
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with later requests to the same server. Typically, it’s used to tell whether two requests came from the same browser — keeping a user logged in, for example. It remembers stateful information for the stateless HTTP protocol.


  • Name
  • Content
  • Domain
  • Path
  • Secure
  • Expires
  • HttpOnly
  • SameSite

Name / Content

Name=CONTENT (key, value pair)
Name: Cookie Name
Content: Cookie Value (random, unguessable)
Example: jsessionid=1234

Domain

For which domain(s) the cookie is valid and sent to.

Recommendation: don’t set Domain, or set it as restrictively as possible

Path

path=/ -> Cookie will be sent for /, /index.html, /dir/bla.html
path=/pub -> Cookie will be sent for /pub and URLs starting with /pub (/pub/egal, /pub/bliblablu)

Recommendation: Set it restrictive

Secure

Limit the cookie to being sent over HTTPS only!

Expires

The easiest one :)
If not set -> it’s a session cookie, valid as long as the browser process is running
expires Jan 2025 xx xx xx -> valid until this date. These ones have a bad reputation

Recommendation: don’t set it

HttpOnly

Can the cookie be accessed with JavaScript? HttpOnly -> no JavaScript access allowed

Recommendation: set it!

SameSite (added Nov 2017)

SameSite prevents the browser from sending this cookie along with cross-site requests. SameSite=(Strict|Lax)

Recommendation: set it to Strict!
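The checklist above (no Domain, restrictive Path, Secure, HttpOnly, no Expires, SameSite=Strict) as a small Python script. This is an added example, not code from the original page: it builds a Set-Cookie header that follows the recommendations using the standard library's http.cookies, and audits any Set-Cookie header value against the same rules. All function names and the sample headers are my own and constructed for illustration.

```python
# Added example (not from the original page): build a Set-Cookie header that
# follows the recommendations above, and audit arbitrary Set-Cookie headers
# against the same checklist. Names are hypothetical; sample headers are
# constructed for illustration.
from http.cookies import SimpleCookie


def build_session_cookie(name, value, path, max_age=None):
    """Return a Set-Cookie header value following the recommendations:
    no Domain (host-only), an explicit Path, Secure, HttpOnly, SameSite=Strict,
    and no expiry (session cookie) unless max_age is passed explicitly."""
    cookie = SimpleCookie()
    cookie[name] = value           # value should be random and unguessable
    morsel = cookie[name]
    morsel["path"] = path
    morsel["secure"] = True        # HTTPS only
    morsel["httponly"] = True      # no document.cookie access from scripts
    morsel["samesite"] = "Strict"  # not sent along with cross-site requests
    if max_age is not None:
        morsel["max-age"] = max_age
    return morsel.OutputString()


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to an empty string."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return (cookie_name, findings), one finding per recommendation the
    header does not meet. An empty findings list means the header passes."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("Secure missing: cookie can be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: cookie readable from JavaScript")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax"):
        findings.append("SameSite missing: cookie sent on cross-site requests")
    elif samesite == "lax":
        findings.append("SameSite=Lax: recommendation is Strict")
    if "domain" in attrs:
        findings.append("Domain set: cookie shared with other hosts under "
                        + attrs["domain"])
    if attrs.get("path", "") in ("", "/"):
        findings.append("Path missing or /: cookie sent for every URL on the host")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("Expires/Max-Age set: persistent cookie survives "
                        "browser restart")
    return name, findings


# Constructed sample header that breaks most of the recommendations.
WEAK_HEADER = ("jsessionid=1234; Path=/; Domain=example.com; "
               "Expires=Wed, 01 Jan 2025 00:00:00 GMT")

if __name__ == "__main__":
    print(build_session_cookie("jsessionid", "1234", path="/app"))
    for finding in audit_set_cookie(WEAK_HEADER)[1]:
        print("-", finding)
```

The audit treats a missing Path the same as Path=/, since the recommendation is an explicit, restrictive path. Note that Path only limits which URLs the browser attaches the cookie to; it is not an isolation boundary between pages on the same host, so the Secure, HttpOnly and SameSite flags carry the real protective weight.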

