Developer Playground
HTTP Cookie: The Core Mechanism of Web State Management
Table of Contents
What is HTTP Cookie?
An HTTP cookie (also known as web cookie or browser cookie) is a small piece of data that a server sends to a user's web browser. The browser stores it and sends it back with later requests to the same server.
- HTTP is a stateless protocol, so cookies are needed to remember state information
- Used for user authentication, shopping carts, user preferences, and more
- Core mechanism for maintaining state between server and client
- Standardized in RFC 6265
Cookie Structure
HTTP Cookies consist of a name-value pair and several attributes:
Set-Cookie: name=value; Domain=example.com; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Secure; HttpOnly; SameSite=Strict- name=value: The core data of the cookie
- Domain: Specifies the domain to which the cookie is sent
- Path: Specifies the path within the domain
- Expires/Max-Age: Cookie expiration time
- Secure: Only sent over HTTPS
- HttpOnly: Blocks JavaScript access
- SameSite: Prevents CSRF attacks
Cookie Attributes Detailed Analysis
Domain Attribute
Specifies the domain to which the cookie will be sent. If not set, it defaults to the current domain only.
// Valid only on current host
Set-Cookie: sessionId=abc123
// Valid on example.com and all subdomains
Set-Cookie: sessionId=abc123; Domain=example.com
// Valid only on specific subdomain
Set-Cookie: sessionId=abc123; Domain=api.example.comPath Attribute
Specifies the URL path for which the cookie should be sent.
// Sent with all paths
Set-Cookie: sessionId=abc123; Path=/
// Sent only with /admin path and sub-paths
Set-Cookie: adminToken=xyz789; Path=/admin
// Sent only with specific API path
Set-Cookie: apiKey=api123; Path=/api/v1Expires and Max-Age
Determine the cookie's lifetime. Without both attributes, the cookie becomes a session cookie.
// Session cookie (deleted when browser closes)
Set-Cookie: sessionId=abc123
// Using Expires (absolute time)
Set-Cookie: rememberMe=true; Expires=Wed, 09 Jun 2026 10:18:14 GMT
// Using Max-Age (relative time in seconds)
Set-Cookie: token=xyz789; Max-Age=3600 // 1 hour
// Deleting cookie (set to past time)
Set-Cookie: sessionId=; Expires=Thu, 01 Jan 1970 00:00:00 GMTSameSite Attribute
An important security attribute that prevents CSRF attacks by controlling when cookies are sent with cross-site requests.
// Strict: Only sent with same-site requests
Set-Cookie: sessionId=abc123; SameSite=Strict
// Lax: Allows cross-site requests for top-level navigation
Set-Cookie: sessionId=abc123; SameSite=Lax
// None: Sent with all cross-site requests (Secure required)
Set-Cookie: trackingId=xyz789; SameSite=None; SecureSecurity Considerations
Major Security Threats
1. Session Hijacking
Attack where an attacker steals a user's session cookie and impersonates them.
- Use HTTPS (Secure attribute)
- Prevent XSS with HttpOnly attribute
- Regular session token regeneration
- IP address validation
2. Cross-Site Request Forgery (CSRF)
Attack where malicious sites send unwanted requests using the user's credentials.
- Use SameSite attribute
- Implement CSRF tokens
- Validate Referer header
- Double Submit Cookie pattern
3. Cross-Site Scripting (XSS)
Attack where malicious scripts execute and steal cookies from users.
- Block JavaScript access with HttpOnly attribute
- Validate and escape input data
- Apply Content Security Policy (CSP)
- Regular security updates
Security Best Practices
// Maximum security authentication cookie
Set-Cookie: sessionId=abc123; Secure; HttpOnly; SameSite=Strict; Max-Age=3600
// API token cookie
Set-Cookie: apiToken=xyz789; Secure; HttpOnly; SameSite=Lax; Path=/api
// User preference cookie
Set-Cookie: theme=dark; Secure; SameSite=Lax; Max-Age=31536000| SameSite Value | Cross-Site GET | Cross-Site POST | Use Case |
|---|---|---|---|
| Strict | ❌ Not sent | ❌ Not sent | Maximum security, auth tokens |
| Lax | ✅ Top-level navigation only | ❌ Not sent | Default value, general use |
| None | ✅ Always sent | ✅ Always sent | Third-party integration, embeds |
Cookie Types
1. Session Cookie vs Persistent Cookie
- Session Cookie: Cookie without Expires or Max-Age, deleted when browser closes
- Persistent Cookie: Cookie with expiration time set, persists until specified time
2. First-party vs Third-party Cookie
- First-party Cookie: Set by the domain currently being visited
- Third-party Cookie: Set by a different domain (ads, tracking purposes)
3. Secure Cookie vs HttpOnly Cookie
- Secure Cookie: Only transmitted over HTTPS connections
- HttpOnly Cookie: Cannot be accessed via JavaScript, prevents XSS attacks
Modern Alternatives
1. Web Storage API
Client-side storage provided by browsers for storing data locally.
localStorage
// Store data
localStorage.setItem('userPreference', 'dark-theme');
// Read data
const preference = localStorage.getItem('userPreference');
// Remove data
localStorage.removeItem('userPreference');- Persists after browser closure
- Not automatically sent with HTTP requests
- Only accessible via JavaScript
- Isolated per domain
sessionStorage
// Store temporary data
sessionStorage.setItem('tempData', 'temporary-value');
// Read data
const tempData = sessionStorage.getItem('tempData');
// Automatically deleted when tab closes- Deleted when tab/window closes
- Not automatically sent with HTTP requests
- Independent storage space per tab
2. JWT (JSON Web Token)
A stateless authentication method that includes state information within the token itself.
