A cookie is a small piece of data that a web server sends to a user's browser, which stores it and includes it in subsequent requests to the same server. Cookies enable stateful interactions over the inherently stateless HTTP protocol. They are most commonly used for session management (keeping users logged in), personalization (storing preferences), and tracking (recording user behavior across pages).
How It Works
When a server wants to set a cookie, it includes a Set-Cookie header in its HTTP response. The header specifies the cookie's name, value, and optional attributes that control its behavior. The browser stores the cookie and automatically includes it in future requests to the same domain via the Cookie header.
Cookie security attributes are critical for preventing attacks. The Secure flag ensures the cookie is only sent over HTTPS connections, preventing interception over unencrypted networks. The HttpOnly flag prevents JavaScript from accessing the cookie via document.cookie, defending against XSS-based session theft. The SameSite attribute controls whether the cookie is sent with cross-site requests: Strict prevents cross-site sending entirely, Lax allows it only for top-level navigations (such as following a link), and None allows unrestricted cross-site sending (and requires the Secure flag, otherwise browsers reject the cookie).
The Domain attribute defines which domains receive the cookie, while the Path attribute restricts it to specific URL paths. The Expires or Max-Age attributes control the cookie's lifetime. Session cookies (without expiration) are deleted when the browser closes, while persistent cookies remain until their expiration date.
Why It Matters
Cookies are the primary mechanism for session management in web applications, making their security configuration essential. Missing HttpOnly flags enable session hijacking through XSS. Missing SameSite attributes can facilitate cross-site request forgery. Overly broad Domain settings can expose cookies to subdomains that may be less secure. Security assessments examine cookie attributes on every authenticated application to ensure sessions are properly protected.
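As an added example (not code from this page), the following Python audit applies the attribute checks described above to raw Set-Cookie header values, reporting the findings an assessment would raise; the list of session-cookie names and the sample headers are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Assumed names of cookies that carry a session and so must not be script-readable.
SESSION_NAMES = ("sessionid", "phpsessid", "jsessionid", "connect.sid")


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, object]]:
    """Split a Set-Cookie value into (name, value, attributes).
    Attribute names are case-insensitive; bare flags (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if part:
            key, has_value, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str) -> List[str]:
    """Return the findings for one Set-Cookie header (empty list means no issue)."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    secure = "secure" in attrs
    same_site = str(attrs.get("samesite", "")).lower()
    is_session = name.lower() in SESSION_NAMES
    if not secure:
        findings.append("missing Secure: cookie is also sent over plaintext HTTP")
    if is_session and "httponly" not in attrs:
        findings.append("missing HttpOnly: session cookie is readable via document.cookie")
    if not same_site:
        findings.append("missing SameSite: relies on the browser's default behaviour")
    elif same_site == "none" and not secure:
        findings.append("SameSite=None without Secure: browsers reject this cookie")
    if "domain" in attrs:  # a Domain attribute always includes every subdomain
        findings.append(f"Domain={attrs['domain']}: cookie is shared with all subdomains")
    if is_session and ("expires" in attrs or "max-age" in attrs):
        findings.append("persistent session cookie: survives browser close")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    sample = [
        "sessionid=abc123; Path=/; Domain=example.com",
        "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "tracker=xyz; SameSite=None; Max-Age=31536000",
    ]
    for header in sample:
        print(header, "->", audit_cookie(header) or ["ok"])
```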