LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How do you set secure cookie flags for a session ID?

Set HttpOnly, Secure, and SameSite flags on every session cookie.

HTTP response header:

Set-Cookie: SESSIONID=abc123xyz;
  HttpOnly;
  Secure;
  SameSite=Lax;
  Path=/;
  Max-Age=1800
Flag What it does Prevents
HttpOnly JavaScript can't access the cookie XSS cookie theft (document.cookie)
Secure Cookie only sent over HTTPS Network sniffing
SameSite=Lax Cookie not sent with cross-origin POST CSRF attacks
SameSite=Strict Cookie never sent cross-origin Strongest CSRF protection
Path=/ Cookie sent for all paths Unintended path restrictions
Max-Age=1800 Cookie expires after 30 minutes Stale sessions

Tip: Use SameSite=Lax as default (allows top-level navigations like clicking links). Use Strict for highly sensitive apps where cross-site linking isn't needed.

Go deeper:

From Quiz: SPRG / Authentication & Session Management | Updated: Jul 14, 2026