// JWT token storage (using HttpOnly cookie)
Set-Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...; HttpOnly; Secure; SameSite=Strict
// Or sent via Authorization header
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...- No server state storage required
- Suitable for microservices architecture
- Contains claim-based information
- Controllable token expiration time
JWT Storage Options: Security Analysis
When using JWT for authentication, choosing the right storage method is crucial for security. Let's compare the main options:
1. HttpOnly Cookies (Recommended)
// Server-side: Set JWT in HttpOnly cookie
res.cookie('accessToken', jwtToken, {
httpOnly: true, // Prevents XSS attacks
secure: true, // HTTPS only
sameSite: 'strict', // Prevents CSRF attacks
maxAge: 15 * 60 * 1000 // 15 minutes
});
// Client-side: Cannot access via JavaScript (more secure)
// Token is automatically sent with requests✅ Pros:
- • Protected from XSS attacks (JavaScript cannot access)
- • Automatic transmission with requests
- • CSRF protection with SameSite attribute
- • Server-controlled expiration
⚠️ Cons:
- • Potential CSRF attacks if not properly configured
- • Limited control from client-side
- • Sent with all requests to the domain
2. localStorage (Common but Less Secure)
// Store JWT in localStorage
localStorage.setItem('accessToken', jwtToken);
// Manual token management required
const token = localStorage.getItem('accessToken');
fetch('/api/protected', {
headers: {
'Authorization': Bearer ${token}
}
});✅ Pros:
- • Full client-side control
- • No CSRF vulnerability
- • Flexible token management
- • Works well with SPAs
❌ Cons:
- • Vulnerable to XSS attacks
- • Accessible via JavaScript
- • Manual token refresh handling
- • Persists until manually cleared
3. Memory Storage (Most Secure for Short-lived Tokens)
// Store JWT in memory (JavaScript variable)
let accessToken = null;
// Set token after login
function setAccessToken(token) {
accessToken = token;
}
// Use token for requests
function authenticatedFetch(url, options = {}) {
return fetch(url, {
...options,
headers: {
...options.headers,
'Authorization': Bearer ${accessToken}
}
});
}✅ Pros:
- • Highest security (cleared on page refresh)
- • No XSS persistence
- • No CSRF vulnerability
- • Complete control over token lifecycle
⚠️ Cons:
- • Lost on page refresh
- • Complex state management required
- • Poor user experience for long sessions
Best Practice: Dual Token Strategy
The most secure approach combines multiple strategies:
// 1. Short-lived access token in memory (15 minutes)
let accessToken = null;
// 2. Long-lived refresh token in HttpOnly cookie (7 days)
res.cookie('refreshToken', refreshToken, {
httpOnly: true,
secure: true,
sameSite: 'strict',
maxAge: 7 * 24 * 60 * 60 * 1000 // 7 days
});
// 3. Automatic token refresh
async function refreshAccessToken() {
const response = await fetch('/auth/refresh', {
method: 'POST',
credentials: 'include' // Include HttpOnly cookies
});
const { accessToken: newToken } = await response.json();
accessToken = newToken;
}🔒 Security Benefits:
- • Access token expires quickly (limits XSS damage)
- • Refresh token protected from XSS (HttpOnly)
- • Refresh token protected from CSRF (SameSite)
- • Automatic token rotation
- • Graceful handling of token expiration
Security Recommendation Summary
Implementation Examples
1. JavaScript Cookie Utilities
// Cookie utility functions
function setCookie(name, value, days) {
const expires = new Date();
expires.setTime(expires.getTime() + (days * 24 * 60 * 60 * 1000));
document.cookie = ${name}${value}; expires=${expires.toUTCString()}; path=/; SameSite=Lax;
}2. Spring Boot ResponseCookie Example
// Example of setting secure authentication cookie in Spring Boot
@PostMapping("/login")
public ResponseEntity<Void> login(@RequestBody LoginRequest request) {
// Create JWT token after successful authentication
String jwtToken = jwtService.generateToken(request.getUsername());
// Create secure cookie with JWT token
ResponseCookie cookie = ResponseCookie
.from("auth_token", jwtToken)
.httpOnly(true) // Prevents JavaScript access
.secure(true) // HTTPS only
.sameSite("Strict") // Prevents CSRF attacks
.path("/") // Available for all paths
.maxAge(Duration.ofHours(1)) // 1 hour expiration
.build();
// Return response with cookie
return ResponseEntity
.ok()
.header(HttpHeaders.SET_COOKIE", cookie.toString())
.build();
}
// Example of clearing cookie on logout
@PostMapping("/logout")
public ResponseEntity<Void> logout() {
ResponseCookie cookie = ResponseCookie
.from("auth_token", "")
.httpOnly(true)
.secure(true)
.sameSite("Strict")
.path("/")
.maxAge(Duration.ZERO) // Expire immediately
.build();
return ResponseEntity
.ok()
.header(HttpHeaders.SET_COOKIE", cookie.toString())
.build();
}This example demonstrates how to create and manage secure cookies in a Spring Boot application. The code shows:
- Setting a secure authentication cookie with JWT token
- Implementing proper security attributes (HttpOnly, Secure, SameSite)
- Cookie expiration management
- Proper cookie clearing on logout
Conclusion
HTTP Cookies remain a fundamental technology for web state management, despite the emergence of modern alternatives. Understanding their structure, security attributes, and proper implementation is crucial for building secure web applications.
While newer technologies like Web Storage API and JWT tokens offer different advantages, cookies continue to be the preferred choice for authentication and session management due to their automatic transmission with HTTP requests and robust security features when properly configured.
The key to secure cookie implementation lies in using appropriate attributes like HttpOnly, Secure, and SameSite, combined with proper validation and regular security audits.
Advertisement