Quiz Entry - updated: 2026.07.14
How do you set secure cookie flags for a session ID?
Set HttpOnly, Secure, and SameSite flags on every session cookie.
HTTP response header:
Set-Cookie: SESSIONID=abc123xyz;
HttpOnly;
Secure;
SameSite=Lax;
Path=/;
Max-Age=1800
| Flag | What it does | Prevents |
|---|---|---|
HttpOnly |
JavaScript can't access the cookie | XSS cookie theft (document.cookie) |
Secure |
Cookie only sent over HTTPS | Network sniffing |
SameSite=Lax |
Cookie not sent with cross-origin POST | CSRF attacks |
SameSite=Strict |
Cookie never sent cross-origin | Strongest CSRF protection |
Path=/ |
Cookie sent for all paths | Unintended path restrictions |
Max-Age=1800 |
Cookie expires after 30 minutes | Stale sessions |
Tip: Use SameSite=Lax as default (allows top-level navigations like clicking links). Use Strict for highly sensitive apps where cross-site linking isn't needed.
Go deeper:
HTTP cookie (Wikipedia) — the Secure, HttpOnly and SameSite attributes and the attacks each one blunts.