Questions tagged [cookies]

An HTTP cookie is a piece of data stored by the user's web browser. Unless otherwise specified, cookies can be created, read, modified and deleted both by JavaScript and by the server through HTTP headers.

Cookies can be used to remember the state of the session, such as authentication, state of GUI controls and personalization through user preferences. They can also be inappropriately used to track the browsing history and to transfer malware.

A server sets a cookie using the Set-Cookie HTTP header:

 Set-Cookie: someName=someValue; Expires=Fri, 18-Jan-2013 10:13:13 GMT
 Set-Cookie: someOther=someOtherValue

Cookies can also be set on responses for images and similar content, which makes them a powerful tracking tool. Once a cookie is set, the browser reports it back to the server:

 Cookie: someName=someValue; someOther=someOtherValue

For more security, cookies can be restricted to a specific domain and path:

 Set-Cookie: name=value; domain=www.foo.com; Path=/hereonly

They can also have additional secure (HTTPS only but accessible through JavaScript) and httponly (HTTP or HTTPS but not accessible through JavaScript) attributes:

 Set-Cookie: goldlocation=somewhere; Domain=.morgan.com; secure; httponly

In this example the cookie is accessible for all subdomains of morgan.com but only through HTTPS and not accessible from JavaScript.

Cookie access control is based on domain, (optionally) path and (optionally) URL scheme (http: vs. https:). The rules governing cookies are not the same as the access control rules of the DOM in JavaScript, which are based on the same-origin policy. Because cookie access is mostly based on domain name, the two sets of rules are sometimes confused.
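A simplified model of these scoping rules, applied to the Set-Cookie headers shown above. This is an added example, not part of the original tag wiki; the hosts that set the cookies and the default Path of "/" are assumptions, and real browsers apply further checks.

```javascript
// Added example: simplified model of cookie scoping (Domain, Path, Secure, HttpOnly).
// Real browsers apply further rules (public-suffix checks, default path derived
// from the setting URL); here a missing Path is assumed to mean "/".
function parseSetCookie(header, setByHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: setByHost.toLowerCase(), hostOnly: true,
              path: '/', secure: false, httpOnly: false };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'domain' && val) {
      c.domain = val.replace(/^\./, '').toLowerCase(); // leading dot is ignored
      c.hostOnly = false;                              // now covers subdomains too
    } else if (key === 'path' && val.startsWith('/')) c.path = val;
    else if (key === 'secure') c.secure = true;
    else if (key === 'httponly') c.httpOnly = true;
  }
  return c;
}

// Would the browser attach this cookie to a request for `url`?
function sentWith(cookie, url) {
  const { protocol, hostname, pathname } = new URL(url);
  const domainOk = hostname === cookie.domain ||
    (!cookie.hostOnly && hostname.endsWith('.' + cookie.domain));
  const pathOk = pathname === cookie.path ||
    (pathname.startsWith(cookie.path) &&
      (cookie.path.endsWith('/') || pathname[cookie.path.length] === '/'));
  const schemeOk = !cookie.secure || protocol === 'https:';
  return domainOk && pathOk && schemeOk;
}

// Is the cookie visible to page script via document.cookie?
function readableFromScript(cookie) {
  return !cookie.httpOnly;
}

// Headers from the text above; the setting hosts are constructed for the demo.
const gold = parseSetCookie(
  'goldlocation=somewhere; Domain=.morgan.com; secure; httponly', 'www.morgan.com');
const scoped = parseSetCookie(
  'name=value; domain=www.foo.com; Path=/hereonly', 'www.foo.com');
console.log(sentWith(gold, 'https://app.morgan.com/'), readableFromScript(gold));
console.log(sentWith(scoped, 'https://www.foo.com/elsewhere'));
```

A cookie set without a Domain attribute stays host-only in this model, so it is not sent to subdomains of the host that set it.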

The behaviour of HTTP cookies in real-life browsers is not described in any RFC (thus quoting an RFC to describe cookies is almost always wrong). The various RFCs are of historical interest.

Browsers are recommended to allow at least 20 cookies per domain and 4 KB per cookie. If you are looking for an alternative to cookies that isn't sent in HTTP headers and can store more data, consider

Implementation Hint

For fans, there is a simple plugin that makes it easy to deal with cookies (write, read and delete); it can be found here.


Questions:

34843 questions
146 votes, 1 answer

Set a cookie to HttpOnly via Javascript

I have a cookie that is NOT HttpOnly. Can I set this cookie to HttpOnly via JavaScript?
user887983
143 votes, 8 answers

how to get the cookies from a php curl into a variable

So some guy at some other company thought it would be awesome if instead of using soap or xml-rpc or rest or any other reasonable communication protocol he just embedded all of his response as cookies in the header. I need to pull these cookies out…
thirsty93
142 votes, 1 answer

How do Third-Party "tracking cookies" work?

I have read this question here: How Do Internet Advertisers Use Third-Party Cookies? on how third-party tracking cookies work, but am still very confused. I don't understand how if I visit Website A (a normal website with ads) how Website B (an…
JosephG
140 votes, 5 answers

Naming cookies - best practices

What should cookie names look like? Should they be: lower_case CamelCase Underscore_Camel_Case UPPER_CASE Or should they be something else?
Emanuil Rusev
138 votes, 4 answers

What does the dot prefix in the cookie domain mean?

What is the difference between local.test.com and .local.test.com ? The screenshot is from Chrome.
ripper234
135 votes, 22 answers

How do I check if a cookie exists?

What's a good way to check if a cookie exists? Conditions: Cookie exists if cookie1=;cookie1=345534; //or cookie1=345534;cookie1=; //or cookie1=345534; Cookie doesn't exist if cookie=; //or
confuzzled
135 votes, 14 answers

What is the best way to prevent session hijacking?

Specifically this is regarding when using a client session cookie to identify a session on the server. Is the best answer to use SSL/HTTPS encryption for the entire web site, and you have the best guarantee that no man in the middle attacks will be…
Adam
133 votes, 11 answers

How can I set a cookie in react?

Originally, I use the following ajax to set cookie. function setCookieAjax(){ $.ajax({ url: `${Web_Servlet}/setCookie`, contentType: 'application/x-www-form-urlencoded;charset=utf-8', headers: { 'Access-Control-Allow-Origin': '*', …
OPfan
128 votes, 9 answers

I need to get all the cookies from the browser

I need to get all the cookies stored in my browser using JavaScript. How can it be done?
nayagi
127 votes, 4 answers

Creating a JavaScript cookie on a domain and reading it across sub domains

Below is a JavaScript cookie that is written on the user's computer for 12 months. After we set the cookie on our main domain such as example.com, should the user visit a subdomain like test.example.com, we need to continue to identify the activity…
Evan
127 votes, 5 answers

When does a cookie with expiration time 'At end of session' expire?

There is a session cookie with expiration time which says 'At end of session'. When exactly does it expire or will it be alive forever?
Shakti Singh
126 votes, 8 answers

Sending cookies with postman

I read the manual of sending request with cookie with postman: As the packaged app runs in a sandbox separately from the browser, it can not access cookies set inside the browser. This restriction can also be overcome using the Interceptor…
MIDE11
125 votes, 4 answers

How do I make an http request using cookies on Android?

I'd like to make an http request to a remote server while properly handling cookies (eg. storing cookies sent by the server, and sending those cookies when I make subsequent requests). It'd be nice to preserve any and all cookies, but really the…
emmby
123 votes, 4 answers

How can I use cookies in Python Requests?

I am trying to log in to a page and access another link in the page. I get a "405 Not Allowed" error from this attempt: payload={'username'=,'password'=} with session() as s: r = c.post(, data=payload) print(r) …
user1474157
123 votes, 3 answers

How to expire a cookie in 30 minutes using jQuery?

How to Expire a Cookie in 30 min? I am using a jQuery cookie. I am able to do something like this. $.cookie("example", "foo", { expires: 1 }); This is for 1 day. But how can we set expiry time to 30 min.
bluwater2001