Skip to content
← Back to Blog

Wednesday, November 1st 2023

Understanding cookies

Learn how cookies function, how they are used by websites, and the importance of managing them for privacy and security.

Posted by

Avatar for lydiahallie

Lydia Hallie

Staff Developer Advocate

Cookies are small pieces of data stored by web browsers on a user's device at the request of web servers. They are sent back unchanged by the browser each time it accesses that server. Cookies allow the server to "remember" specific user information, facilitating functionalities like maintaining user sessions, remembering preferences, and tracking user behavior.

How Do Cookies Work?

Cookies are set by a combination of both the server and browser.

image 31.png
image 31.png
  1. First, when the user visits a website, the server can send a Set-Cookie header in its response. "This instructs the browser to save the cookie on the user's device.
  2. Once a cookie is stored, the browser includes it as the Cookie header for subsequent requests to the same domain or path. This behavior is configurable through attributes such as SameSite, HttpOnly, and Secure.
  3. Cookies have an expiration time set using the Expires or Max-Age attributes. After this time, the cookie is automatically deleted. If neither is set, the cookie is treated as a session cookie and is deleted when the browser is closed.

The Set-Cookie response header consists of a few elements that determine how the browser will treat the cookie. It consists of:

image 30 (1).png
image 30 (1).png
  • Name and Value: The actual data in the cookie. They form a pair like name=value.
  • Domain and Path: Define the scope of the cookie. The cookie will be sent only to requests made to the given domain and path.
  • Expires and Max-Age: Specify when the cookie will expire. Expires sets an exact date and time, while Max-Age sets a duration.
  • Secure: Indicates that the cookie should be sent only over HTTPS.
  • HttpOnly: Ensures client-side scripts cannot access the cookie. By ensuring cookies aren't accessible via JavaScript, you reduce the risk of them being stolen should an attacker manage to inject malicious scripts into your website (XSS).
  • SameSite: This attribute is crucial for cookie security and defines when the cookie should be sent to the server. It can be set to either Strict, Lax or None. This guide discusses the different configurations and their implications.

When working with cookies, it's essential to prioritize security. It’s good practice to:

  1. Use the Secure and HttpOnly attributes wherever applicable to enhance security.
  2. Set the SameSite attribute appropriately can help mitigate CSRF attacks.
  3. Limit Lifespan: Set cookies to expire as soon as they're no longer needed by setting the right max-age or expires values.
  4. Avoid Sensitive Data: Never store sensitive data like passwords or personal identification numbers directly in cookies.

Inspecting and debugging cookies is important in complex applications where security is crucial. Browsers usually provide a streamlined way to do this, such as Google Chrome's Developer Tools. To access Google Chrome's Developer Tools, press F12 or right-click and select "Inspect," then go to the "Application" tab. In the left-hand sidebar, you will find an expandable "Cookies" section under "Storage," which lists all the domains associated with the cookies stored in your current session.

By clicking on a domain, you can view all the cookies set by that domain in a table format. Each row provides detailed information such as the cookie's name, value, domain, path, expiration date, and security attributes like Secure, HttpOnly, and SameSite.

image 44 (1).png

This interface provides real-time updates, allowing you to monitor cookies as they are created, modified, or deleted while interacting with the web application. This makes it easier to troubleshoot issues such as incorrect cookie settings, session persistence problems, or any unexpected behavior related to cookie-based authentication. You can even manipulate cookie values or attributes directly within the Developer Tools, enabling you to simulate different scenarios and conduct thorough cookie testing and debugging.