The essentials of HTTP cookie attributes

By Chrome for Developers


Key Concepts

  • Set-Cookie Header: The HTTP response header used by servers to instruct browsers to store cookies.
  • Cookie Attributes: Metadata parameters (separated by semicolons) that define the scope, lifetime, and security of a cookie.
  • Session Cookie: A cookie set without an Expires or Max-Age attribute; it is deleted when the browser session ends.
  • Third-Party Cookie: A cookie that belongs to a site other than the one shown in the address bar, sent with a cross-site request (for example, to a domain embedded in an iframe).
  • CHIPS (Cookies Having Independent Partitioned State): A mechanism that partitions cookies by the top-level site to prevent cross-site tracking while allowing cross-site functionality.

1. Scope Control: Domain and Path

These attributes determine which URLs are eligible to receive the stored cookie.

  • Domain:
    • If set (e.g., Domain=example.com), the cookie is sent to that domain and all its subdomains.
    • If omitted, the cookie is a host-only cookie: it is sent only to the exact host that set it, not to its subdomains. This is the tighter scope, so omit Domain unless subdomains genuinely need the cookie.
    • Constraint: Browsers reject the cookie if the Domain value does not cover the host that set it (the value must be that host or one of its parent domains). Public suffixes such as Domain=com are rejected as well.
  • Path:
    • Controls the URL-path scope. If omitted, the default path is the "directory" of the URL that set the cookie (the request path up to, but not including, its last slash).
    • If set (e.g., Path=/articles), the cookie is sent to that path and all sub-paths (e.g., /articles/breeds/).
    • Setting Path=/ ensures the cookie is sent with every request to the site.
    • Caveat: Path is not a security boundary. A page at a different path on the same origin can still read the cookie, for example by loading the cookie's path in a same-origin iframe, so do not rely on Path to isolate cookies between applications on one host.

2. Lifetime Management: Expires and Max-Age

  • Expires: Sets an absolute date and time (an HTTP-date) after which the cookie is deleted. Browsers may clamp this value; Chrome caps cookie lifetime at 400 days.
  • Max-Age: Defines the lifetime in seconds from the moment the cookie is received (e.g., Max-Age=86400 for one day). If both attributes are present, Max-Age takes precedence. A Max-Age of zero or a negative value, or an Expires date in the past, deletes the cookie.
  • Session Cookies: If neither attribute is provided, the cookie is treated as a session cookie and deleted when the browser session ends. Caveat: browsers configured to restore the previous session on startup may keep session cookies across restarts, so a session cookie is not a guarantee of a short lifetime; enforce session expiry server-side as well.
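
The scoping and lifetime rules from sections 1 and 2 are easy to state and easy to get subtly wrong, so here is a small model of them in JavaScript. This is an added example, not code from Chrome or from the video: it parses one Set-Cookie header the way RFC 6265 describes, applies the Domain rejection rule, computes the default Path, lets Max-Age override Expires, clamps the lifetime to an assumed 400-day cap, and then decides whether a stored cookie applies to a later request URL. The host names and URLs (example.test, other.test) are placeholders, and the public-suffix check that real browsers also perform is deliberately left out.

```javascript
// Model of how a browser scopes a cookie received in a Set-Cookie header
// (RFC 6265 rules for Domain, Path, Expires and Max-Age). Added example,
// not Chrome's implementation; all hosts and URLs below are made up.

const ONE_DAY_MS = 86400 * 1000;
// Assumed cap on cookie lifetime (Chrome uses 400 days).
const MAX_LIFETIME_MS = 400 * ONE_DAY_MS;

// RFC 6265 5.1.4: the default path is the request path up to, but not
// including, its right-most "/"; "/" when nothing would be left.
function defaultPath(requestPath) {
  if (!requestPath.startsWith('/')) return '/';
  const idx = requestPath.lastIndexOf('/');
  return idx <= 0 ? '/' : requestPath.slice(0, idx);
}

// RFC 6265 5.1.3: a host domain-matches a cookie Domain when it is equal to
// it or is a subdomain of it. (Real browsers also reject public suffixes;
// that check is omitted here.)
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// RFC 6265 5.1.4: the request path path-matches the cookie path when they are
// identical, when the cookie path is a prefix that ends in "/", or when the
// character right after the prefix is "/".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Parse one Set-Cookie header received from `setUrl` at time `now` (ms since
// epoch). Returns null when a browser would reject the cookie outright.
function parseSetCookie(header, setUrl, now) {
  const url = new URL(setUrl);
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq <= 0) return null;                     // a name is required
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    domain: url.hostname,
    hostOnly: true,                             // no Domain attribute seen yet
    path: defaultPath(url.pathname),
    expires: null,                              // null => session cookie
    secure: false,
    httpOnly: false,
  };
  let maxAge = null;
  let expires = null;
  for (const raw of attrs) {
    const [k, ...rest] = raw.trim().split('=');
    const key = k.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'domain') {
      const d = val.replace(/^\./, '').toLowerCase();
      // Reject when the setting host is not covered by the requested Domain.
      if (!domainMatches(url.hostname, d)) return null;
      cookie.domain = d;
      cookie.hostOnly = false;
    } else if (key === 'path') {
      // A Path that does not start with "/" falls back to the default path.
      cookie.path = val.startsWith('/') ? val : defaultPath(url.pathname);
    } else if (key === 'max-age') {
      if (/^-?\d+$/.test(val)) maxAge = Number(val);
    } else if (key === 'expires') {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) expires = t;
    } else if (key === 'secure') {
      cookie.secure = true;
    } else if (key === 'httponly') {
      cookie.httpOnly = true;
    }
  }
  // Max-Age wins over Expires when both are present (RFC 6265 5.3).
  if (maxAge !== null) {
    cookie.expires = maxAge <= 0 ? now : now + maxAge * 1000;   // <= 0 deletes
  } else if (expires !== null) {
    cookie.expires = expires;
  }
  // Clamp to the assumed maximum lifetime.
  if (cookie.expires !== null && cookie.expires - now > MAX_LIFETIME_MS) {
    cookie.expires = now + MAX_LIFETIME_MS;
  }
  return cookie;
}

// Would this stored cookie be attached to a request for `requestUrl` at `now`?
// Only scope and lifetime are checked here; Secure/SameSite are separate.
function cookieAppliesTo(cookie, requestUrl, now) {
  const url = new URL(requestUrl);
  if (cookie.expires !== null && cookie.expires <= now) return false;
  const domainOk = cookie.hostOnly
    ? url.hostname === cookie.domain               // host-only: exact host
    : domainMatches(url.hostname, cookie.domain);  // Domain set: subdomains too
  return domainOk && pathMatches(url.pathname, cookie.path);
}
```

Two behaviours worth noticing when you run it: a cookie set from /articles/breeds/corgi without a Path attribute defaults to /articles/breeds and is therefore not sent to /articles, and a cookie with Domain=example.test is sent to api.example.test but not to notexample.test, because domain matching requires a label boundary.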

3. Security Attributes

  • HttpOnly: Prevents client-side JavaScript from reading the cookie via document.cookie. This limits the damage of a Cross-Site Scripting (XSS) attack, since injected script cannot exfiltrate the cookie value. Caveat: injected script can still issue requests from the victim's browser, and those requests carry the cookie, so HttpOnly mitigates cookie theft rather than XSS itself.
  • Secure: Ensures the cookie is only transmitted over encrypted HTTPS connections, so an on-path attacker watching a plaintext connection cannot observe it. Browsers also refuse to set a Secure cookie from an insecure (http://) origin.
  • Best Practice: Set session and authentication cookies HttpOnly and Secure by default; drop HttpOnly only for cookies that client-side script genuinely has to read.

4. Cross-Site Behavior: SameSite

The SameSite attribute controls whether a cookie is attached to cross-site requests (e.g., requests made by an embedded iframe, or navigations started from another site). Two URLs are same-site when they share a scheme and a registrable domain (eTLD+1), so app.example.com and www.example.com are same-site even though they are different origins.

  • Strict: The cookie is only sent on same-site requests. It is not sent even when the user follows a link from another site, so the first page loaded after such a link arrives without the cookie.
  • Lax (Default): The cookie is sent on same-site requests and on cross-site top-level navigations that use a safe HTTP method (following a link is a GET). It is not sent on cross-site subresource requests (iframes, images, fetch/XHR) or on cross-site POSTs. Chrome treats cookies with no SameSite attribute as Lax, with one exception: a cookie set without SameSite less than two minutes earlier is also sent on cross-site top-level POSTs, to keep some redirect-based login flows working.
  • None: The cookie is sent in all contexts, including cross-site requests.
    • Requirement: Must be used with the Secure attribute; a SameSite=None cookie without Secure is rejected by the browser.
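
To make the interaction between Secure, HttpOnly and the three SameSite modes concrete, here is an added JavaScript model of the checks a browser runs before attaching a stored cookie to a request. It is not Chrome's code and not from the video. It assumes a simplified notion of "site" (scheme plus the last two host labels, standing in for the Public Suffix List), uses placeholder sites such as example.test and other.test, and represents the request context with a constructed object: the request URL, the site of the document that issued it, whether it is a top-level navigation, and the HTTP method. Chrome's two-minute "Lax + POST" exception is modelled through an optional ageSeconds field on the cookie.

```javascript
// Model of the network-side checks a browser applies before attaching a
// stored cookie to a request: Secure, SameSite (Strict/Lax/None, Lax by
// default) and the rejection rule for SameSite=None without Secure.
// Added example, not Chrome's implementation; all sites are placeholders.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Assumption: a "site" is scheme plus the last two host labels (eTLD+1).
// Real browsers consult the Public Suffix List (co.uk needs three labels);
// the shortcut is enough for the example.test style hosts used here.
function siteOf(urlString) {
  const u = new URL(urlString);
  const labels = u.hostname.split('.');
  return `${u.protocol}//${labels.slice(-2).join('.')}`;
}

// Returns a reason string when a browser would refuse to store the cookie,
// or null when the attribute combination is acceptable.
function rejectReason(cookie) {
  const mode = cookie.sameSite || 'Lax';
  if (mode === 'None' && !cookie.secure) return 'SameSite=None requires Secure';
  if (cookie.partitioned && !cookie.secure) return 'Partitioned requires Secure';
  return null;
}

// request fields (constructed for this example):
//   url                   the request target
//   contextSite           site of the document that issued the request: for a
//                         subresource, the top-level site it is embedded in;
//                         for a navigation, the site of the page it started on
//   isTopLevelNavigation  true when the request changes the address bar
//   method                HTTP method
// cookie fields: name, value, secure, httpOnly, sameSite (optional; absent
//   means the server set no SameSite attribute), ageSeconds (optional).
function shouldSendCookie(cookie, request) {
  if (rejectReason(cookie) !== null) return false;   // never stored at all
  const target = new URL(request.url);
  if (cookie.secure && target.protocol !== 'https:') return false;

  const sameSite = siteOf(request.url) === request.contextSite;
  if (sameSite) return true;                         // SameSite never blocks same-site

  const mode = cookie.sameSite || 'Lax';
  if (mode === 'None') return true;
  if (mode === 'Strict') return false;

  // Lax: cross-site delivery only on top-level navigations with a safe method.
  if (!request.isTopLevelNavigation) return false;   // iframes, images, fetch
  if (SAFE_METHODS.has(request.method.toUpperCase())) return true;

  // Chrome's "Lax + POST" exception: a cookie stored with no explicit SameSite
  // attribute less than two minutes ago is also sent on a cross-site top-level
  // POST. A cookie that says SameSite=Lax explicitly gets no such exception.
  const defaulted = cookie.sameSite === undefined;
  return defaulted && typeof cookie.ageSeconds === 'number' && cookie.ageSeconds < 120;
}

// HttpOnly only affects script visibility (document.cookie); it never changes
// whether the cookie travels on the network.
function visibleToScript(cookie) {
  return !cookie.httpOnly;
}
```

The cases to try are the ones an attacker cares about: a cross-site iframe or fetch never receives a Lax cookie, a cross-site top-level GET does, and a cross-site top-level POST (the classic CSRF shape) does not unless the cookie was stored moments ago without any SameSite attribute, which is exactly why setting SameSite explicitly is better than relying on the default.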

5. Advanced Privacy: Partitioned (CHIPS)

The Partitioned attribute introduces a "double-keying" mechanism.

  • Mechanism: Cookies are keyed by both the top-level site and the domain that set them.
  • Application: If website-A and website-B both embed an iframe from website-C, the cookie set by website-C on website-A is inaccessible to website-C on website-B.
  • Benefit: This allows cookies to function in cross-site contexts (like iframes) even when third-party cookies are blocked, without enabling cross-site tracking.
  • Requirement: Must be used with the Secure attribute.
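
The website-A / website-B / website-C scenario above comes down to what the storage key of a cookie is. The following added JavaScript cookie jar (not Chrome's jar, not code from the video) makes that visible: unpartitioned cookies are keyed by the cookie's own site, partitioned cookies by the top-level site as well. The site names (website-a.test and so on) and the thirdPartyCookiesBlocked option, which stands in for a browser that drops unpartitioned cookies in cross-site contexts, are assumptions for the example.

```javascript
// A minimal cookie jar showing what the Partitioned attribute changes: the
// key under which a cookie is stored and looked up. Added example, not
// Chrome's implementation; all sites are placeholders.

class CookieJar {
  constructor() {
    this.store = new Map();
  }

  // Unpartitioned cookies are keyed by the cookie's site only. Partitioned
  // cookies are additionally keyed by the top-level site (double keying).
  static key(cookie, topLevelSite) {
    return cookie.partitioned
      ? `${topLevelSite}|${cookie.site}|${cookie.name}`
      : `${cookie.site}|${cookie.name}`;
  }

  // Store a cookie set by `cookie.site` while the top-level page is
  // `topLevelSite`. Returns false when the cookie is rejected.
  set(cookie, topLevelSite, { thirdPartyCookiesBlocked = false } = {}) {
    if (cookie.partitioned && !cookie.secure) return false;   // Partitioned needs Secure
    const crossSite = cookie.site !== topLevelSite;
    // A browser blocking third-party cookies drops unpartitioned cross-site
    // cookies but still accepts partitioned ones.
    if (crossSite && !cookie.partitioned && thirdPartyCookiesBlocked) return false;
    this.store.set(CookieJar.key(cookie, topLevelSite), cookie.value);
    return true;
  }

  // Look up a cookie for `site` while the top-level page is `topLevelSite`.
  get(site, name, topLevelSite, { thirdPartyCookiesBlocked = false } = {}) {
    const partitionedKey = `${topLevelSite}|${site}|${name}`;
    if (this.store.has(partitionedKey)) return this.store.get(partitionedKey);
    const crossSite = site !== topLevelSite;
    if (crossSite && thirdPartyCookiesBlocked) return undefined;
    return this.store.get(`${site}|${name}`);
  }
}

// Walk through the scenario from the text: website-C is embedded in both
// website-A and website-B.
function demo() {
  const blocked = { thirdPartyCookiesBlocked: true };
  const jar = new CookieJar();
  const widget = { site: 'https://website-c.test', name: 'widget', secure: true, partitioned: true };
  jar.set({ ...widget, value: 'set-on-A' }, 'https://website-a.test', blocked);
  jar.set({ ...widget, value: 'set-on-B' }, 'https://website-b.test', blocked);

  // An unpartitioned cross-site cookie is rejected when third-party cookies
  // are blocked...
  const tracker = { site: 'https://website-c.test', name: 'uid', secure: true, partitioned: false };
  const trackerStored = jar.set({ ...tracker, value: 'u123' }, 'https://website-a.test', blocked);

  // ...but in a browser that still allows it, the same value shows up under
  // every embedding site, which is what makes cross-site tracking possible.
  const legacyJar = new CookieJar();
  legacyJar.set({ ...tracker, value: 'u123' }, 'https://website-a.test');

  return {
    partitionedOnA: jar.get('https://website-c.test', 'widget', 'https://website-a.test', blocked),
    partitionedOnB: jar.get('https://website-c.test', 'widget', 'https://website-b.test', blocked),
    // Visiting website-C directly is a third partition: the embedded cookies
    // are not visible there either.
    partitionedFirstParty: jar.get('https://website-c.test', 'widget', 'https://website-c.test', blocked),
    trackerStoredWhenBlocked: trackerStored,
    legacyTrackerOnB: legacyJar.get('https://website-c.test', 'uid', 'https://website-b.test'),
  };
}
```

Note the third partition in demo(): the cookie website-C sets while embedded in website-A is also invisible when the user visits website-C as a top-level site, so a partitioned cookie cannot be used to link an embedded session to a first-party one.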

Synthesis and Conclusion

Cookie attributes are the primary tools web developers have to control a cookie's scope, lifetime, and exposure. By moving away from unrestricted cookies toward more granular controls, specifically HttpOnly, Secure, SameSite, and Partitioned (CHIPS), developers can keep the cross-site functionality they need while significantly reducing the risk of session theft and unauthorized tracking. The transition to SameSite=Lax as the default and the adoption of partitioned storage represent the modern baseline for secure and privacy-conscious web development.
