If a given web server can only read cookies from those set within its own domain, how do Internet advertisers track user's web traffic from websites outside of their network?
Is there some kind of "supercookie" global advertising system that allows advertisers to retrieve upper-level domain cookies and then query some server (from an affiliate) that houses information about where that user has been?
Update:
To clarify my question, is it possible for an advertiser that publishes ads on "example2.com" to ascertain that I visited a particular site "example1.com" if they had never served an ad on a page from "example1.com"?
There is no need for a "supercookie". Each server reads its own domain's cookies. The servers pass information to each other through URLs. (Or, less commonly, through backchannels.)
For example, say you go to
example.com
. You have anexample.com
cookie that readsuser=1032354
. You retrievehttp://www.example.com
. Of course, you send your cookie to the web server, which outputs the following in the web page:Of course, when your browser goes to
www.advertiser.example
to get the image, it happily sends theadvertiser.example
cookie. Now, the server atadvertiser.example
knows which user you are on its site (from the cookie you sent it) and which user you are onexample.com
(from the URL).With the backchannel method, it operates more like this:
1) You go to
www.example.com
and send it yourexample.com
cookie.2) The web server at
example.com
gets your user ID from the cookie and sends a JSON request toadvertiser.example
to create a session for you. It passes it yourexample.com
user ID.3) The web server outputs an image link to
advertiser.example
with the session ID created in step 2.4) When your browser connects to
advertiser.example
, it sends theadvertiser.example
cookie in the headers and the session ID in the URL.5) The server at
advertiser.example
can now associate your session with their own user record and your user record atexample.com
and it can output an appropriate ad.It can also be done through referrers.
Update: No cookie is needed at the main sites. A single advertiser cookie will do.
1) You go to a site, you send no cookie. The site assigns you a new session.
2) The web page has an embedded image link to the advertiser's site with the session embedded in the URL.
3) You fetch the embedded image, sending your session ID (in the URL) and your cookie (for the advertiser's site).
4) The advertiser now associates your session on the main site with your account in their database. It communicates this to the site's web server through a back channel, embedded in an URL, or other means.