HTTP cookies

From wikinotes

HTTP cookies are set by a web server with the Set-Cookie response header and stored by the browser,
which sends them back in the Cookie request header on every later request that matches the
cookie's host, path and other attributes.

They are the usual carrier for session identifiers (and therefore for authentication state),
and are also used for preferences and tracking.

Documentation

MDN using cookies https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
MDN Set-Cookie https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
RFC-6265 https://datatracker.ietf.org/doc/html/rfc6265
RFC-6265-Attributes https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.2
IETF-RFC-6265-05-draft https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-05

Rules

  • one cookie per Set-Cookie header; a response may carry several Set-Cookie headers, but unlike other headers they must not be folded into one comma-separated line (RFC 6265 §3)
  • user agents should store at least 4096 bytes per cookie (name+value+attributes); larger cookies may be dropped silently
  • at least 50 cookies per domain
  • at least 3000 cookies total (RFC 6265 §6.1 minimums; beyond them browsers evict older cookies)

Security Concerns

  • Cookies only distinguish hostnames (plus Path, which is not a security boundary)
    • Cookies are shared by all ports on the same host (RFC 6265 §8.5): https://example.com:443 and http://example.com:8080 see the same cookie jar
    • Cookies are shared by all schemes (http/https) on the same host; only the Secure attribute keeps a cookie set over https off plain-http requests, and a plain-http response (or an attacker on the path) can still set a cookie of the same name that the server cannot tell apart, because the Cookie header carries no attributes. This is what the __Host-/__Secure- prefixes below address
    • Path is not a security boundary: the same-origin policy is keyed on scheme, host and port, not path, so script on /a can read cookies scoped to /b through a same-origin frame (RFC 6265 §8.6)
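To make the "hostname only" point concrete, here is the host, path and Secure part of the RFC 6265 §5.4 cookie-selection algorithm, as an added example (not code from this page) in JavaScript, run over a constructed cookie jar. The port never appears in the matching, and the scheme matters only through the Secure flag.

```javascript
// Added example (not from this page): the part of the RFC 6265 §5.4
// cookie-selection algorithm that decides which stored cookies a browser
// attaches to a request. Note what it does not look at: the port, and the
// scheme except through the Secure flag. The cookie jar is constructed data.

// §5.1.3 domain-match. A host-only cookie (set without a Domain attribute)
// matches the exact host; a Domain cookie also matches subdomains.
function domainMatches(requestHost, cookie) {
  const host = requestHost.toLowerCase();
  const domain = cookie.domain.toLowerCase();
  if (cookie.hostOnly) return host === domain;
  return host === domain || host.endsWith("." + domain);
}

// §5.1.4 path-match: equal, or cookie-path is a prefix ending in "/",
// or a prefix followed by "/" in the request path ("/app" matches "/app/x"
// but not "/apple").
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Returns the cookies the browser would put in the Cookie header for `url`.
// `url` is parsed with the WHATWG URL class built into Node.
function cookiesFor(jar, url) {
  const u = new URL(url);
  return jar.filter(c =>
    domainMatches(u.hostname, c) &&
    pathMatches(u.pathname, c.path) &&
    (!c.secure || u.protocol === "https:"));
}

// Constructed jar, as if set by responses from https://example.com/ (port 443):
const jar = [
  // plain session cookie, host-only, no Secure
  { name: "sid",  value: "abc", domain: "example.com", hostOnly: true,  path: "/",    secure: false },
  // same but Secure: the only thing keeping it off plain-http requests
  { name: "tok",  value: "xyz", domain: "example.com", hostOnly: true,  path: "/",    secure: true  },
  // Domain=example.com and Path=/app: also sent to subdomains
  { name: "wide", value: "1",   domain: "example.com", hostOnly: false, path: "/app", secure: false },
];

// Cookie names the browser would send to a given URL.
const names = (url) => cookiesFor(jar, url).map(c => c.name);

// A different port on plain http still receives "sid"; only "tok" is withheld.
// names("http://example.com:8080/")    -> ["sid"]
// names("https://example.com/app/x")   -> ["sid", "tok", "wide"]
// names("https://example.com/apple")   -> ["sid", "tok"]
// names("https://api.example.com/app") -> ["wide"]
```

The practical consequence: a service listening on another port of the same host, or a plain-http listener, receives every non-Secure cookie the https site set, so an attacker who controls any port on the host (or who can answer a plain-http request to it) gets the session cookie unless it is marked Secure.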

Usage

Set/Submit Cookie

# The 'Set-Cookie' response header tells the browser to store a cookie
Set-Cookie: name=value

# The browser then adds a 'Cookie' header to every later request (not only GET) that
# matches the cookie's host, path, Secure and SameSite rules; several cookies are
# joined with '; ', and the attributes are never sent back, only name=value
Cookie: name=value; other=value2

Cookie Attributes

# example
Set-Cookie: id=asdf; Max-Age=60; Secure; HttpOnly
# Common Attributes
SameSite=Strict/Lax/None               # Strict(sent only on same-site requests) Lax(also sent on top-level navigations with safe methods such as GET; the default in Chromium-based browsers when omitted) None(sent on cross-site requests too; requires Secure or the cookie is rejected)
Path=/                                 # Sent for request paths starting with this prefix; Path=/ means every path. Defaults to the directory of the URL that set the cookie
Max-Age=3600                           # Seconds until the cookie expires; takes precedence over Expires when both are present
Expires=Thu, 31 Oct 2021 07:28:00 GMT  # Absolute expiry. With neither Max-Age nor Expires the cookie is a session cookie, dropped when the browser closes

Secure                                 # Only send cookie over HTTPS
HttpOnly                               # Not readable from document.cookie (limits cookie theft via XSS); the browser still attaches it to fetch/XHR requests, so XSS can still act with the session

# Other Attributes
Domain=example.com   # Also send the cookie to subdomains (api.example.com, ...). Omitting Domain makes the cookie host-only, sent to the exact setting host only, which is the stricter choice

Cookie Prefixes

Cookie names can carry a prefix that the browser enforces as a further restriction on how the cookie may be set (rfc6265bis §4.1.3, supported by all current browsers). The prefix is part of the name, so the server sees it in the Cookie header and knows the browser only stored it under those conditions.

Set-Cookie: __Secure-ID=123; Secure; Domain=example.com
Set-Cookie: __Host-ID=123; Secure; Path=/

__Secure-{cookiename}  # stored only if: Secure is set and the cookie was set from a secure (https) origin
__Host-{cookiename}    # stored only if: Secure is set, from a secure origin, no Domain attribute (host-only) and Path=/; so it cannot be set or shadowed by a subdomain or by a plain-http page
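As an added example (not code from this page), the checks a browser applies to an incoming Set-Cookie header before storing it, in JavaScript: parse the name, value and attributes, enforce the __Secure-/__Host- prefix rules and the "SameSite=None requires Secure" rule from the rfc6265bis draft linked above, and build the hardened session-cookie header those rules allow. The header strings and the `fromSecureOrigin` flag are constructed inputs; `parseSetCookie`, `rejectReason` and `sessionCookieHeader` are hypothetical helper names, not browser or library APIs.

```javascript
// Added example (not from this page): parse a Set-Cookie header into
// name/value/attributes and apply the storage checks a modern browser applies:
// the __Secure-/__Host- prefix rules (rfc6265bis §4.1.3), "SameSite=None
// requires Secure", and "an insecure origin may not set a Secure cookie"
// (rfc6265bis §5.5 storage model). All inputs below are constructed samples.

function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  if (eq <= 0) throw new Error("Set-Cookie needs a non-empty name=value");
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    secure: false,
    httpOnly: false,
    domain: null,    // null = host-only cookie (no Domain attribute)
    path: null,      // null = default-path derived from the request URL
    sameSite: null,
    maxAge: null,
    expires: null,
  };
  for (const raw of rest) {
    const [k, ...v] = raw.trim().split("=");
    const key = k.trim().toLowerCase();   // attribute names are case-insensitive
    const val = v.join("=").trim();
    switch (key) {
      case "secure":   cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "domain":   cookie.domain = val.replace(/^\./, "").toLowerCase(); break;
      case "path":     cookie.path = val; break;
      case "samesite": cookie.sameSite = val.toLowerCase(); break;
      case "max-age":  cookie.maxAge = Number(val); break;
      case "expires":  cookie.expires = val; break;
      default: break;   // unknown attributes are ignored (RFC 6265 §5.2)
    }
  }
  return cookie;
}

// Returns null if the browser would store the cookie, otherwise the reason
// it rejects it. `fromSecureOrigin` is whether the response came over https.
function rejectReason(cookie, fromSecureOrigin) {
  if (cookie.name.startsWith("__Secure-") && (!cookie.secure || !fromSecureOrigin)) {
    return "__Secure- requires Secure and a secure origin";
  }
  if (cookie.name.startsWith("__Host-")) {
    if (!cookie.secure || !fromSecureOrigin) return "__Host- requires Secure and a secure origin";
    if (cookie.domain !== null) return "__Host- forbids Domain";
    if (cookie.path !== "/") return "__Host- requires Path=/";
  }
  if (cookie.sameSite === "none" && !cookie.secure) return "SameSite=None requires Secure";
  if (cookie.secure && !fromSecureOrigin) return "Secure cookie cannot be set from an insecure origin";
  return null;
}

// The header a server should emit for a session cookie: __Host- prefix,
// Secure, HttpOnly, SameSite=Lax, Path=/ and no Domain, so no subdomain or
// plain-http page can plant a cookie of the same name (session fixation).
function sessionCookieHeader(name, value, maxAgeSeconds) {
  return `__Host-${name}=${value}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Lax`;
}
```

Server-side, the matching check is simply to read the session from the `__Host-`-prefixed name and nothing else; any cookie of that name that reaches the server was stored under the prefix's conditions, so it cannot have been planted by a sibling subdomain or over plain http.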