Questions tagged [cookies]

An HTTP cookie is a piece of data stored by the user's web browser. Unless otherwise specified, cookies can be created, read, modified and deleted both by JavaScript and from server-side through HTTP headers.

Cookies can be used to remember the state of a session, such as authentication, the state of GUI controls and personalization through user preferences. They can also be misused to track browsing history and to transfer malware.

A server sets a cookie using the Set-Cookie HTTP header:

 Set-Cookie: someName=someValue; Expires=Fri, 18-Jan-2013 10:13:13 GMT
 Set-Cookie: someOther=someOtherValue

Cookies can also be set on images and similar content, which makes them a powerful tracking tool. Once a cookie is set, the browser reports it back on subsequent requests:

 Cookie: someName=someValue; someOtherName=someOtherValue

For more security, cookies can be restricted to a domain and path:

 Set-Cookie: name=value; domain=www.foo.com; Path=/hereonly

They can also carry the additional attributes secure (sent over HTTPS only, but still accessible through JavaScript) and httponly (sent over HTTP or HTTPS, but not accessible through JavaScript):

 Set-Cookie: goldlocation=somewhere; Domain=.morgan.com; secure; httponly

In this example the cookie is accessible to all subdomains of morgan.com, but only over HTTPS and not from JavaScript.

Cookie access control is based on the domain, (optionally) the path and (optionally) the URL scheme (http: vs. https:). These rules are not the same as the access control rules of the DOM in JavaScript, which are based on the same-origin policy; but because cookie access is mostly based on the domain name, the two are sometimes confused.
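The scoping rules above (Domain, Path, secure, httponly, and the resulting Cookie: request header) as a small runnable model. This is an added example, not code from the tag wiki; it assumes a cookie set without a Domain attribute is host-only, and it omits rules real browsers add on top (public suffixes, SameSite, expiry).

```python
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Cookie:
    name: str
    value: str
    domain: str            # lower-case, no leading dot
    host_only: bool        # no Domain attribute: only the exact host matches
    path: str = "/"
    secure: bool = False
    httponly: bool = False

def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse the value of a Set-Cookie header received from request_host."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    c = Cookie(name.strip(), value.strip(), request_host.lower(), True)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()   # attribute names are case-insensitive
        if key == "domain" and val:
            c.domain, c.host_only = val.lstrip(".").lower(), False  # host and subdomains
        elif key == "path" and val:
            c.path = val
        elif key == "secure":
            c.secure = True
        elif key == "httponly":
            c.httponly = True
    return c

def domain_matches(host: str, c: Cookie) -> bool:
    # Host-only cookies match the exact host; Domain cookies also match subdomains.
    return host == c.domain or (not c.host_only and host.endswith("." + c.domain))

def path_matches(req_path: str, cookie_path: str) -> bool:
    # Exact path, or cookie path is a directory prefix of the request path.
    if not req_path.startswith(cookie_path):
        return False
    return len(req_path) == len(cookie_path) or cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"

def would_send(c: Cookie, url: str) -> bool:
    # secure cookies travel over https: only; then domain and path must match.
    u = urlparse(url)
    if c.secure and u.scheme != "https":
        return False
    return domain_matches(u.hostname.lower(), c) and path_matches(u.path or "/", c.path)

def cookie_header(cookies, url: str) -> str:
    """The Cookie: request header the browser reports back for url ('' if none)."""
    return "; ".join(f"{c.name}={c.value}" for c in cookies if would_send(c, url))
```

Whether JavaScript may read a cookie is independent of this: it is simply `not c.httponly`.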

The behaviour of HTTP cookies in real-life browsers is not described in any RFC (thus quoting an RFC to describe cookies is almost always wrong). The various RFCs are of historical interest.

Browsers are recommended to allow at least 20 cookies per domain and 4KB per cookie. If you are looking for an alternative to cookies that is not sent in HTTP headers and can store more data, consider

Implementation Hint

For fans, a simple plugin that makes it easy to deal with cookies (write, read and delete) can be found here.


Questions:

34843 questions
259 votes, 8 answers

Does every web request send the browser cookies?

Does every web request send the browser's cookies? I'm not talking page views, but a request for an image, .js file, etc. Update If a web page has 50 elements, that is 50 requests. Why would it send the SAME cookie(s) for each request, doesn't it…
mrblah
255 votes, 15 answers

Set cookies for cross origin requests

How to share cookies cross origin? More specifically, how to use the Set-Cookie header in combination with the header Access-Control-Allow-Origin? Here's an explanation of my situation: I am attempting to set a cookie for an API that is running on…
Pim van der Heijden
250 votes, 7 answers

How do I view cookies in Internet Explorer 11 using Developer Tools

I'm looking for how to view the cookies set using developer tools in IE11. I see an option in network profiling to view cookies being sent back and forth, but this is not really the same thing. It is cumbersome to use since it's per request. Surely…
KingOfHypocrites
244 votes, 6 answers

SameSite warning Chrome 77

Since the last update, I'm having an error with cookies, related with SameSite attribute. The cookies are from third party developers (Fontawesome, jQuery, Google Analytics, Google reCaptcha, Google Fonts, etc.) The errors in the Chrome console are…
peiblox
240 votes, 10 answers

Token Authentication vs. Cookies

What is the difference between token authentication and authentication using cookies? I am trying to implement the Ember Auth Rails Demo but I do not understand the reasons behind using token authentication as described in the Ember Auth FAQ on the…
John
239 votes, 14 answers

Set a cookie to never expire

Looking at the php documentation on setting a cookie I see that I can set an expiration date for the cookie. You can set the cookie to expire at the end of the browser session or at some time in the future but I do not see a way to set the cookie…
brainimus
236 votes, 15 answers

Cookies vs. sessions in PHP

I started using PHP a couple of months ago. For the sake of creating a login system for my website, I read about cookies and sessions and their differences (cookies are stored in the user's browser and sessions on the server). At that time, I…
Nadjib Mami
231 votes, 6 answers

JWT vs cookies for token-based authentication

I read some posts about "JWT vs Cookie" but they only made me more confused... I want some clarification, when people talking about "token-based authentication vs cookies", cookies here merely refer to session cookies? My understanding is that…
watashiSHUN
227 votes, 6 answers

Correct way to delete cookies server-side

For my authentication process I create a unique token when a user logs in and put that into a cookie which is used for authentication. So I would send something like this from the server: Set-Cookie:…
Joshkunz
226 votes, 11 answers

How to set a cookie for another domain

Say I have a website called a.com, and when a specific page of this site is loaded, say page link, I like to set a cookie for another site called b.com, then redirect the user to b.com. I mean, on load of a.com/link I want to set a cookie for b.com…
Rasoul Zabihi
223 votes, 14 answers

Chrome doesn't delete session cookies

I'm trying to set session cookie in javascript like this: document.cookie = 'name=alex; path=/' But Chrome doesn't delete it even if I quit browser and launch it again. I checked in Firefox and Opera and both work as intended - they delete session…
mgs
221 votes, 22 answers

How do I uniquely identify computers visiting my web site?

I need to figure out a way to uniquely identify each computer which visits the web site I am creating. Does anybody have any advice on how to achieve this? Because I want the solution to work on all machines and all browsers (within reason) I am trying…
thatisvaliant
217 votes, 4 answers

Create, read, and erase cookies with jQuery

Somebody help me. How to create, read and erase some cookies with jQuery?
Agus Puryanto
209 votes, 9 answers

How do HttpOnly cookies work with AJAX requests?

JavaScript needs access to cookies if AJAX is used on a site with access restrictions based on cookies. Will HttpOnly cookies work on an AJAX site? Edit: Microsoft created a way to prevent XSS attacks by disallowing JavaScript access to cookies if…
Shawn
202 votes, 8 answers

Delete cookie by name?

How can I delete a specific cookie with the name roundcube_sessauth? Shouldn't the following: function del_cookie(name) { document.cookie = 'roundcube_sessauth' + '=; expires=Thu, 01-Jan-70 00:00:01 GMT;'; } And then:
Charlie