Let me try to help with an analogy that I use when I’m teaching people about the Web. A cookie… is like a visitor ID badge.

There are lots of buildings that, if you visit, will give you a temporary visitor ID card or badge. Mine does! Often, they’ll look like this: just a badge with a number on it; they’ll just use it to check that you’re allowed to be on the premises. Now in Web City, most of the buildings will give you a visitor badge and expect you to wear it: even if they let anybody visit most of the offices (which is pretty common – most websites are at least mostly open to the public without logging in), you’ll often still be given a visitor badge. This is your cookie.

In Web City, most visitor badges just have a number on them, rather than your name. Why? Because just like in the real world, visitor passes are really easy to forge (in fact, they’re actually easier to forge: you could type anything you want onto your visitor badge). There are countermeasures to this, but for the most part it’s true to say that when you get a visitor pass in Web City, it just has a number on it. So when you come to Reddit for the first time you get a visitor pass with a long random number on it, even if you’re just browsing anonymously and you’re not logging in.

That’s important, because it means that the owners of the building can, if they want, track you around their building. For instance, whenever you visit somebody’s office in that building, the occupant of that office can record the number on your visitor pass along with the date and time and what you asked about when you were there. And later, the building owners can read all of these logs to work out what you did while you were in their building, or they can amalgamate statistics from all of their visitors to spot trends: the people in the Amazon building might notice that people who put lots of expensive things in their basket are more likely to be “window shopping” and will never make it to the checkout, for example. And most people keep their visitor passes until their next visit, too, so it’s also possible to spot longer-term trends about how people come and go – even though they’re “anonymous”, the fact that you’ve given them each a unique number makes them not-anonymous, merely unidentified!

You can throw away your visitor pass, of course (this is called “clearing your cookies”, especially if you throw away all of them at once). Some people are set up to automatically throw away their visitor passes as soon as they don’t need them any more, for example (this is approximately what Incognito Mode/Private Browsing does with cookies). But you’ll usually just get given another one seconds later if you’re still in the building. Throw out your Reddit visitor pass and you’ll get a fresh one (with a new number) the very next time you do anything in the Reddit building.

One of the most important uses for visitor passes/cookies is authentication: proving you are who you say you are. The /r/MegaLounge office in the Reddit building has a “guest list”, for example, of people who are allowed in (incidentally, so does your message inbox, although it’s a guest list of one!). So how does the guard at the entrance of /r/MegaLounge know who to let in? Here’s how: in the Reddit building, you always have the option of going to the Log In Office and proving your identity by telling them your username and password. If this convinces the staff there that you are who you claim to be, they make a record in their list of (a) your username, and (b) the number on your visitor badge. This list is shared with the security guards around the building (including the one that guards /r/MegaLounge), so when you turn up they can look at your visitor badge and cross-reference it against the list maintained by the Log In Office to work out who you are. Then they can check that name against the guest list to see if you’re allowed in. Simple!

The thing you’ll note is odd (compared to most real world visitor badges) is that the folks in the Log In Office don’t change what’s written on your visitor badge! When a guard wants to know who you are, they don’t read it from your badge: they read the number from your badge and then look up whether that number has recently been worn by somebody who proved their identity to the Log In Office. There are a few reasons for this: firstly, there’s the forgery issue – if all I have to do is write “/u/Greypo” on my badge with a crayon and then be able to pretend to be him, that’s no use! Secondly, there’s a size limit on visitor badges, and the more you put on them the more cumbersome they are (nobody wants a visitor badge that they have to drag around!). Putting a really big random number on the cards solves these problems. Sure: you could change the number on your card, but it’d take millions of billions of guesses before you picked one that already belonged to somebody else (and even then, it probably won’t be who you were aiming to impersonate!).

(There’s a slight weakness in the analogy at this point, because some buildings in Web City do put everything in plain view on the card – making the lives of their guards easier – but then use cryptography to make it hard to forge changes without getting caught.)
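Both versions of the badge from the two paragraphs above, as an added example that is not part of the original post: the opaque random badge looked up on the Log In Office’s list, and the signed badge that carries the name in plain view with a keyed MAC. The user table, the `hunter2` password and the `SERVER_KEY` are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed demo user table (a real server stores slow password hashes).
USERS: Dict[str, str] = {"Greypo": "hunter2"}

# The Log In Office's list: badge number -> username. Only the building
# (server) can read or change it; the badge itself carries just the number.
SESSIONS: Dict[str, str] = {}

def issue_badge() -> str:
    """Hand a new visitor a badge: a long random number and nothing else."""
    badge = secrets.token_hex(16)  # 128 random bits: guessing a live one is hopeless
    SESSIONS[badge] = ""           # anonymous until the visitor logs in
    return badge

def log_in(badge: str, username: str, password: str) -> bool:
    """Log In Office: if the proof of identity checks out, record who wears this badge."""
    if badge not in SESSIONS:      # not a badge this building issued
        return False
    if not hmac.compare_digest(USERS.get(username, ""), password):
        return False
    SESSIONS[badge] = username     # the badge is unchanged; only the list is
    return True

def who_is(badge: str) -> Optional[str]:
    """Guard: never read a name off the badge; look the number up on the list."""
    return SESSIONS.get(badge) or None

def discard_badge(badge: str) -> None:
    """Clearing cookies: the list entry is dropped; the next visit gets a new number."""
    SESSIONS.pop(badge, None)

# The variant from the caveat: the name is written on the badge in plain view,
# but with a keyed MAC so that a crayon edit is detected by the guard.
SERVER_KEY = secrets.token_bytes(32)   # constructed: known only to the building

def sign_badge(username: str) -> str:
    mac = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{mac}"

def read_signed_badge(badge: str) -> Optional[str]:
    """Guard: trust the name only if the MAC was made with the building's key."""
    name, _, mac = badge.rpartition(".")
    expected = hmac.new(SERVER_KEY, name.encode(), hashlib.sha256).hexdigest()
    return name if hmac.compare_digest(mac, expected) else None
```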

So that’s the essentials of the analogy: cookies are like randomly numbered visitor passes that are given out freely and can be changed (or disposed of) freely by the person wearing them, but they’re still a safe way to identify people because the ID numbers are random and security staff keep a separate log of which badge numbers correspond to which people.

(I like this analogy because it extends well, too: if you’re interested in the major privacy and security concerns about cookies, I can explain them in the framework of this model too – just shout!)