Cookies
What is an HTTP Cookie?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with later requests to the same server. Typically, it’s used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.
Attribute
- Name
- Content
- Domain
- Path
- Secure
- Expires
- HttpOnly
- SameSite
Name / Content
Name=CONTENT (key, value pair)
Name: Cookie Name
Content: Cookie Value (random, unguessable)
Example: jsessionid=1234
Domain
For which domain(s) the Cookie is valid and sent to.
Recommendation: don’t set domain or set domain restrictive
Path
path=/ -> Cookie will be sent for /, /index.html, /dir/bla.html
path=/pub -> Cookie will be sent for /pub and URLs starting with /pub (/pub/egal, /pub/bliblablu)
Recommendation: Set it restrictive
Secure
Limit the Cookie to be sent over HTTPS only!
Expires
The easiest one :)
If not set -> it's a Session Cookie and valid as long as the Browser Process is running
Expires Jan 2025 xx xx xx -> valid until this date. These ones have a bad reputation
Recommendation: don’t set it
HttpOnly
Can the Cookie be accessed with JavaScript? HttpOnly -> no JavaScript access allowed
Recommendation: set it!
SameSite (added Nov 2017)
SameSite prevents the browser from sending this cookie along with cross-site requests. SameSite=(Strict|Lax)
Recommendation: set it to Strict!
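The attribute recommendations above, collected into one added Python example (not code from the original notes): a small Set-Cookie parser, a checker that reports which recommendations a header violates, a builder that emits a header following them, and the path-match rule from the Path section. The two Set-Cookie headers and the cookie name "sid" are constructed for illustration. The path matcher goes slightly beyond the text by using the RFC 6265 rule, so Path=/pub covers /pub and /pub/egal but not /public.

```python
import secrets

# Constructed example headers (not from the page) used to exercise the checker.
EXAMPLE_HEADERS = {
    "weak": "jsessionid=1234; Domain=example.com; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    "strong": "jsessionid=Qm9iIHdhcyBoZXJl; Path=/app; Secure; HttpOnly; SameSite=Strict",
}


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into name, value and an attribute dict.

    Attribute names are lower-cased; flag attributes without a value
    (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str) -> list:
    """Return one finding per recommendation from the notes that the header violates."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    # Content: the value should be random and unguessable (short numeric ids are not).
    if len(cookie["value"]) < 16 or cookie["value"].isdigit():
        findings.append("value looks short or guessable")
    # Domain: recommendation is to leave it unset (scope stays with the issuing host).
    if "domain" in attrs:
        findings.append("Domain is set: cookie is sent to all subdomains of %s" % attrs["domain"])
    # Path: recommendation is to set it restrictively, not to the whole site.
    if attrs.get("path", "/") == "/":
        findings.append("Path is / (or missing): cookie is sent for every URL on the host")
    # Secure: without it the cookie may travel over plain HTTP.
    if "secure" not in attrs:
        findings.append("Secure missing: cookie may be sent over plain HTTP")
    # Expires: recommendation is to keep it a session cookie.
    if "expires" in attrs or "max-age" in attrs:
        findings.append("Expires/Max-Age set: cookie persists after the browser closes")
    # HttpOnly: without it the cookie is readable from JavaScript.
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: cookie readable from JavaScript")
    # SameSite: recommendation is Strict.
    if str(attrs.get("samesite", "")).lower() != "strict":
        findings.append("SameSite is not Strict")
    return findings


def build_set_cookie(name: str, path: str) -> str:
    """Build a Set-Cookie header that follows the recommendations: random value,
    restrictive Path, Secure, HttpOnly, SameSite=Strict, no Domain, no Expires."""
    value = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe characters
    return f"{name}={value}; Path={path}; Secure; HttpOnly; SameSite=Strict"


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: the cookie is sent when the request path
    equals the cookie path, or the cookie path is a prefix that ends in '/', or the
    prefix is followed by '/' in the request path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


if __name__ == "__main__":
    for label, header in EXAMPLE_HEADERS.items():
        print(label, header)
        for finding in audit_set_cookie(header) or ["no findings"]:
            print("  -", finding)
    print(build_set_cookie("sid", "/app"))
```

Running the script audits both constructed headers and prints a freshly built header for the hypothetical cookie name "sid" under Path=/app; the weak header triggers all seven checks, the strong one none.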
Summary