Notes
- Your session identifier should always be passed in a cookie, not stored in local storage
Flags
The Secure Flag
Set-Cookie: name=value; Secure
- Ensures the cookie will only be sent over HTTPS
HTTPOnly Flag
Set-Cookie: name=value; HttpOnly
- The cookie is still sent to the server with every request, but client-side script (e.g. document.cookie) cannot read it
Persistence
Set-Cookie: name=value; Expires=Wed, 01 Jan 2025 00:00:00 GMT
- If a cookie does not delete after a session is closed it is considered persistent
- If the cookie carries user data (such as a session identifier), do not make it persistent
Domain
Set-Cookie: name=value; Domain=app.NotMyDomain.com
- By default the cookie is only sent back to the exact host that set it; you must explicitly set Domain to make it available to a parent domain and its subdomains (a cookie cannot be set for an unrelated domain)
Path
Set-Cookie: name=value; Path=/test
- Restricts the cookie to requests whose URL path starts with the given path on your host
Same-Site
Set-Cookie: name=value; SameSite=Strict (or SameSite=Lax)
- Controls whether the cookie is sent on cross-site requests: Strict never sends it cross-site; Lax sends it only on top-level navigations that use a safe method such as GET
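As an added example (not part of the original notes), a small checker that parses a Set-Cookie header and reports which of the flags above are missing or misused for a session cookie. The header strings and the cookie name sid are constructed for this example.

```python
# Constructed sample headers for this example; not from any real application.
SAMPLE_HEADERS = [
    "Set-Cookie: sid=abc123; Secure; HttpOnly; SameSite=Strict; Path=/",
    "Set-Cookie: sid=abc123; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/",
]


def parse_set_cookie(header: str) -> tuple[str, dict]:
    """Split a Set-Cookie header into (cookie_name, attributes).

    Attribute names are case-insensitive, so they are lower-cased;
    flag attributes such as Secure and HttpOnly map to True.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs


def audit_session_cookie(header: str) -> list[str]:
    """Return findings for a cookie that is meant to carry a session id."""
    _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by client-side script")
    # SameSite with no value (or an unknown value) gives no cross-site protection.
    if str(attrs.get("samesite", "")).lower() not in ("strict", "lax"):
        findings.append("SameSite should be Strict or Lax")
    # Expires or Max-Age makes the cookie persistent; a session cookie should not set either.
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: session cookies should not set Expires/Max-Age")
    if "domain" in attrs:
        findings.append(f"Domain={attrs['domain']} widens the cookie to that domain and its subdomains")
    return findings


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h)
        for f in audit_session_cookie(h) or ["ok"]:
            print("  -", f)
```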