Cookie

Cookie
Cookie Attributes
Multiple Attributes
Ref

Cookie

Cookie is important for Web Application.

HTTP is stateless, so to keep user info (login, access etc…) client side data is key to check status.

But, we sometime use cookie without understanding. Also, these days, cookie is strict to use for tracking purpose.

Create Cookie

Server Response : Set-Cookie Header
Set-Cookie: cookie-name=cookie-value

Ex)

Multiple Cookies
HTTP/2.0 200 OK
Content-Type: text/html
Set-Cookie: key1=value1
Set-Cookie: key2=value2

Send Cookie

Server Request : Cookie Header

Cookie and Session Cookie

Session Cookie : Save into browser memory. So, remove cookie when close a browser.

If Expires, Max-Age are not set, this is session cookie

Cookie : Save into file in browser. Now clear when the user close a browser.

Cookie Attributes

Expires
Max-Age
Domain
Path
Secure
HttpOnly
SameSite

Expires

The maximum lifetime of the cookies as an HTTP-date timestamp.

Max-Age

Domain

Host to which the cookie will be sent
If set subdomain, pararent domain is rejected
If set parent domain, subdomain is included
Leading dots in domain names are ignored

Set-Cookie: cookie-name=coookie-value; Domain=example.com

Path

A path that must exist in the requested URL, or the browser won’t send the Cookie header

Set-Cookie: cookie-name=coookie-value; Path=/docs

Secure

Cookie is only sent to the server when a request is made with the https: scheme

Set-Cookie: cookie-name=coookie-value; Secure

HttpOnly

Forbids JavaScript from accessing the cookie
document.cookie

Set-Cookie: cookie-name=coookie-value; HttpOnly

SameSite

Controls whether a cookie is sent with cross-origin requests
Protect against cross-site request forgery attacks

Strict	The browser sends the cookie only for same-site requests If the request originated from a different URL than the current one, no cookies with the SameSite=Strict attribute are sent
Lax	The cookie is not sent on cross-site requests, such as calls to load images or frames, but is sent when a user is navigating to the origin site from an external site
None	The browser sends the cookie with both cross-site and same-site requests The Secure attribute must also be set

If you need to use cookie from other web site, need to use None

Set-Cookie: cookie-name=cookie-value; SameSite=None

Multiple Attributes

Add using ; as seprator

Set-Cookie: cookie-name=cookie-value; Domain=domain-value; Secure; HttpOnly

Ref

Set-Cookie MDN Web Docs