Questions tagged [cookies]

An HTTP cookie is a piece of data stored by the user's web browser. Unless otherwise specified, cookies can be created, read, modified and deleted both by JavaScript and from server-side through HTTP headers.

Cookies are used to remember session state, such as authentication, the state of GUI controls and personalization through user preferences. They can also be misused to track browsing history and to transfer malware.

A server sets a cookie using the Set-Cookie HTTP header:

 Set-Cookie: someName=someValue; Expires=Fri, 18-Jan-2013 10:13:13 GMT
 Set-Cookie: someOther=someOtherValue

Cookies can also be set on images and similar embedded content, which makes them a powerful tracking tool. Once a cookie is set, the browser sends it back with later requests:

 Cookie: someName=someValue; someOtherName=someOtherValue

For more security, cookies can be restricted to a given domain and path:

 Set-Cookie: name=value; domain=www.foo.com; Path=/hereonly

They can also carry the additional attributes secure (sent over HTTPS only, but still accessible through JavaScript) and httponly (sent over HTTP or HTTPS, but not accessible through JavaScript):

 Set-Cookie: goldlocation=somewhere; Domain=.morgan.com; secure; httponly

In this example the cookie is accessible to all subdomains of morgan.com, but only over HTTPS and not from JavaScript.
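As an added example (not part of the tag wiki), a small parser for the Set-Cookie header value that audits the attributes discussed above; it assumes the cookie carries session state, so a missing secure or httponly attribute is reported as a finding, and the policy it applies is a hypothetical one chosen for illustration:

```javascript
// Added example (not part of the tag wiki): parse a Set-Cookie header value
// into name, value and attributes, then audit the attributes a defender
// cares about. Attribute names are compared case-insensitively, since
// browsers treat "secure", "Secure" and "SECURE" alike.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = (parts[0] || '').indexOf('=');
  if (eq <= 0) throw new Error('Set-Cookie must start with name=value');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    // Flag attributes (secure, httponly) carry no value; store them as true.
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Findings for a cookie assumed to hold session state (hypothetical policy).
function auditSessionCookie(header) {
  const a = parseSetCookie(header).attributes;
  const findings = [];
  if (a.secure !== true) findings.push('missing Secure: also sent over plain HTTP');
  if (a.httponly !== true) findings.push('missing HttpOnly: readable from JavaScript');
  if (typeof a.domain === 'string') {
    // A Domain attribute, with or without the leading dot, makes the cookie
    // visible to every subdomain of that domain.
    findings.push('Domain=' + a.domain + ': shared with all subdomains');
  }
  if (typeof a.path !== 'string' || a.path === '/') {
    findings.push('Path is / or absent: no explicit path restriction');
  }
  return findings;
}

// Constructed inputs, taken from the header examples in the tag wiki.
const SAMPLES = [
  'someName=someValue; Expires=Fri, 18-Jan-2013 10:13:13 GMT',
  'name=value; domain=www.foo.com; Path=/hereonly',
  'goldlocation=somewhere; Domain=.morgan.com; secure; httponly',
];
for (const s of SAMPLES) console.log(s.split(';')[0], '->', auditSessionCookie(s));
```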

Cookie access control is based on the domain, optionally the path, and optionally the URL scheme (http: vs. https:). These rules are not the same as the DOM access control rules in JavaScript, which are based on the same-origin policy; because cookie access is mostly based on the domain name, the two are sometimes confused.

The behaviour of HTTP cookies in real-life browsers is not described in any RFC (thus quoting an RFC to describe cookies is almost always wrong). The various RFCs are of historical interest.

Browsers are recommended to allow at least 20 cookies per domain and 4 KB per cookie. If you are looking for an alternative to cookies that is not sent in HTTP headers and can store more data, consider

Implementation Hint

For fans, there is a simple plugin that makes it easy to deal with cookies (write, read and delete); it can be found here.


Questions:

34843 questions

379 votes, 12 answers
Why is jQuery's .ajax() method not sending my session cookie?
After logging in via $.ajax() to a site, I am trying to send a second $.ajax() request to that site - but when I check the headers sent using FireBug, there is no session cookie being included in the request. What am I doing wrong?
user345625

354 votes, 13 answers
What are allowed characters in cookies?
What are the allowed characters in both cookie name and value? Are they the same as URL or some common subset? Reason I'm asking is that I've recently hit some strange behavior with cookies that have - in their name and I'm just wondering if it's…
Esko

345 votes, 17 answers
Cross-Domain Cookies
I have two webapps WebApp1 and WebApp2 in two different domains. I am setting a cookie in WebApp1 in the HttpResponse. How to read the same cookie from HttpRequest in WebApp2? I know it sounds weird because cookies are specific to a given domain,…
SundarJavaDeveloper

342 votes, 5 answers
What is the maximum size of a web browser's cookie's key?
What is the maximum size of a web browser's cookie's key? I know the maximum size of a cookie is 4KB, but does the key have a limitation as well?
user77480

338 votes, 22 answers
How do I create and read a value from cookie with javascript?
How can I create and read a value from a cookie in JavaScript?
Venkatesh Appala

336 votes, 25 answers
Remove a cookie
When I want to remove a Cookie I try unset($_COOKIE['hello']); I see in my cookie browser from firefox that the cookie still exists. How can I really remove the cookie?
sanders

334 votes, 10 answers
Fetch API with Cookie
I am trying out the new Fetch API but am having trouble with Cookies. Specifically, after a successful login, there is a Cookie header in future requests, but Fetch seems to ignore that header, and all my requests made with Fetch is…
Khanetor

326 votes, 7 answers
Where to store JWT in browser? How to protect against CSRF?
I know cookie-based authentication. SSL and HttpOnly flags can be applied to protect cookie-based authentication from MITM and XSS. However, more special measures will be needed to apply in order to protect it from CSRF. They are just a bit…
Timespace

310 votes, 4 answers
How are cookies passed in the HTTP protocol?
How are cookies passed in the HTTP protocol?
jai

305 votes, 19 answers
Make Axios send cookies in its requests automatically
I am sending requests from the client to my Express.js server using Axios. I set a cookie on the client and I want to read that cookie from all Axios requests without adding them manually to request by hand. This is my clientside request…
Kunok

299 votes, 3 answers
How does cookie-based authentication work?
What would be a step-by-step description of how cookie-based authentication works? I've never done anything involving either authentication or cookies. What does the browser need to do? What does the server need to do? In what order? How do we keep…
Mastid

296 votes, 4 answers
Can an AJAX response set a cookie?
Can an AJAX response set a cookie? If not, what is my alternative solution? Should I set it with Javascript or something similar?
Billworth Vandory

279 votes, 25 answers
Cookies on localhost with explicit domain
I must be missing some basic thing about cookies. On localhost, when I set a cookie on server side and specify the domain explicitly as localhost (or .localhost), the cookie does not seem to be accepted by some browsers. Firefox 3.5: I checked the…
Jan Zich

264 votes, 9 answers
How can I set cookie in node js using express framework?
In my application, I need to set a cookie using the express framework. I have tried the following code but it's not setting the cookie. var express = require('express'), http = require('http'); var app = express(); app.configure(function(){ …
sachin

259 votes, 20 answers
What is the shortest function for reading a cookie by name in JavaScript?
What is the shortest, accurate, and cross-browser compatible method for reading a cookie in JavaScript? Very often, while building stand-alone scripts (where I can't have any outside dependencies), I find myself adding a function for reading…
Yahel