1 - Creating Cookies: 2 methods

  • Use JavaScript: assign to document.cookie in the console
  • Use the web server: send a Set-Cookie response header
  • Once set, a cookie is sent with every request that falls within its scope

    • testing URL: example.com
    • in the console, enter document.cookie="example=1" to add a cookie
    • check Application > Cookies in the devtools to see the stored cookie
  • Cookie Scope

    • Domain - set with the domain attribute
      • document.cookie="cookieExample=1; domain=.example.com"
      • domain=.example.com makes the cookie available on every subdomain, similar to *.example.com
      • You can see the cookie under the request headers
    • Path - set with the path attribute
      • req: document.cookie="examplePath1=1; path=/path1"
      • "examplePath1=1; path=/path1"
      • req: document.cookie="examplePath2=2; path=/path2"
      • "examplePath2=2; path=/path2"
  • Expires, Max-Age

    • In console req: document.cookie="tempCookie=9; max-age=3"
      • max-age=3 means the cookie expires 3 seconds after it is set
  • SameSite

    • document.cookie="superSecretCookie=2; samesite=strict"
    • document.cookie="laxCookie=1; samesite=lax"
  • Session cookie - no Expires or Max-Age; cleared when the browser is closed
  • Permanent cookie - persists until the expiry set with Max-Age or Expires
  • HttpOnly cookie - cannot be read from JavaScript via document.cookie

      res.setHeader("set-cookie", ["setFromServer=6", "canNotSeeThis=1; httponly"])
    
  • Secure cookie - only sent over HTTPS
  • Third-party cookie - set by a site other than the one being visited
  • Zombie cookie - re-created automatically after the user deletes it
    • the server can still recognise the browser, e.g. via ETags
    • ETags are an HTTP caching mechanism
  • Stealing cookies
  • Cross-site request forgery
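The scope, expiry, SameSite, Secure and HttpOnly rules listed above, modelled in a short Node.js script. This is an added example, not code from the original notes: hostnames, cookie names and values are constructed, and the jar is seeded from the document.cookie strings used above plus two extra cookies. Beyond the notes, it also shows which cookies a cross-site request would carry, which is what SameSite relies on to limit cross-site request forgery.

```javascript
// Added example (not from the original notes): a small model of the rules a
// browser applies when choosing which stored cookies to attach to a request
// (Domain, Path, Secure, Max-Age/Expires, SameSite) and which of those cookies
// page scripts can read through document.cookie. All names and values are constructed.

// Parse one Set-Cookie value into a cookie record. `requestHost` is the host
// that set the cookie (the host-only default); `now` is ms since the epoch.
function parseSetCookie(header, requestHost, now = Date.now()) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: requestHost.toLowerCase(),
    hostOnly: true,     // no Domain attribute: sent to this exact host only
    path: '/',
    secure: false,
    httpOnly: false,
    sameSite: 'lax',    // what Chrome assumes when the attribute is absent
    expires: null,      // null = session cookie, dropped when the browser closes
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    switch (key) {
      case 'domain':    // leading dot is ignored: domain=.example.com == domain=example.com
        cookie.domain = val.replace(/^\./, '').toLowerCase();
        cookie.hostOnly = false;
        break;
      case 'path': cookie.path = val.startsWith('/') ? val : '/'; break;
      case 'max-age': cookie.expires = now + Number(val) * 1000; break; // Max-Age overrides Expires
      case 'expires': if (cookie.expires === null) cookie.expires = Date.parse(val); break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = val.toLowerCase(); break;
    }
  }
  return cookie;
}

// Domain attribute: the host itself or any subdomain; host-only: exact match.
function domainMatches(host, c) {
  return c.hostOnly ? host === c.domain : host === c.domain || host.endsWith('.' + c.domain);
}

// RFC 6265 path match: identical, or a prefix that ends on a "/" boundary
// (so path=/path1 matches /path1/x but not /path10).
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// context: 'same-site' (request made by a page on the same site),
// 'cross-site-navigation' (top-level navigation, e.g. a link clicked on another site),
// 'cross-site-subrequest' (form POST, fetch or image load initiated by another site).
function sameSiteAllows(c, context) {
  if (context === 'same-site' || c.sameSite === 'none') return true;
  if (c.sameSite === 'lax') return context === 'cross-site-navigation';
  return false;   // strict: never attached to a request coming from another site
}

function cookiesForRequest(jar, url, { now = Date.now(), context = 'same-site' } = {}) {
  const u = new URL(url);
  return jar.filter((c) =>
    domainMatches(u.hostname, c) &&
    pathMatches(u.pathname, c.path) &&
    (!c.secure || u.protocol === 'https:') &&
    (c.expires === null || c.expires > now) &&
    sameSiteAllows(c, context));
}

// The Cookie request header the browser would send for this request.
function cookieHeader(jar, url, opts) {
  return cookiesForRequest(jar, url, opts).map((c) => `${c.name}=${c.value}`).join('; ');
}

// What document.cookie returns on that page: HttpOnly cookies are filtered out,
// so page scripts (including an injected one) cannot read them.
function documentCookie(jar, url, opts) {
  return cookiesForRequest(jar, url, opts)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`).join('; ');
}

// Constructed jar: the Set-Cookie strings from the notes plus two extras, all set by https://example.com at T0.
const T0 = Date.UTC(2024, 0, 1);
const jar = [
  'cookieExample=1; domain=.example.com',
  'examplePath1=1; path=/path1',
  'examplePath2=2; path=/path2',
  'tempCookie=9; max-age=3',
  'superSecretCookie=2; samesite=strict',
  'laxCookie=1; samesite=lax',
  'canNotSeeThis=1; httponly',
  'onlyTls=1; secure',
  'thirdParty=1; samesite=none; secure',
].map((h) => parseSetCookie(h, 'example.com', T0));

console.log('Cookie header   :', cookieHeader(jar, 'https://example.com/', { now: T0 }));
console.log('document.cookie :', documentCookie(jar, 'https://example.com/', { now: T0 }));
console.log('subdomain       :', cookieHeader(jar, 'https://sub.example.com/path1/x', { now: T0 }));
console.log('after 4 seconds :', cookieHeader(jar, 'https://example.com/', { now: T0 + 4000 }));
console.log('cross-site POST :', cookieHeader(jar, 'https://example.com/', { now: T0, context: 'cross-site-subrequest' }));
```

Run it with `node cookies.js`. The last line is the CSRF-relevant one: with Lax as the default and the session cookie marked Strict, a form POST or fetch launched from another site carries only the cookie explicitly marked `samesite=none; secure`.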

Install Express

npm install express --save