Home/Glossary/HTTP Cookie

HTTP Cookie

Small pieces of data stored by web browsers, used for session management, personalization, and tracking.

Web SecurityAlso called: "browser cookie", "web cookie"

Cookies enable stateful interactions over the stateless HTTP protocol.

Cookie attributes

  • Domain: Which domains can access the cookie.
  • Path: Which URL paths can access it.
  • Expires/Max-Age: When the cookie expires.
  • Secure: Only sent over HTTPS.
  • HttpOnly: Inaccessible to JavaScript (XSS protection).
  • SameSite: CSRF protection (Strict, Lax, None).

Types of cookies

  • Session: Deleted when browser closes.
  • Persistent: Saved until expiration date.
  • First-party: Set by the visited domain.
  • Third-party: Set by external domains (ads, analytics).

Use cases

  • Authentication tokens (session IDs).
  • Shopping cart persistence.
  • User preferences.
  • Analytics and tracking.

Security concerns

  • Session hijacking: Steal cookies to impersonate users.
  • CSRF: Force actions using victim's cookies.
  • XSS: Steal cookies via JavaScript.

Best practices

  • Set Secure and HttpOnly flags.
  • Use SameSite=Strict for sensitive cookies.
  • Encrypt sensitive cookie data.
  • Implement CSRF tokens.

Related Tools

Related Articles

View all articles
How to Extract and Analyze Cookies from Your Browser

How to Extract and Analyze Cookies from Your Browser

Learn how to view, export, and analyze HTTP cookies from Chrome, Firefox, Edge, and Safari using browser DevTools. Includes security analysis tips.

Read article →
What Do the Secure, HttpOnly, and SameSite Cookie Attributes Do?

What Do the Secure, HttpOnly, and SameSite Cookie Attributes Do?

Understand the critical security attributes for HTTP cookies—Secure, HttpOnly, and SameSite—and how they protect against XSS, CSRF, and man-in-the-middle attacks.

Read article →
What Does a GDPR Compliance Checker Scan For on Websites?

What Does a GDPR Compliance Checker Scan For on Websites?

Discover what automated GDPR compliance scanners analyze - from cookie consent and privacy policies to third-party trackers, SSL encryption, and data collection practices.

Read article →
What Are HTTP Cookies and Why Do Websites Use Them?

What Are HTTP Cookies and Why Do Websites Use Them?

Understand HTTP cookies—what they are, how they work, why websites need them, and the essential role they play in modern web applications and user experiences.

Read article →

Explore More Web Security

View all terms

CORS (Cross-Origin Resource Sharing)

A browser security mechanism that controls how web pages can request resources from different domains, preventing unauthorized cross-site data access.

Read more →

Cross-Site Request Forgery (CSRF)

An attack that tricks a victim into submitting unauthorized requests using their authenticated session.

Read more →

Cross-Site Scripting (XSS)

A web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.

Read more →

HTML Entity Encoding

A method of representing special characters in HTML using named or numeric references to prevent interpretation as code.

Read more →

HTTP Security Headers

Response headers that enable browser security protections against common web attacks.

Read more →

JSON Web Token (JWT)

A compact, URL-safe token format used to securely transmit claims between parties in web applications.

Read more →
Back to glossary