Cookie

Transfers

The web cookie descends from the Unix “magic cookie” — itself a reference to the fortune cookie, a treat containing a hidden message. Lou Montulli of Netscape coined the web usage in 1994 when he needed a mechanism for HTTP servers to remember returning visitors. The structural mapping: a small thing given to you that carries hidden information, which you hand back on your next visit.

Key structural parallels:

• Small container, hidden contents — a fortune cookie is physically small and externally uninformative. You cannot tell what message it contains by looking at it. The metaphor maps this onto web cookies: tiny data tokens whose contents are not visible to the casual user. The opacity is structural, not incidental — the whole point is that the carrier (browser, dinner guest) does not need to understand the contents to transmit them faithfully.
• The handoff at the end of a transaction — fortune cookies are given at the end of a meal. Web cookies are set at the end of a server response. Both establish a link between a completed interaction and a future one. The cookie’s structural role is to bridge the gap between encounters that are otherwise stateless — the restaurant does not remember you, and HTTP does not remember you, but the cookie creates continuity.
• Opaque token passing — the Unix “magic cookie” was an opaque data blob passed between programs. The intermediary program did not inspect the cookie; it just passed it along. This maps the sealed fortune cookie (you carry it from the restaurant to your table without reading it mid-transit) onto a data-passing protocol. The opacity is a feature, not a limitation.
• The name domesticates the function — calling a tracking mechanism a “cookie” frames it as harmless, small, and vaguely pleasant. The food metaphor imports the connotations of treats and rewards, softening what is functionally a surveillance token. This domestication is not accidental: Montulli chose a word that would not alarm users, and the framing succeeded so well that “cookie” remained the standard term even as tracking cookies became the foundation of the surveillance advertising industry.

Limits

• The hidden-message direction is reversed — in a fortune cookie, the message is a surprise to the recipient. In a web cookie, the message was written by the server and is only meaningful to the server. The recipient (the browser user) neither chose the message nor typically benefits from its contents. The fortune cookie metaphor implies a gift; the web cookie is closer to a tracking tag attached to your ankle.
• Scale destroys the metaphor — a fortune cookie is one message in one cookie. A modern browser carries hundreds or thousands of cookies, and third-party tracking cookies link a user’s activity across thousands of unrelated sites. The confection metaphor cannot accommodate the industrial-scale tracking infrastructure that cookies enable. One cookie is a harmless token; ten thousand cookies are a surveillance apparatus. The metaphor only covers the first case.
• Persistence contradicts the food metaphor — food is consumed and gone. Cookies persist. A tracking cookie set in 2020 may still be active in 2026. The food-and-cooking frame imports ephemerality that web cookies do not possess, which contributed to decades of user complacency about cookie persistence. People treat cookies as disposable because the name tells them cookies are disposable.
• The “accept cookies” consent pattern exploits the metaphor — when websites ask users to “accept cookies,” the food metaphor frames refusal as declining a gift. The structural reality — consenting to surveillance — is hidden behind the connotation of accepting a treat. The dead metaphor does active harm here: its domesticating effect is weaponized by consent dialogs that exploit the benign associations.

Expressions

• “Accept cookies” — consent dialog that exploits the food metaphor’s benign connotations
• “Cookie jar” — the browser’s cookie storage, extending the food metaphor to its container
• “Third-party cookies” — tracking cookies set by domains other than the one visited, where “third party” strains the original one-to-one handoff metaphor
• “Cookie crumbs” — traces left by cookie-based tracking, extending the food metaphor to debris
• “Clear your cookies” — deleting stored tracking data, framed as cleaning up after eating
• “Cookie-less future” — the post-third-party-cookie web, a phrase that only makes sense because the food metaphor is completely dead

Origin Story

The Unix “magic cookie” dates to at least the early 1980s, borrowed from “fortune cookie” via the metaphor of an opaque token carrying hidden information. The Jargon File (1983 edition) defines it as “something passed between routines or programs that enables the receiver to perform some operation.” The “magic” distinguished it from ordinary data by emphasizing the opacity: the intermediary does not understand the token, it just passes it along.

Lou Montulli adopted “cookie” for the web in 1994 when implementing state management for Netscape Navigator. HTTP is stateless — each request is independent — and Montulli needed a mechanism for servers to recognize returning browsers. He chose the term “cookie” from the Unix tradition, and the implementation shipped in Netscape Navigator 0.9beta. The original specification (RFC 2109, 1997) formalized cookies as “Set-Cookie” and “Cookie” HTTP headers.

The privacy implications were not apparent in 1994. By the early 2000s, DoubleClick and other advertising networks had turned cookies into the backbone of cross-site user tracking. The food metaphor — small, harmless, a treat — had done its domesticating work so effectively that the surveillance infrastructure built on cookies grew for over a decade before generating significant public concern. The EU Cookie Directive (2009) and GDPR (2018) represent the regulatory recognition that the metaphor had been concealing a fundamentally different reality.

References

• Montulli, L. “The irregular musings of Lou Montulli” — personal account of inventing web cookies (2013 blog post)
• Kristol, D. and Montulli, L. RFC 2109: HTTP State Management Mechanism (1997) — original cookie specification
• Raymond, E.S. The New Hacker’s Dictionary / Jargon File — “magic cookie” entry, tracing the Unix lineage
• Schwartz, J. “Giving the Web a Memory Cost Its Users Privacy,” New York Times (2001) — early reporting on cookie-based tracking