The HTTP Cookie — How Websites Remember Who You Are

Lou Montulli's 1998 Netscape patent describes the browser cookie — the mechanism that lets websites store small pieces of data on your computer so they can remember your login, shopping cart, and preferences across page loads.

What it covers

This patent describes a system for maintaining 'persistent client state' in the otherwise stateless HTTP protocol. HTTP was designed as a simple request-response protocol — each page load is independent, with no memory of previous requests. Cookies solve this by having the server send a small piece of data (the cookie) with its response, which the browser stores locally. On every subsequent request to the same server, the browser automatically includes the cookie in its request headers. The server reads the cookie and uses it to identify the user or recall their preferences. Cookies can be session-based (disappearing when you close the browser) or persistent (stored on disk with an expiration date).

What it doesn't cover

• —localStorage and sessionStorage — newer browser APIs for client-side storage that don't automatically send data to servers
• —Server-side sessions (where the cookie only holds a session ID and all data lives on the server) — the patent covers the client-side storage mechanism, not specific implementations
• —Third-party tracking cookies — the use of cookies by advertisers to track users across sites was not the invention's intent
• —Secure/HttpOnly cookie flags — these security attributes came later and are not part of this patent

The clever bit

Montulli invented cookies in 1994 while working at Netscape, specifically to solve a problem for an early e-commerce site (MCI): how to implement a shopping cart without requiring users to log in. The web's stateless design meant every page load forgot everything about the previous one — you'd have to re-add your items to the cart on every click. Montulli's solution was to store a unique session identifier in a small text file on the user's computer. The name 'cookie' comes from Unix 'magic cookies' — tokens passed between programs to maintain state. The shopping cart use case seems obvious in retrospect, but at the time it required inventing an entirely new mechanism for how browsers and servers communicate.

Why it matters

Cookies are simultaneously one of the most essential and most controversial technologies on the web. Without them, every website would be stateless — no logins, no shopping carts, no personalization. With them came persistent tracking, behavioral advertising, and privacy concerns that led to GDPR, the California Consumer Privacy Act, and a decade-long effort by browser vendors to phase out third-party cookies. Montulli's invention solved a real problem and created a lasting one. Google's multi-year effort to replace third-party cookies with the Privacy Sandbox shows how fundamental — and how difficult to replace — this 1994 invention remains.

Real-world examples

• 1.Amazon's shopping cart persists across sessions because your cart contents are stored server-side and linked to a cookie ID — when you return, Amazon reads your cookie and retrieves your cart
• 2.The 'Remember me' checkbox on login forms stores an authentication token in a persistent cookie, so you don't have to log in again for weeks
• 3.Online advertising networks use third-party cookies to track which websites you visit across the web — this use, far from the original shopping-cart purpose, is why cookie consent banners now appear on every European website under GDPR

Glossary