentioned otherwise, are for the top one million (top 1M) most popular websites according to their rank in the Chrome User Experience report (i.e., CrUX rank). Results are shown for both desktop and mobile devices, although in practice we rarely observe any significant difference between the two types of devices.

Background

To avoid repetitions and overlap with concepts and definitions already explained in the 2024 Cookies chapter, we refer interested readers to last year’s Definitions section for (a) an overview of the different types of cookies and (b) the privacy and security risks they can pose.

First and third-party prevalence

Figure 22.1. First- and third-party prevalence.

The overall prevalence of first- and third-party cookies on the top 1M most popular websites from the HTTP Archive crawl of July 2025 is similar to last year’s distribution. On both desktop and mobile devices, 40% of cookies are first-party and 60% third-party (Figure 1). Below, we report on the same first- and third-party split across different CrUX ranks.

Figure 22.2. First- and third-party prevalence of cookies by rank on desktop clients.
Figure 22.3. First- and third-party prevalence of cookies by rank on mobile clients.

We observe from Figure 2 and Figure 3 that the most visited websites tend to set significantly more third-party cookies (78% of cookies on the top 1k) than websites visited less often (just below 50% on top 10M). This may be explained by the fact that more popular websites also include more third-party content and scripts that in turn set third-party cookies to enable different functionalities.

Figure 22.4. An overview of cookie attributes for desktop clients.
Figure 22.5. An overview of cookie attributes for mobile clients.

Figure 4 and Figure 5 showcase the different cookie attributes for each type of cookie observed.

Partitioned (CHIPS proposal)

On compatible browsers, partitioned cookies prevent third-party cookies from being used for cross-site tracking by placing them into storage partitioned per top-level site. In July 2025, about 10% of third-party cookies on the top 1M are partitioned. This is a slight increase in adoption of this relatively new attribute compared to the 6% in last year’s results.

Figure 22.6. Top partitioned cookies (CHIPS) in third-party context.

Figure 6 shows the 10 most common partitioned cookies (name and domain) found in third-party context on webpages in July 2025. Here, we observe a major change from last year’s analysis: the overall usage of third-party partitioned cookies in 2025 appears to have plummeted to very low levels. Interestingly, partitioned cookies that were somewhat predominant in 2024 (on about 9% of websites with partitioned cookies) are no longer present; two of these cookies were set by YouTube and another one was the receive-cookie-deprecation cookie set by domains that participated in the testing phase of Chrome’s Privacy Sandbox. Instead, Cloudflare’s cf_clearance cookie accounts for the entirety of the top 10 most common partitioned third-party cookies in 2025.

So, in the past year YouTube appears to have altered how these cookies are set on youtube.com and on video iframes embedded on other websites. Potential reasons that could explain these changes include incorrect setting, A/B testing, and, more likely, infrastructure or policy updates following Google’s announcements on the pause and then deprecation of Privacy Sandbox APIs, even though support for partitioned cookies (CHIPS proposal) continues.

Figure 22.7. Top partitioned cookies (CHIPS) in first-party context.

In 2025, we continue to observe that 1% of first-party cookies are set as partitioned; this might be a bit surprising, as the CHIPS proposal is mainly about partitioning third-party cookies and, even though it mentions a specific uncommon case for partitioned first-party cookies, the required behavior appears unclear in first-party context. In 2025, more than 90% of these first-party partitioned cookies are Cloudflare’s cf_clearance cookie related to bot detection. Compared to 2024’s analysis, we note here again that receive-cookie-deprecation, set by domains participating in Privacy Sandbox tests, has gone away.

Session

19% of first-party and 7% of third-party cookies are session cookies, i.e., temporary cookies only valid for a single user session that expire once the user quits the corresponding website they were set on, or closes their web browser, whichever happens first.

HttpOnly

HttpOnly cookies provide some mitigation against cross-site scripting (XSS) as they cannot be accessed by JavaScript code (but are still sent along with XMLHttpRequest or fetch requests initiated from JavaScript). 12% of first-party and a little more than 26% of third-party cookies have this attribute set.

Secure

Secure cookies are only sent with requests made over HTTPS. The trend here is the same as last year: while only 24% of first-party cookies set this attribute, all third-party cookies have to set it if they want to use SameSite=None (which they all do, see below).

SameSite

Figure 22.8. SameSite attribute for cookies on desktop client.
Figure 22.9. SameSite attribute for cookies on mobile client.

For explanations about the different values for the SameSite attribute, we refer to the 2024 Cookies chapter. The overall distribution of this attribute for first- and third-party cookies across clients is similar to last year’s: nearly 100% of third-party cookies are sent on cross-site requests (SameSite=None), which can enable cross-site tracking. A majority of first-party cookies (66% on desktop, 62% on mobile) do not set this attribute and so are assigned the default Lax behavior, which another 19% of first-party cookies explicitly pick; only 3% set it to Strict, and the remaining 11% are sent on both same-site and cross-site requests (SameSite=None).

Figure 22.10. Cookie prefixes observed on desktop pages.
Figure 22.11. Cookie prefixes observed on mobile pages.

Two cookie prefixes, __Host- and __Secure-, can be used in the cookie name to indicate that the cookie can only be set or modified by a secure HTTPS origin (for more details see the 2024 Cookies chapter). Here, we draw the same conclusion as last year: these prefixes have seen very low adoption on the web since their introduction 10 years ago, and so in practice the defense-in-depth measure that they provide remains unused.
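
The attribute checks discussed in this section (session, HttpOnly, Secure, SameSite, Partitioned, and the name prefixes) can be applied directly to raw Set-Cookie headers. The following is an added example, not code from the Web Almanac or the HTTP Archive; the function names, label strings, and sample headers are hypothetical, and matching the prefixes case-insensitively is an assumption of this sketch.

```python
from collections import Counter

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit(header):
    """Return the labels that apply to one Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower()
    labels = []
    if "expires" not in attrs and "max-age" not in attrs:
        labels.append("session")
    if "httponly" not in attrs:
        labels.append("no-httponly")
    if not secure:
        labels.append("no-secure")
    if samesite not in ("strict", "lax", "none"):
        labels.append("samesite-defaults-to-lax")
    if not secure and (samesite == "none" or "partitioned" in attrs):
        labels.append("needs-secure")  # SameSite=None and Partitioned require Secure
    lowered = name.lower()
    host_ok = secure and attrs.get("path") == "/" and "domain" not in attrs
    if (lowered.startswith("__secure-") and not secure) or (
            lowered.startswith("__host-") and not host_ok):
        labels.append("prefix-violated")
    elif not lowered.startswith(("__secure-", "__host-")):
        labels.append("no-prefix")
    return labels

def summarize(headers):
    """Count labels over many headers, like the chapter's attribute shares."""
    return Counter(label for h in headers for label in audit(h))

# Constructed sample headers; names and values are hypothetical.
SAMPLE = [
    "sid=abc123; Path=/",
    "__Host-sid=abc123; Secure; HttpOnly; Path=/; SameSite=Strict",
    "widget_state=xyz; Secure; HttpOnly; SameSite=None; Partitioned; Max-Age=1800",
    "track_id=t1; SameSite=None; Max-Age=34560000",
]
```

Calling summarize(SAMPLE) gives per-label counts that can be divided by the number of headers to obtain shares comparable to the percentages reported above.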

Top first and third-party cookies and domains setting them

Figure 22.12. Top first-party cookies set.

Figure 12 reports the top 10 most common first-party cookie names being set. Google Analytics sets the _ga and _gcl_au cookies, which are used for website statistics, analytics reports, and targeted advertising, on more than 60% and 25% of websites. Other cookies present in this top 10 are related to online tracking, session cookies used to identify users’ sessions, or performance.

Figure 22.13. Top third-party cookies and domains that set them.

Similarly, Figure 13 shows the top 10 most common third-party cookies being created on the top 1M websites. The IDE and test_cookie cookies are set by doubleclick.net (owned by Google) and are present on more than 35% and 25% of websites. DoubleClick checks if a user’s web browser supports third-party cookies by trying to set test_cookie. MUID from Microsoft comes next, present on more than 23% of websites, and is also used for targeted advertising and cross-site tracking. As already pointed out in the Partitioned cookies section, this year we no longer observe the YSC and VISITOR_INFO1_LIVE cookies from YouTube among the top third-party cookies.

Figure 22.14. Top registrable domains setting cookies.

Perhaps unsurprisingly given prior results, the 10 most common domains (Figure 14) that set cookies on the web are all involved with search, targeting, and advertising services. Google’s combined coverage (doubleclick.net, google.com, and youtube.com) reaches more than 50% of the websites, and Microsoft’s (bing.com, clarity.ms, linkedin.com) 30%.

Number of cookies set by websites

Number of cookies (desktop top 1M)

Statistic   First-party   Third-party   All
min         1             1             1
p25         3             2             4
median      7             7             9
p75         13            16            23
p90         22            40            44
p99         45            399           395
max         178           885           915

Figure 22.15. Statistics for number of cookies set on desktop pages.

Number of cookies (mobile top 1M)

Statistic   First-party   Third-party   All
min         1             1             1
p25         3             2             4
median      6             4             9
p75         12            15            22
p90         21            39            43
p99         45            400           396
max         178           801           831

Figure 22.16. Statistics for number of cookies set on mobile pages.

Websites set a median of 9 cookies of any type overall, 7 first-party cookies, and 5 or 6 third-party cookies. The tables above report several other statistics about the number of cookies observed per website and the figures below display their cumulative distribution functions (cdf). For example: on desktop a maximum of 178 first-party and 885 third-party cookies are set per website.

Figure 22.17. Number of cookies per website (cdf) for desktop pages.
Figure 22.18. Number of cookies per website (cdf) for mobile pages.

Size of cookies

Size of cookies (desktop top 1M), in bytes

Statistic   First-party   Third-party   All
min         1             1             1
p25         29            22            24
median      41            39            40
p75         67            59            64
p90         157           145           149
p99         414           321           338
max         4090          4096          4096

Figure 22.19. Statistics for size of cookies set on desktop pages.

Size of cookies (mobile top 1M), in bytes

Statistic   First-party   Third-party   All
min         1             1             1
p25         22            29            24
median      39            41            40
p75         62            67            65
p90         145           162           150
p99         326           414           388
max         4096          4081          4096

Figure 22.20. Statistics for size of cookies set on mobile pages.

We find that the median size across all observed cookies is 40 bytes, with a maximum of 4K bytes, which is consistent with the limits defined in RFC 6265. Similar to last year, we observe some cookies that are a single byte in size; these are likely set in error by empty Set-Cookie headers.

Figure 22.21. Size of cookies per website (cdf) for desktop and mobile pages.

Figure 17 corresponds to the cumulative distribution function (cdf) of the size of all the cookies seen on the top 1M websites for each client.

Persistence (expiration)

Age of cookies (desktop top 1M), in days

Statistic   First-party   Third-party   All
min         0             0             0
p25         1             30            21
median      365           360           364
p75         395           365           390
p90         400           400           400
p99         400           400           400
max         400           400           400

Figure 22.22. Statistics for age of cookies set on desktop pages.

Age of cookies (mobile top 1M), in days

Statistic   First-party   Third-party   All
min         0             0             0
p25         1             30            30
median      365           270           360
p75         395           365           390
p90         400           400           400
p99         400           400           400
max         400           400           400

Figure 22.23. Statistics for age of cookies set on mobile pages.

Cookies are assigned an expiration date when they are created. While session cookies expire immediately after the session is over (see previous section), most first- and third-party cookies do not, and have a median age of a full year. The longer cookies live, the longer they can be used for re-identification or cross-site tracking, which is why most tracking cookies are typically set to be stored in the browser for a longer time. The maximum age among the cookies that we can observe with the instrumentation and collection of the HTTP Archive tools is 400 days; this is aligned with the hard limit that Chrome imposes on the cookie Expires and Max-Age attributes.
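
How a lifetime like the ones measured above is derived from a Set-Cookie header, as an added example that is not part of the Web Almanac or the HTTP Archive tooling: Max-Age takes precedence over Expires (RFC 6265), a cookie with neither attribute is a session cookie, and the result is capped at the 400-day limit mentioned above. The function name and the headers used to exercise it are hypothetical.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME = timedelta(days=400)  # hard limit the chapter attributes to Chrome

def cookie_lifetime(header, now):
    """Return the cookie's lifetime as a timedelta, or None for a session cookie.

    `now` must be a timezone-aware datetime (the time the header was received).
    """
    attrs = {}
    for part in header.split(";")[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    lifetime = None
    if "expires" in attrs:
        try:
            lifetime = parsedate_to_datetime(attrs["expires"]) - now
        except (TypeError, ValueError):
            lifetime = None  # unparseable or zone-less date: attribute ignored
    if "max-age" in attrs:  # Max-Age wins over Expires when both are present
        try:
            lifetime = timedelta(seconds=int(attrs["max-age"]))
        except (ValueError, OverflowError):
            pass  # invalid Max-Age: fall back to Expires, if any

    if lifetime is None:
        return None  # neither attribute usable: session cookie
    # Past dates or non-positive Max-Age expire at once; long values are capped.
    return max(timedelta(0), min(lifetime, MAX_LIFETIME))
```

With this rule, a header requesting a two-year Max-Age is stored for 400 days, which is why the p90, p99 and max rows of the tables above all read 400.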

Conclusion

The observations from this chapter confirm the conclusions from last year’s analysis:

  • A majority (60%) of cookies encountered on the web are third-party cookies and popular websites create them the most.
  • Most popular cookies can be linked to advertising, tracking, and analytics use cases.
  • Cookies tend to be long-lived with a median lifetime of 12 months. Ephemeral session cookies only represent 19% of first- and 7% of third-party cookies.
  • Other restrictions on cookie capabilities are used very little or not at all: while partitioned cookies represent 10% of all third-party cookies, a slight uptake from last year’s 6%, 100% of third-party cookies have SameSite=None, allowing them to be sent in cross-site requests, and adoption of cookie prefixes is almost non-existent.

Additionally, while several web browsers have deprecated or limited third-party cookies due to privacy concerns, Google has decided to still support them in Chrome. Google is also phasing out most technologies from its Privacy Sandbox initiative, initially designed to “create a thriving web ecosystem that is respectful of users and private by default”. As a result, whether trackers use third-party cookies, switch to or complement their approach with first-party cookies or fingerprinting, or develop other techniques to track users online, cookies remain a fundamental piece of the web that continues to pose privacy and security risks for users.

Author

  • Yohan Beugin
    Yohan Beugin is a Ph.D. student in the Department of Computer Sciences at the University of Wisconsin–Madison where he is a member of the Security and Privacy Research Group and advised by Prof. Patrick McDaniel. He is interested in building more secure, privacy-preserving, and trustworthy systems. His research so far has focused on the security of open-source software as well as tracking and privacy in online advertising.

Citation

BibTeX
@inbook{WebAlmanac.2025.Cookies,
author = "Beugin, Yohan and Böttger, Chris",
title = "Cookies",
booktitle = "The 2025 Web Almanac",
chapter = 22,
publisher = "HTTP Archive",
year = "2025",
language = "English",
doi = "…TODO",
url = "https://almanac.httparchive.org/en/2025/cookies"
}