Http cookies
From wikinotes
HTTP cookies are sent in HTTP response headers from a web server and stored by the browser,
which returns them on later requests to that server.
Historically, they were used for authentication and for session storage.
Documentation
- MDN using cookies https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
- MDN Set-Cookie https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
- RFC-6265 https://datatracker.ietf.org/doc/html/rfc6265
- RFC-6265-Attributes https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.2
- IETF-RFC-6265-05-draft https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-05
Rules
- only one Set-Cookie per HTTP request
- At least 4096 bytes per cookie (name+value+attributes)
- At least 50 cookies per domain
- At least 3000 cookies total
Security Concerns
- Cookies only distinguish hostnames (and, with Domain, their subdomains)
- Cookies are shared by all ports on the same server
- Cookies are shared by all schemes (http/https) on the same server unless Secure is set
- Cookies may not be strictly restricted by their designated path; Path is a prefix match, not a security boundary
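As an added example (not part of the original notes), the Python below implements the RFC 6265 domain-match and path-match rules that decide whether a stored cookie is attached to a request, so the concerns above can be checked concretely. The Cookie class, helper names and sample URLs are assumptions of this example; the IP-literal check is simplified. It shows that the port never enters the decision, the scheme matters only when Secure is set, and path matching is a prefix test on '/' boundaries.

```python
"""Cookie scoping per RFC 6265 sections 5.1.3, 5.1.4 and 5.4 (added example)."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str          # host the cookie was set for (lower-case, no port)
    path: str            # Path attribute, or the default-path if the server gave none
    host_only: bool      # True when the Set-Cookie carried no Domain attribute
    secure: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: exact match, or request host is a subdomain of cookie domain."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    # subdomain match; IPv4 literals never domain-match (simplified check, an assumption)
    return (request_host.endswith("." + cookie_domain)
            and not request_host.replace(".", "").isdigit())


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: prefix match that only ends on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4: directory of the request URI, or '/' when there is none."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]


def cookie_applies(cookie: Cookie, url: str) -> bool:
    """RFC 6265 5.4: would the browser attach this cookie to a request for url?
    Note what is NOT consulted: the port, and the scheme unless Secure is set."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if cookie.host_only:
        if host != cookie.domain:       # host-only cookies never go to subdomains
            return False
    elif not domain_matches(host, cookie.domain):
        return False
    if not path_matches(path, cookie.path):
        return False
    if cookie.secure and parts.scheme != "https":
        return False
    return True


if __name__ == "__main__":
    # constructed sample: cookie set by https://example.com/app/login with no Path/Domain
    sid = Cookie("sid", "x", "example.com", default_path("/app/login"), host_only=True)
    print("other port, plain http:", cookie_applies(sid, "http://example.com:8080/app/settings"))
    print("/application:", cookie_applies(sid, "https://example.com/application"))
```

Running it prints True for the first line: a cookie set over HTTPS on port 443 is sent to port 8080 over plain HTTP, because nothing but Secure distinguishes schemes and nothing distinguishes ports. The second line is False only because the path prefix stops at a '/' boundary; a page under /app/other would still receive it.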
Usage
Set/Submit Cookie
    # HTTP header 'Set-Cookie' informs the browser to save a cookie
    Set-Cookie: name=value
    # HTTP header 'Cookie' is sent automatically by the browser with subsequent requests (GET included)
    Cookie: name=value
Cookie Attributes
    # example
    Set-Cookie: id=asdf; Max-Age=60; Secure; HttpOnly

    # Common Attributes
    SameSite=Strict   # only send the cookie with requests originating from the same site
    SameSite=Lax      # also send it when the user navigates to the site (top-level navigation)
    SameSite=None     # always send it, cross-site included; requires Secure
    Path=/            # all subdirectories receive the cookie
    Max-Age=3600      # seconds the cookie is valid
    Expires=Thu, 31 Oct 2021 07:28:00 GMT   # expires at the given datetime
    Secure            # only send the cookie over HTTPS
    HttpOnly          # inaccessible to JavaScript (document.cookie)

    # Other Attributes
    Domain=           # include the cookie in requests for this domain and its subdomains
Cookie Prefixes
Cookie values can be set with prefixes that further restrict their usage.
    Set-Cookie: __Secure-ID=123; Secure; Domain=example.com
    __Secure-{cookiename}   # accepted only when: Secure is set, and the cookie was set from a secure (HTTPS) origin
    __Host-{cookiename}     # accepted only when: Secure is set, set from a secure origin, Domain not set, Path=/
    # a browser rejects a prefixed Set-Cookie that does not meet its prefix's rules
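As an added example serving both the attributes and the prefix sections above (not from the original notes), the Python below parses a Set-Cookie header and audits it the way a defender reviewing a server's responses would: it flags missing Secure, HttpOnly and SameSite, the SameSite=None-without-Secure combination, and any violation of the __Secure- and __Host- prefix rules. The parser, the audit function and the set_over_https flag are this example's own constructions; the sample headers are constructed.

```python
"""Audit Set-Cookie headers for weak attributes and cookie-prefix violations (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SetCookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or None for flag attributes such as Secure
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> SetCookie:
    """Split 'name=value; Attr=val; Flag' as in RFC 6265 section 5.2.
    The cookie value is kept verbatim (no unquoting), which is all the audit needs."""
    segments = [s.strip() for s in header.split(";")]
    name, sep, value = segments[0].partition("=")
    if not sep or not name.strip():
        raise ValueError("Set-Cookie must begin with name=value")
    cookie = SetCookie(name.strip(), value.strip())
    for seg in segments[1:]:
        if not seg:
            continue
        attr, has_value, val = seg.partition("=")
        cookie.attrs[attr.strip().lower()] = val.strip() if has_value else None
    return cookie


def audit(header: str, set_over_https: bool = True) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means it passed.
    set_over_https records whether the response carrying the header arrived over HTTPS,
    which the prefix rules depend on (a constructed flag for this example)."""
    c = parse_set_cookie(header)
    a = c.attrs
    findings: List[str] = []
    secure = "secure" in a
    same_site = (a.get("samesite") or "").lower()

    # attribute hygiene: a session-bearing cookie should carry all three
    if not secure:
        findings.append("missing Secure: cookie is also sent over plain http")
    if "httponly" not in a:
        findings.append("missing HttpOnly: readable from script via document.cookie")
    if not same_site:
        findings.append("missing SameSite: behaviour depends on the browser default")
    elif same_site == "none" and not secure:
        findings.append("SameSite=None requires Secure; browsers reject the cookie otherwise")
    elif same_site not in ("strict", "lax", "none"):
        findings.append(f"unknown SameSite value {a['samesite']!r}")

    # prefix rules: a browser silently drops a prefixed cookie that breaks them
    if c.name.startswith("__Host-"):
        if not secure:
            findings.append("__Host- requires Secure")
        if "domain" in a:
            findings.append("__Host- forbids Domain (cookie is bound to the setting host only)")
        if a.get("path") != "/":
            findings.append("__Host- requires Path=/")
        if not set_over_https:
            findings.append("__Host- cookies must be set from a secure origin")
    elif c.name.startswith("__Secure-"):
        if not secure:
            findings.append("__Secure- requires Secure")
        if not set_over_https:
            findings.append("__Secure- cookies must be set from a secure origin")
    return findings


if __name__ == "__main__":
    # constructed sample headers
    for h in ("id=asdf; Max-Age=60; Secure; HttpOnly",
              "__Host-sid=abc; Secure; HttpOnly; Path=/; SameSite=Strict",
              "__Host-sid=abc; Secure; Domain=example.com"):
        print(h, "->", audit(h) or "ok")
```

The __Host- cookie is the strongest shape for a session identifier: with Domain forbidden and Path pinned to /, it can only be set by, and sent to, the exact host over HTTPS, which removes the port-, scheme- and subdomain-sharing problems listed under Security Concerns. Run the audit over every Set-Cookie line in a captured response to see which cookies fall short.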