On Cookies and The Kermudgeon

Not all cookies are delicious

Chocolate chip cookies fresh from the oven (Photo credit: Jim Duncan, CC BY 2.0)

There is much concern about online privacy, and rightly so. One issue related to this topic is the use of third-party vs. first-party cookies.

The long and short of it is that first-party cookies are typically viewed as “essential” to the operation of a site. They are used to identify who is logged in, store the contents of your shopping cart, save your site preferences, etc.

Third-party cookies are often used for more nefarious purposes, such as attempting to track your every movement across the Web, so that your browsing habits may be sold as a commodity and used for the purposes of targeted advertising and the like.

Most sites offering the ability to log in do not work with first-party cookies disabled; they generally do work with third-party cookies disabled, although they may behave differently in some cases.

Facebook comes to mind: it fails if all cookies are disabled, but works if only third-party cookies are disabled. The same is true of Gmail, YouTube, Twitter, etc.

With all cookies disabled, Facebook and Gmail allow you to access the login page. Facebook will also let you access public Facebook “pages.”

If you attempt to log in to Gmail with all cookies disabled, it looks like this:

Gmail with all cookies disabled

Facebook gives a similarly “helpful” result:

Facebook with all cookies disabled

If you disable third-party cookies, Gmail sets a number of cookies after initial login (unexpanded view):

Gmail cookies, with third-party cookies disabled

Facebook sets these after initial login (unexpanded view):

Facebook cookies, with third-party cookies disabled

Given that the EU and other entities are moving toward banning or heavily restricting third-party cookies, more ethical sites are moving toward simply using first-party cookies, while less ethical sites are moving toward other methods that, while technically not third-party cookies, have similar potential for abuse—or worse. More ethical sites also tend to use other revenue models, such as advertising which does not depend on cookies, paid subscriptions, fully-disclosed affiliate marketing, etc.


The Kermudgeon is an example of a site which uses first-party cookies to identify who is logged in, so that it may determine the appropriate content to display based on subscription level.

By default, a third-party cookie is also set by Stripe (the payment processor used to handle subscriptions). This cookie is not needed for the site to function properly, except during the initial registration process. I recommend that you disable third-party cookies entirely, where possible.*
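How a "disable third-party cookies" setting separates the two kinds of cookie, as an added example that is not code from The Kermudgeon or its providers: a cookie is first-party when the host that sets it belongs to the same registrable domain as the page in the address bar, and third-party otherwise. It generalizes beyond this site; every host and cookie name is a constructed placeholder, and the small suffix set is an assumption standing in for the full Public Suffix List that browsers use.

```javascript
// Added example. Hosts, cookie names and values are constructed placeholders.
// Assumption: a tiny stand-in for the Public Suffix List (browsers ship the full list).
const PUBLIC_SUFFIXES = new Set(["example", "com", "co.uk"]);

// Registrable domain (eTLD+1): the longest matching public suffix plus one label.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // A bare public suffix has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: cannot be matched to the page's site
}

// Classify each cookie-setting response relative to the top-level page.
// Simplification: only hosts are compared; the URL scheme is ignored.
function classifyCookies(topLevelUrl, responses) {
  const pageSite = registrableDomain(new URL(topLevelUrl).hostname);
  return responses.map(({ url, setCookie }) => {
    const host = new URL(url).hostname;
    const name = setCookie.split("=")[0].trim();
    const site = registrableDomain(host);
    const firstParty = site !== null && site === pageSite;
    return { name, host, party: firstParty ? "first-party" : "third-party" };
  });
}

// Cookie names that would still be stored with third-party cookies disabled.
function keptWithThirdPartyBlocked(topLevelUrl, responses) {
  return classifyCookies(topLevelUrl, responses)
    .filter((c) => c.party === "first-party")
    .map((c) => c.name);
}

// Constructed sample: one page load on a subscription site that embeds a payment frame.
const SAMPLE_PAGE = "https://www.news.example/account";
const SAMPLE_RESPONSES = [
  { url: "https://www.news.example/login", setCookie: "session=abc123; Path=/; Secure; HttpOnly" },
  { url: "https://members.news.example/api", setCookie: "tier=paid; Path=/; Secure" },
  { url: "https://js.payments.example/frame", setCookie: "device=xyz789; Secure; SameSite=None" },
  { url: "https://news.example.tracker.example/px", setCookie: "uid=42; Secure; SameSite=None" },
];

for (const c of classifyCookies(SAMPLE_PAGE, SAMPLE_RESPONSES)) {
  console.log(`${c.party.padEnd(11)}  ${c.name.padEnd(8)} set by ${c.host}`);
}
```

The last sample host begins with the site's name but belongs to a different registrable domain, so it is classified by its registrable domain rather than by how the hostname starts.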

With third-party cookies disabled (but first-party cookies enabled), logging into The Kermudgeon creates these cookies (expanded view):

The Kermudgeon cookies, with third-party cookies disabled

There is a separate site used for site contributors. With third-party cookies disabled (but first-party cookies enabled), logging into the Contributor site creates this cookie (expanded view):

thekermudgeon.ghost.io cookies, with third-party cookies disabled

*You may notice that our site’s Cookies Policy makes reference to cookies administered by third parties. In the context of this policy, the service providers used to operate the site and payment processors are referred to as third parties, as opposed to the cookies themselves being third-party cookies. The policy also is written to describe potential behaviour of the site when third-party cookies are enabled, given that is the default of most browsers. With third-party cookies disabled, the site uses only first-party cookies as described earlier in this article.

I also have further recommendations about browsers and session management which I will address in another article, to be linked to this article once it is written.
