Everything You Need to Know About Cookie Stuffing


It would seem that web browser programmers are always hungry, given that they use food names like spam, bread crumbs, java, and cookies for data terms and programming languages. The term cookie was actually named after the fortune cookie, as it’s a “cookie with an embedded message,” so to speak. So, it’s quite possible that the programmer who invented cookies was eating Chinese food at the time.

All jokes aside, cookies have a pretty important purpose in the programmatic advertising world. Unfortunately, where there are cookies there are also ad fraudsters who like to use cookie stuffing to take advantage of the embedded messages within the cookies for personal gain.

Here’s everything you need to know about cookie stuffing so you can prevent ad fraudsters from negatively impacting your bottom line: 

What Exactly Is a Cookie?

Cookies (also referred to as data cookies or HTTP cookies) are teeny-tiny files containing both user and website-specific data. If you’re familiar with first-party, second-party, third-party, and even zero-party data, then you’re familiar with cookies — because that’s exactly what they are. 

Cookies play an essential role in programmatic advertising and affiliate marketing because they collect user data by allowing websites to remember visitors through data permissions, logins, shipping carts, and more. The primary purpose of collecting cookies is to provide a more personal and convenient website experience for visitors each time they return. This would include serving up the most relevant ads to each individual visitor.

Unfortunately, since data cookies store important and often private user data, it makes them incredibly vulnerable to cybercriminals.

What Is the Makeup of a Cookie?

As you’re already aware, when we talk about data cookies, we’re talking about user data — generally speaking. But what exactly is the makeup of a data cookie, aside from just the user data it contains?

In a nutshell, cookies are designed within a specific framework that defines what type of information can be stored or passed through each data bit. 

Here’s the breakdown of a data cookie:

  • Its name. While they’re referred to as cookies, these data bits are often given a formal name that describes the text files within them.
  • Its value. Value refers to the actual data or information within the cookie. This information is usually encrypted, especially if it contains sensitive information such as a user’s account information.
  • Its expiration date. Certain cookies are only active for so long. For example, automatic login credentials will expire after a certain amount of time, prompting a user to manually enter their account information. Also, each time a user visits a website now they’re typically prompted by a data permission set governed by the CDPA’s data privacy laws. While certain user information is stored, the permission is not, which is why you have to accept/reject/manage data settings each time you visit the same site. The expiration date will depend entirely on the cookie’s purpose.
  • Its path. Each cookie is programmed for a specific purpose, which is where its path comes into play. Its path, which is its URL, defines which page or how many pages may access and use each cookie.
  • Its domain. A cookie’s domain is essentially the cookie’s acquirer, as in the owner of the site being visited or the company purchasing it. If the cookies are coming directly from the site, they’re referred to as first-party cookies whereas second- and third-party cookies are purchased from first-party cookie holders. 

Session Cookies Vs Persistent Cookies

While there are several types of data cookies, as characterized by their makeup, each type falls into one of two categories: session and persistent.

Session cookies get stored in random access memory (RAM) but never saved onto a hard drive of any kind. This is because they are only used while a visitor is navigating through a website. Therefore, when the visitor’s session ends, the cookies automatically get deleted. 

These session, or navigational, cookies also work to help with the “back button” on most web browsers as well as third-party plugins designed to secure user privacy.

Persistent cookies, on the other hand, are meant to remain on a computer or browser indefinitely. However, some persistent cookies will still include an expiration date and are automatically removed when that date approaches.

Persistent cookies have two specific purposes — authentication and tracking. These types of cookies will track whether or not a user is logged in and which name they’re using. They’ll also “remember” login information so users don’t have to write down passwords or commit them to memory. They also track the number of visits a user makes to the same site over time, which allows them to curate a more customized experience for the individual user.

Both types of cookies are often used in conjunction with one another, especially when it comes to eCommerce sites where merchants sell their products or services directly online. 

What Is Cookie Stuffing and How Does it Work?

The most important thing to understand about cookie stuffing is that it’s a tremendous issue in the affiliate marketing world. Affiliate marketing refers to the process of one business paying another for bringing in valid ad clicks or sales for retail sites. It’s essentially a chain of commissions.

Cookie stuffing, otherwise known as “cookie dropping,” is when a third party (the fraudulent affiliate) drops a bunch of affiliate cookies in a user’s browser. They do this to gain the commission from any sales made by said user — instead of the real affiliate party. 

It’s kind of like number spoofing, but no one is calling you to ask for your social security number to steal your identity. Instead, they’re spoofing your data to steal someone else’s commission.  

Here’s an example:

Let’s say you’re a web publisher who’s partnered up with a retail brand via a cost per advertising (CPA) market to advertise their products or services. Any visitors you send their way through your advertisements that make a purchase earn you a certain percentage of said sale — aka, a commission.

However, if the visitor in question has a browser full of third-party cookies without their knowledge or yours, that third party will take a piece of that commission even though they had nothing to do with the actions that led up to that transaction.

How Ad Fraudsters Carry Out the Act of Cookie Stuffing

There are several ways in which ad fraudsters are able to stuff cookies into a user’s browser without them knowing. As a publisher, it’s essential to understand each method to prevent yourself from also unknowingly installing malicious extensions or scripts that allow these third-party cookies through.  

Here are the various ways in which ad fraudsters implement cookie stuffing to steal others’ commissions:

They Use Pop-Ups

Pop-up ads are everywhere these days as they’ve become a necessary evil for retail websites trying to get subscribers, make sales using discounts as incentives, promote offers, and so on. 

They’ve also become a straightforward way to stuff cookies into unknowing users’ browsers. This is because many pop-up extensions come from third parties that publishers have to download and install separately. So, before installing any third-party pop-up plugins onto your CMS or placing them as scripts throughout your pages, make sure they don’t come with any “affiliate cookies.”

They Hide Them in Iframes

Iframes are typically used to embed pieces of HTML within an existing HTML page, for example native ads within web pages.

Most vendors will ask that you embed an iframe right inside your pages that has the capacity to load affiliate URLs. This allows cookies to be written onto users’ browsers, which also provides third-party ad fraudsters with the opportunity to drop their own cookies.

Fortunately, most iframes designed for ads are transparent. You’ll be able to see the parameters for each iframe, including its library of URLs and coding before placing them throughout your pages. Just remember to check the coding before installing.

They Use JavaScript Against You

JavaScript is often used to redirect visitors to any type of page where affiliate cookies can be written. It’s one of the more obvious issues in the programmatic advertising world.

Fortunately, there are ways for both publishers and users to prevent forced redirects.

They Disguise Them in Style Sheets

Cascading style sheets (CSS) are also used to cloak affiliate cookie URLs by disguising them as images and rendering them directly onto web pages. This is why it’s important to keep track of your CSS library files so that there aren’t any “unknown” files that can be called upon while your web pages render. 
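The pre-install checks suggested under the iframe and style sheet headings above can be partly automated. The following is an added example, not code from the original article: it scans a vendor snippet for off-site iframes or images a visitor would never see, and for CSS `url()` references to hosts you have not reviewed. The allowlist, the sample markup, and the "hidden" heuristics (0/1-pixel size, `hidden`, `display:none`) are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.publisher.example", "cdn.publisher.example"}  # assumed allowlist
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
# Constructed sample of a vendor snippet; hosts and parameters are placeholders.
SAMPLE = """
<iframe src="https://merchant.example/?aff_id=PLACEHOLDER" width="0" height="0"></iframe>
<img src="https://shop.example/go?ref=PLACEHOLDER" style="display:none">
<style>.footer { background: url('https://retailer.example/c?tag=PLACEHOLDER'); }</style>
<iframe src="https://cdn.publisher.example/widget.html" width="1" height="1"></iframe>
"""

def is_external(url):
    # Relative URLs have no hostname and count as first-party.
    host = urlparse(url).hostname
    return host is not None and host not in ALLOWED_HOSTS

class SnippetAudit(HTMLParser):
    """Collects (reason, url) pairs for off-site loads a visitor would never see."""
    def __init__(self):
        super().__init__()
        self.findings, self.in_style = [], False

    def check_css(self, text):
        self.findings += [("css-url", u) for u in CSS_URL.findall(text) if is_external(u)]

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        self.in_style = tag == "style"
        self.check_css(a.get("style", ""))
        if tag in ("iframe", "img") and is_external(a.get("src", "")):
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or "hidden" in a or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden-" + tag, a["src"]))

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # text inside a <style> element
            self.check_css(data)

def audit(html):
    parser = SnippetAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Calling `audit(SAMPLE)` returns three findings and leaves the allowlisted 1x1 widget iframe alone; a finding is a prompt for manual review, not proof of fraud.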


There are plenty of techniques used by ad fraudsters to interrupt your ad serving and steal your revenue. Cookie stuffing, however, is a technique that directly impacts legitimate affiliate publishers’ bottom lines. What’s more, cookie stuffing is implemented from both the publisher’s side and the user’s side, through anything from scripts to fraudulent extensions.

Most users have no idea what’s happening, as it doesn’t necessarily affect them. That’s why publishers must be on top of the parameters within any scripts, extensions, plugins, and so on to ensure that they’re preventing cookie stuffing on their end. 
