Cookies enable stateful interactions over the stateless HTTP protocol.
Cookie attributes
- Domain: Which hosts the browser sends the cookie to (the setting host and, if set explicitly, its subdomains).
- Path: Which URL paths the cookie is sent with.
- Expires/Max-Age: When the cookie expires; without either, it lasts only for the browser session.
- Secure: Only sent over HTTPS.
- HttpOnly: Not readable from JavaScript (document.cookie), which limits cookie theft through XSS.
- SameSite: Controls whether the cookie is attached to cross-site requests (Strict, Lax, None); mitigates CSRF.
Types of cookies
- Session: Deleted when browser closes.
- Persistent: Saved until expiration date.
- First-party: Set by the visited domain.
- Third-party: Set by external domains (ads, analytics).
Use cases
- Authentication tokens (session IDs).
- Shopping cart persistence.
- User preferences.
- Analytics and tracking.
Security concerns
- Session hijacking: Steal cookies to impersonate users.
- CSRF: Force actions using victim's cookies.
- XSS: Steal cookies via JavaScript.
Best practices
- Set Secure and HttpOnly flags.
- Use SameSite=Strict for sensitive cookies.
- Encrypt sensitive cookie data.
- Implement CSRF tokens.
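The attribute and best-practice lists above, as an added example that is not part of the original page: a helper that emits a session cookie with the recommended flags, and an audit function that checks any Set-Cookie value against them (the cookie name `sid` and the sample values are constructed; only the Python standard library is used).

```python
from http.cookies import SimpleCookie  # stdlib Set-Cookie builder/parser


def build_session_cookie(name: str, value: str, max_age: int = 3600,
                         samesite: str = "Strict") -> str:
    """Return a Set-Cookie header value following the best practices above."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["secure"] = True        # only sent over HTTPS
    morsel["httponly"] = True      # not readable via document.cookie (XSS)
    morsel["samesite"] = samesite  # not attached to cross-site requests (CSRF)
    morsel["max-age"] = max_age    # bounded lifetime instead of open-ended
    morsel["path"] = "/"
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> list[str]:
    """Return best-practice violations found in one Set-Cookie header value.

    An empty list means the cookie carries Secure, HttpOnly, a SameSite of
    Strict or Lax, and an explicit lifetime.
    """
    cookie = SimpleCookie()
    cookie.load(header_value)          # silently parses nothing if malformed
    if not cookie:
        return ["could not parse Set-Cookie value"]
    problems = []
    for name, morsel in cookie.items():
        if not morsel["secure"]:
            problems.append(f"{name}: missing Secure")
        if not morsel["httponly"]:
            problems.append(f"{name}: missing HttpOnly")
        samesite = str(morsel["samesite"]).lower()
        if samesite not in ("strict", "lax"):
            problems.append(
                f"{name}: SameSite is {samesite or 'unset'}, want Strict or Lax")
        if not morsel["max-age"] and not morsel["expires"]:
            problems.append(f"{name}: no Expires/Max-Age (session cookie)")
    return problems


if __name__ == "__main__":
    # Constructed examples: a weak cookie beside the hardened one.
    weak = "sid=abc123; Path=/"
    print(weak, "->", audit_set_cookie(weak))
    hardened = build_session_cookie("sid", "abc123")
    print(hardened, "->", audit_set_cookie(hardened))
```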