Can cookies carry viruses?

You can put any text strings into a cookie, so in theory you could put some kind of code there. But for code to do any harm something needs to run it. The web browser does not interpret the content of cookies as code and does not try to run it, so cookies should not be dangerous. (If you have heard cookies being referenced in security-related discussions, it is probably in relation to privacy and not viruses.)

In theory there could be a bug in the browser that makes it possible to craft a special cookie that somehow fools the browser into running it, e.g. by causing a buffer overflow. Such a bug is quite unlikely in a major browser, and if you could find one it would be considered a big deal.

So I would not worry about cookies infecting me with a virus. However, it is possible to be infected by malware from just visiting a website. This is called "drive-by downloads" and is nowadays a common method to spread viruses. The vector that is exploited for this is generally not cookies though, but plugins like Java or Flash.


In addition to Anders' excellent answer, there was a vulnerability in Internet Explorer 5 and 6 which allowed a malicious cookie to be set that could then read or set other sites' cookie values.

Article here.

An information disclosure vulnerability related to the handling of script within cookies that could allow one site to read the cookies of another. An attacker could build a special cookie containing script and then construct a web page that would deliver that cookie to the user's system and invoke it. He could then send that web page as mail or post it on a server. When the page executed and invoked the script in the cookie, it could potentially read or alter the cookies of another site. Successfully exploiting this, however, would require that the attacker know the exact name of the cookie as stored on the file system to be read successfully.

While not a virus as such, your browser could be "infected" by this script in a cookie that the attacker could then use to compromise your browser. However, regarding the cookie here it is more about the mechanism used for the exploit rather than the browser being infected, because only malicious sites can use the cookie and it won't be invoked when benign sites are visited.


Cookies can only transfer TEXT values, meaning they cannot harm your computer stand-alone, but they can contain very important information that can be used against you if stolen. Read about session hijacking, and you will understand what specifically the exploiter can use it for.
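
An added example, not part of any of the answers above: the risk the last answer names (a stolen cookie used for session hijacking) is what the `Secure`, `HttpOnly` and `SameSite` cookie attributes are meant to limit. The sketch below parses `Set-Cookie` header values as plain text and lists the attributes a session cookie is missing; the header strings are constructed samples and the function names are hypothetical.

```javascript
// Added example: audit Set-Cookie headers for attributes that limit cookie theft.
// The header strings below are constructed sample input, not captured traffic.

// Parse one Set-Cookie header value into name, value and a lower-cased attribute map.
// The value is kept as an opaque string: nothing here (or in a browser) executes it.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  if (eq < 1) return null; // no name=value pair: malformed, ignore
  const attrs = {};
  for (const p of parts) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name: first.slice(0, eq).trim(), value: first.slice(eq + 1).trim(), attrs };
}

// Return the list of findings for a cookie that carries a session identifier.
function auditCookie(header) {
  const c = parseSetCookie(header);
  if (!c) return ['malformed'];
  const findings = [];
  if (!c.attrs.httponly) findings.push('missing HttpOnly (page script can read it)');
  if (!c.attrs.secure) findings.push('missing Secure (sent over plain HTTP)');
  const ss = String(c.attrs.samesite || '').toLowerCase();
  if (ss !== 'lax' && ss !== 'strict') findings.push('SameSite not Lax/Strict');
  if (ss === 'none' && !c.attrs.secure) findings.push('SameSite=None without Secure');
  return findings;
}

const samples = [
  'sid=abc123; Path=/',
  'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'note=<script>alert(1)</script>; Path=/; Secure; HttpOnly; SameSite=Strict',
];
for (const h of samples) {
  const c = parseSetCookie(h);
  console.log(c.name, JSON.stringify(c.value), auditCookie(h));
}
```

The third sample carries script-like text as its value; the parser returns it as an ordinary string, and the audit only looks at the attributes.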