Question 1

What are HTTP cookies?

Accepted Answer

HTTP cookies are small data pieces stored by browsers, sent with every request to same domain. Used for: session management (login state), personalization (preferences), tracking (analytics, ads). Set via Set-Cookie header or JavaScript document.cookie. Contains: name, value, expiration, domain, path, security flags. Types: session cookies (temporary), persistent cookies (long-lived), first-party (same domain), third-party (different domain). GDPR requires consent for non-essential cookies.

Question 2

What is the HttpOnly flag?

Accepted Answer

HttpOnly flag prevents JavaScript access to cookies via document.cookie. Mitigates XSS attacks - stolen session cookies via script injection. Example: Set-Cookie: sessionid=abc123; HttpOnly. Cookie still sent in HTTP requests but hidden from client-side scripts. Essential for authentication cookies. Not bulletproof - XSS can still make authenticated requests (CSRF). Use with: Secure flag, SameSite, CSP. Check: browser DevTools Application tab shows HttpOnly column.

Question 3

What is the Secure flag?

Accepted Answer

Secure flag ensures cookies only transmitted over HTTPS, never unencrypted HTTP. Prevents eavesdropping on unsecured networks. Example: Set-Cookie: token=xyz789; Secure. Required for sensitive data (sessions, auth tokens, personal info). Modern browsers require Secure for SameSite=None cookies. Local development: use localhost (exempt) or HTTPS proxy. All production cookies should use Secure flag. HTTP sites cannot set Secure cookies.

Question 4

What is SameSite attribute?

Accepted Answer

SameSite prevents CSRF attacks by controlling when cookies sent in cross-site requests. Three values: Strict (never sent cross-site, safest), Lax (sent on top-level navigation GET, default), None (always sent, requires Secure flag). Example: Set-Cookie: id=123; SameSite=Strict. Use Strict for sensitive actions (banking), Lax for general sites, None for third-party integrations (OAuth, payment). Modern browsers default to Lax if omitted.

Question 5

How to set cookie expiration?

Accepted Answer

Two attributes: Expires (specific date) or Max-Age (seconds from now). Example: Expires=Wed, 21 Oct 2025 07:28:00 GMT or Max-Age=3600 (1 hour). Session cookies: omit both attributes, deleted when browser closes. Persistent cookies: set expiration. Security: short-lived tokens (minutes-hours), long-lived remember-me (days-weeks). Auto-renewal: refresh token before expiry. Privacy: GDPR limits persistent cookie duration. Use Max-Age (easier calculation).

Question 6

What are first-party vs third-party cookies?

Accepted Answer

First-party cookies: set by visited domain (example.com on example.com). Used for: sessions, preferences, analytics. Third-party cookies: set by different domain (ads.tracker.com on example.com). Used for: cross-site tracking, retargeting, analytics. Browser trends: Safari/Firefox block third-party by default, Chrome phasing out 2024-2025. Alternatives: first-party data collection, server-side tracking, Privacy Sandbox. GDPR requires explicit consent for non-essential cookies (both types).

Question 7

How to secure authentication cookies?

Accepted Answer

Best practices: 1) HttpOnly flag (prevent XSS theft). 2) Secure flag (HTTPS only). 3) SameSite=Strict or Lax (prevent CSRF). 4) Short expiration (15-60 min). 5) Prefix: __Host- or __Secure- (enforces Secure + domain restrictions). 6) Cryptographic signing (HMAC-SHA256). 7) Regenerate session ID after login. 8) Clear cookies on logout. Example: Set-Cookie: __Host-sessionid=abc; Secure; HttpOnly; SameSite=Strict; Max-Age=3600.

Question 8

What are cookie prefixes?

Accepted Answer

Cookie prefixes enforce security requirements: __Secure- prefix requires Secure flag and HTTPS. __Host- prefix requires: Secure flag, no Domain attribute (exact domain only), Path=/. Example: __Host-token=xyz forces most restrictive settings. Prevents: subdomain/related-domain cookie injection, downgrade attacks. Browser enforces requirements - invalid combinations rejected. Use __Host- for maximum security (auth tokens), __Secure- for general secure cookies. Not widely adopted yet but recommended.

Cookie Analyzer

Need Professional IT Services?

References & Citations

Key Security Terms

HTTP Cookie

Frequently Asked Questions