Questions tagged [cookies]

An HTTP cookie is a piece of data stored by the user's web browser. Unless otherwise specified, cookies can be created, read, modified and deleted both by JavaScript and from server-side through HTTP headers.

Cookies can be used to remember session state, such as authentication status, the state of GUI controls, and personalization through user preferences. They can also be used inappropriately to track browsing history and to transfer malware.

A server sets a cookie using the Set-Cookie HTTP header:

 Set-Cookie: someName=someValue; Expires=Fri, 18-Jan-2013 10:13:13 GMT
 Set-Cookie: someOther=someOtherValue

Cookies can also be set on images and similar embedded content, which makes them a powerful tracking tool. Once a cookie is set, the browser reports it back on subsequent requests:

 Cookie: someName=someValue; someOtherName=someOtherValue

For more security, cookies can be restricted to a particular domain and path:

 Set-Cookie: name=value; domain=www.foo.com; Path=/hereonly

They can also carry the additional attributes Secure (sent only over HTTPS, but still accessible from JavaScript) and HttpOnly (sent over HTTP or HTTPS, but not accessible from JavaScript):

 Set-Cookie: goldlocation=somewhere; Domain=.morgan.com; secure; httponly

In this example the cookie is sent to all subdomains of morgan.com, but only over HTTPS, and it is not accessible from JavaScript.

Cookie access control is based on the domain, optionally the path, and optionally the URL scheme (http: vs. https:). These rules are not the same as the DOM access-control rules in JavaScript, which are based on the same-origin policy; but because cookie access is mostly based on the domain name, the two are sometimes confused.
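As an added illustration of the Domain, Path, Secure and HttpOnly rules described above (example code written for this page, not part of the tag wiki), the following toy Python cookie jar parses Set-Cookie headers and then decides, for a given request URL, which cookies a browser would put in the Cookie header and which ones document.cookie would expose to script. The hosts (www.morgan.com, api.morgan.com) and cookie values are constructed sample data; Expires/Max-Age, SameSite and public-suffix handling are deliberately left out.

```python
"""Toy cookie jar: applies Domain, Path, Secure and HttpOnly the way a browser
does when building the Cookie header and when answering document.cookie.

Added example, not the tag wiki's code. Simplified on purpose: no expiry,
no SameSite, no public-suffix checks. All hosts and cookies are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # matching host, stored without a leading dot
    host_only: bool    # True when the response carried no Domain attribute
    path: str
    secure: bool = False
    httponly: bool = False


def default_path(request_path: str) -> str:
    """Path used when Set-Cookie has no Path attribute: the request path's directory."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


def parse_set_cookie(header: str, request_host: str, request_path: str = "/") -> Cookie:
    """Parse one Set-Cookie value received in a response from request_host/request_path."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), request_host.lower(), True,
                    default_path(request_path))
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            # A leading dot is ignored; Domain makes the cookie apply to all subdomains.
            cookie.domain, cookie.host_only = val.lstrip(".").lower(), False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        # Expires and any unknown attribute are ignored in this toy model.
    return cookie


def domain_matches(host: str, c: Cookie) -> bool:
    if c.host_only:
        return host == c.domain
    return host == c.domain or host.endswith("." + c.domain)


def path_matches(req_path: str, cookie_path: str) -> bool:
    if req_path == cookie_path:
        return True
    if req_path.startswith(cookie_path):
        # "/hereonly" matches "/hereonly/x" but not "/hereonlyfoo"
        return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"
    return False


def matching_cookies(jar: List[Cookie], url: str) -> List[Cookie]:
    """Cookies the browser would attach to a request for url, longest path first."""
    u = urlsplit(url)
    host, path = (u.hostname or "").lower(), u.path or "/"
    hits = [c for c in jar
            if domain_matches(host, c) and path_matches(path, c.path)
            and (u.scheme == "https" or not c.secure)]
    return sorted(hits, key=lambda c: -len(c.path))


def cookie_header(jar: List[Cookie], url: str) -> Optional[str]:
    """The Cookie request header for url, or None when nothing would be sent."""
    hits = matching_cookies(jar, url)
    return "; ".join(f"{c.name}={c.value}" for c in hits) if hits else None


def document_cookie(jar: List[Cookie], url: str) -> str:
    """What document.cookie shows on the page at url: HttpOnly cookies are sent but hidden."""
    return "; ".join(f"{c.name}={c.value}"
                     for c in matching_cookies(jar, url) if not c.httponly)


# Constructed sample: three Set-Cookie headers received from https://www.morgan.com/
SAMPLE_JAR = [
    parse_set_cookie(h, "www.morgan.com") for h in (
        "goldlocation=somewhere; Domain=.morgan.com; secure; httponly",
        "name=value; domain=www.morgan.com; Path=/hereonly",
        "session=abc",
    )
]

if __name__ == "__main__":
    for url in ("https://www.morgan.com/", "http://www.morgan.com/",
                "https://api.morgan.com/", "https://www.morgan.com/hereonly/x",
                "https://www.morgan.com/hereonlyfoo"):
        print(f"{url:40} Cookie: {cookie_header(SAMPLE_JAR, url)}")
    print("document.cookie on https://www.morgan.com/:",
          document_cookie(SAMPLE_JAR, "https://www.morgan.com/"))
```

Running it shows the three effects the wiki describes: the Secure cookie disappears from the plain-http request, the Domain=.morgan.com cookie is the only one that reaches api.morgan.com, and the HttpOnly cookie is sent in the header yet absent from document.cookie.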

The behaviour of HTTP cookies in real-life browsers is not described in any RFC (so quoting an RFC to describe cookies is almost always wrong). The various RFCs are of historical interest.

Browsers are recommended to allow at least 20 cookies per domain and 4 KB per cookie. If you are looking for an alternative to cookies that isn't sent in HTTP headers and can store more data, consider

Implementation Hint

For fans, there is a simple plugin that makes it easy to deal with cookies (write, read and delete); it can be found here.


Questions:

34843 questions
122 votes · 4 answers

Save cookies between two curl requests

I know that using cURL I can see my received cookies / headers by using curl --head www.google.com. And I know that I can add headers to my request using curl --cookie "Key=Value" www.google.com. I am currently working on testing an issue which…
Matt Clark (27,671 · 19 · 68 · 123)

121 votes · 6 answers

Where to store the refresh token on the Client?

My SPA application uses the following architecture (source): This assumes that my client application knows about the refresh token, because I need it to request a new access token if no user credentials (e.g. email/password) are present. My…
Robin Wieruch (14,900 · 10 · 82 · 107)

117 votes · 9 answers

Sending browser cookies during a 302 redirect

Are there any issues with sending back a cookie during a 302 redirect? For example, if I create a return-to-url cookie and redirect the user in the same response, will any (modern) browser ignore the cookie?
Abdullah Jibaly (53,220 · 42 · 124 · 197)

117 votes · 2 answers

Are multiple Cookie headers allowed in an HTTP request?

Usually, a browser groups cookies into a single Cookie header, such as: Cookie: a=1; b=2 Does the standard allow sending these as separate headers, such as: Cookie: a=1 Cookie: b=2 Or do they always have to be on the same line?
BenMorel (34,448 · 50 · 182 · 322)

114 votes · 8 answers

Firefox session cookies

Generally speaking, when given a cookie that has no expiration period, modern browsers will consider this cookie to be a 'session cookie'; they will remove the cookie at the end of the browsing session (generally when the browser instance…
meandmycode (17,067 · 9 · 48 · 42)

114 votes · 7 answers

How to handle multiple cookies with the same name?

Say for example I had an application sending the following HTTP headers to set the cookie named "a": Set-Cookie: a=1;Path=/;Version=1 Set-Cookie: a=2;Path=/example;Version=1 If I access /example on the server both paths are valid, so I have two…
deamon (89,107 · 111 · 320 · 448)

113 votes · 7 answers

How to expire session due to inactivity in Django?

Our Django application has the following session management requirements. Sessions expire when the user closes the browser. Sessions expire after a period of inactivity. Detect when a session expires due to inactivity and display appropriate…
Akbar ibrahim (5,110 · 3 · 26 · 23)

113 votes · 2 answers

How does cookie "Secure" flag work?

I know that a cookie with the secure flag won't be sent via an unencrypted connection. I wonder how this works in depth. Who is responsible for determining whether the cookie will be sent or not?
ted (5,219 · 7 · 36 · 63)

112 votes · 6 answers

jquery save json data object in cookie

How do I save JSON data in a cookie? My JSON data looks like this: $("#ArticlesHolder").data('15', {name:'testname', nr:'4',price:'400'}); $("#ArticlesHolder").data('25', {name:'name2', nr:'1', price:'100'}); $("#ArticlesHolder").data('37',…
Marthin (6,413 · 15 · 58 · 95)

107 votes · 1 answer

What are cookies and sessions, and how do they relate to each other?

I am trying to understand cookies and sessions professionally. I know that when a browser connects to a server, the server "asks" the browser to "paste" a cookie with "phpsessid" in the client browser's cookies folder. Now that we have the…
Blanktext (1,528 · 3 · 12 · 17)

105 votes · 4 answers

How do sessions work in Express.js with Node.js?

Using Express.js, sessions are dead simple. I'm curious how they actually work though. Does it store some cookie on the client? If so, where can I find that cookie? If required, how do I decode it? I basically want to be able to see if a user is…
foobar (10,854 · 18 · 58 · 66)

105 votes · 11 answers

How do you set up use HttpOnly cookies in PHP

How can I set the cookies in my PHP apps as HttpOnly cookies?
Scott Warren (1,069 · 2 · 9 · 5)

104 votes · 10 answers

PHP setcookie "SameSite=Strict"?

I recently read "RFC 6265" on the attribute "Same Site". I looked at some articles that talked about that; in April 2016 the "same-site" attribute was implemented for Chrome 51 and Opera 39 ... I wonder if current PHP supports creating cookies with…
Lauro Moraes (1,358 · 2 · 14 · 16)

104 votes · 1 answer

Why doesn't document.cookie show all the cookies for the site?

I go to a forum which uses vBulletin 3.8. When I log in, I use Firebug to see what cookies were set. I see these cookies: __utmb, __utmc, __utma, __utmz, bbsessionhash, vbseo_loggedin, bbpassword, bbuserid, bblastactivity, bblastvisit They all had…
kiennt (1,514 · 2 · 14 · 13)

103 votes · 12 answers

how to delete all cookies of my website in php

I'm wondering if I can delete all my website's cookies when a user clicks on logout, because I used this as a function to delete cookies but it isn't working properly: setcookie("user",false); Is there a way to delete one domain's cookies in PHP?
Mac Taylor (5,020 · 14 · 50 · 73)