An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.
Cookies are mainly used for three purposes:
Cookies were once used for general client-side storage. While this was legitimate when they were the only way to store data on the client, it is now recommended to use modern storage APIs. Cookies are sent with every request, so they can worsen performance (especially for mobile data connections). Modern APIs for client storage are the Web Storage API (
sessionStorage) and IndexedDB.
To see stored cookies (and other storage that a web page can use), you can enable the Storage Inspector in Developer Tools and select Cookies from the storage tree.
After receiving an HTTP request, a server can send one or more
Set-Cookie headers with the response. The cookie is usually stored by the browser, and then the cookie is sent with requests made to the same server inside a
Cookie HTTP header. An expiration date or duration can be specified, after which the cookie is no longer sent. Additional restrictions to a specific domain and path can be set, limiting where the cookie is sent. For details about the header attributes mentioned below, refer to the
Set-Cookie reference article.
Set-Cookie HTTP response header sends cookies from the server to the user agent. A simple cookie is set like this:
This shows the server sending headers to tell the client to store a pair of cookies:
HTTP/2.0 200 OK Content-Type: text/html Set-Cookie: yummy_cookie=choco Set-Cookie: tasty_cookie=strawberry [page content]
GET /sample_page.html HTTP/2.0 Host: www.example.org Cookie: yummy_cookie=choco; tasty_cookie=strawberry
Set-Cookieheader in various server-side applications:
The lifetime of a cookie can be defined in two ways:
Expiresattribute, or after a period of time specified by the
Set-Cookie: id=a3fWa; Expires=Thu, 31 Oct 2021 07:28:00 GMT;
Note: When an
Expires date is set, the time and date set is relative to the client the cookie is being set on, not the server.
If your site authenticates users, it should regenerate and resend session cookies, even ones that already exist, whenever the user authenticates. This technique helps prevent session fixation attacks, where a third party can reuse a user's session.
There are a couple of ways to ensure that cookies are sent securely and are not accessed by unintended parties or scripts: the
Secure attribute and the
A cookie with the
Secure attribute is sent to the server only with an encrypted request over the HTTPS protocol, never with unsecured HTTP (except on localhost), and therefore can't easily be accessed by a man-in-the-middle attacker. Insecure sites (with
http: in the URL) can't set cookies with the
Secure attribute. However, do not assume that
HttpOnly attribute is not set).
A cookie with the
HttpOnly attribute. This precaution helps mitigate cross-site scripting (XSS) attacks.
Here is an example:
Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly
Path attributes define the scope of the cookie: what URLs the cookies should be sent to.
Domain attribute specifies which hosts are allowed to receive the cookie. If unspecified, it defaults to the same origin that set the cookie, excluding subdomains. If
Domain is specified, then subdomains are always included. Therefore, specifying
Domain is less restrictive than omitting it. However, it can be helpful when subdomains need to share information about a user.
For example, if
Domain=mozilla.org is set, then cookies are available on subdomains like
Path attribute indicates a URL path that must exist in the requested URL in order to send the
Cookie header. The
%x2F ("/") character is considered a directory separator, and subdirectories match as well.
For example, if
Path=/docs is set, these paths match:
SameSite attribute lets servers require that a cookie shouldn't be sent with cross-origin requests (where Site is defined by the registrable domain), which provides some protection against cross-site request forgery attacks (CSRF).
It takes three possible values:
Strict, the cookie is sent only to the same site as the one that originated it;
Lax is similar, with an exception for when the user navigates to a URL from an external site, such as by following a link;
None has no restrictions on cross-site requests.
Here is an example:
Set-Cookie: mykey=myvalue; SameSite=Strict
The values of
SameSite attribute are case-insensitive.
Browsers are migrating to have cookies default to
SameSite=Lax. If a cookie is needed to be sent cross-origin, opt out of the SameSite restriction by using the
None directive. The
None directive requires that the
Secure attribute also be used.
The design of the cookie mechanism is such that a server is unable to confirm that a cookie was set on a secure origin or even to tell where a cookie was originally set.
A vulnerable application on a sub-domain can set a cookie with the
Domain attribute, which gives access to that cookie on all other subdomains. This mechanism can be abused in a session fixation attack. See session fixation for primary mitigation methods.
As a defence-in-depth measure, however, it is possible to use cookie prefixes to assert specific facts about the cookie. Two prefixes are available:
Set-Cookieheader only if it is also marked with the
Secureattribute, was sent from a secure origin, does not include a
Domainattribute, and has the
Pathattribute set to
/. In this way, these cookies can be seen as "domain-locked".
Set-Cookieheader only if it is marked with the
Secureattribute and was sent from a secure origin. This is weaker than the
Cookies with these prefixes that are not compliant with their restrictions are rejected by the browser. Note that this ensures that if a subdomain were to create a cookie with a prefix, it would either be confined to the subdomain or be ignored completely. As the application server checks for a specific cookie name only when determining if the user is authenticated or a CSRF token is correct, this effectively acts as a defence measure against session fixation.
On the application server, the web application must check for the full cookie name including the prefix—user agents do not strip the prefix from the cookie before sending it in a request's
For more information about cookie prefixes and the current state of browser support, see the Prefixes section of the Set-Cookie reference article.
HttpOnly flag is not set.
document.cookie = "yummy_cookie=choco"; document.cookie = "tasty_cookie=strawberry"; console.log(document.cookie); // logs "yummy_cookie=choco; tasty_cookie=strawberry"
Information should be stored in cookies with the understanding that all cookie values are visible to, and can be changed by, the end-user. Depending on the application, it may be desirable to use an opaque identifier which is looked-up by the server or to investigate alternative authentication/confidentiality mechanisms such as JSON Web Tokens.
Ways to mitigate attacks involving cookies:
SameSiteattribute set to
Lax. (See SameSite cookies, above.) In browsers that support SameSite, this has the effect of ensuring that the authentication cookie is not sent with cross-origin requests, so such a request is effectively unauthenticated to the application server.
A cookie is associated with a domain. If this domain is the same as the domain of the page you are on, the cookie is called a first-party cookie. If the domain is different, it is a third-party cookie. While the server hosting a web page sets first-party cookies, the page may contain images or other components stored on servers in other domains (for example, ad banners), which may set third-party cookies. These are mainly used for advertising and tracking across the web. See for example the types of cookies used by Google. A third party server can build up a profile of a user's browsing history and habits based on cookies sent to it by the same browser when accessing multiple sites. Firefox, by default, blocks third-party cookies that are known to contain trackers. Third-party cookies (or just tracking cookies) may also be blocked by other browser settings or extensions. Cookie blocking can cause some third-party components (such as social media widgets) to not function as intended.
These regulations have global reach, because they apply to any site on the World Wide Web that is accessed by users from these jurisdictions (the EU and California, with the caveat that California's law applies only to entities with gross revenue over 25 million USD, among other things.)
These regulations include requirements such as:
Another approach to storing data in the browser is the Web Storage API. The window.sessionStorage and window.localStorage properties correspond to session and permanent cookies in duration, but have larger storage limits than cookies, and are never sent to a server. More structured and larger amounts of data can be stored using the IndexedDB API, or a library built on it.
© 2005–2020 Mozilla and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.