HTTP Using cookies

A cookie is a small piece of data that a server sends to a user’s web browser.

Cookies are mainly used for three purposes:

Session management
Logins, shopping carts, game scores, or anything else the server should remember

Personalization
User preferences, themes, and other settings

Tracking
Recording and analyzing user behavior

Cookies are sent with every request, so they can worsen performance.

Creating cookies

After receiving an HTTP request, a server can send one or more Set-Cookie headers with the response. The browser usually stores the cookie and sends it with requests made to the same server inside a Cookie HTTP header.

Set-Cookie: <cookie-name>=<cookie-value>

HTTP/2.0 200 OK
Content-Type: text/html
Set-Cookie: yummy_cookie=choco
Set-Cookie: tasty_cookie=strawberry

[page content]

GET /sample_page.html HTTP/2.0
Host: www.example.org
Cookie: yummy_cookie=choco; tasty_cookie=strawberry

You can specify an expiration date or time period after which the cookie should be deleted and no longer sent. Cookies can be either permanent or session cookies.

Set-Cookie: id=a3fWa; Expires=Thu, 31 Oct 2021 07:28:00 GMT;

Session cookies (cookies without a Max-Age or Expires attribute) are deleted when the current session ends.

Restrict access to cookies

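You can ensure that cookies are sent securely and aren’t accessed by unintended parties or scripts with two attributes: Secure and HttpOnly. A cookie with the Secure attribute is sent only over HTTPS, and a cookie with the HttpOnly attribute cannot be read by JavaScript through document.cookie.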

Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly

SameSite attribute

The SameSite attribute lets servers specify whether/when cookies are sent with cross-site requests. This provides some protection against cross-site request forgery attacks (CSRF).

Set-Cookie: mykey=myvalue; SameSite=Strict
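
Added example (not part of the original page): a small Python auditor that parses Set-Cookie header values and reports which of the attributes covered above (Expires/Max-Age, Secure, HttpOnly, SameSite) are missing. The function names and the "tracker" sample are constructed for illustration; the other samples are the headers shown on this page.

```python
def parse_set_cookie(value):
    """Split a Set-Cookie header value into (name, cookie_value, attrs)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as Secure have no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs


def audit_set_cookie(value):
    """Return the cookie name, its lifetime class, and a list of findings."""
    name, _, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable via document.cookie")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax", "none"):
        findings.append("missing or invalid SameSite: browser default applies")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers may reject the cookie")
    # No Expires and no Max-Age means a session cookie.
    persistent = "expires" in attrs or "max-age" in attrs
    return {"name": name,
            "lifetime": "persistent" if persistent else "session",
            "findings": findings}


# Headers from this page, plus one constructed case.
SAMPLES = [
    "yummy_cookie=choco",
    "id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly",
    "mykey=myvalue; SameSite=Strict",
    "tracker=abc123; Max-Age=3600; SameSite=None",  # constructed sample
]

if __name__ == "__main__":
    for header in SAMPLES:
        report = audit_set_cookie(header)
        print(f"{report['name']} ({report['lifetime']})")
        for finding in report["findings"]:
            print("  -", finding)
```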

Third-party cookies

If the domain and scheme are different, the cookie is not considered to be from the same site, and is referred to as a third-party cookie. While the server hosting a web page sets first-party cookies, the page may contain components stored on servers in other domains, such as images or other documents embedded in

Typical use cases for third-party cookies include sharing user profile information or collecting analytics across different related domains. They are also often used for advertising and tracking users across the web.