Quiz Entry - updated: 2026.07.14
What is an HTTP cookie, and what are its main attributes?
A small text record (name=value plus metadata) the server stores in the browser via Set-Cookie: — the browser automatically sends it back on every matching request.
It's the most common way to carry session state (the "ticket" pattern from stateless HTTP).
Key attributes:
| Attribute | What it does | Why it matters |
|---|---|---|
Expires / Max-Age |
When to delete the cookie. Absent = "session cookie", gone when browser closes | Persistent cookies survive restarts → bigger theft window |
Secure |
Only send over HTTPS | Without it, the cookie leaks on the first HTTP request on coffee-shop Wi-Fi |
HttpOnly |
Not accessible to JavaScript (document.cookie) |
Cripples cookie theft via XSS |
SameSite=Lax|Strict |
Don't send on cross-site requests (or only for top-level navigations) | Defeats most CSRF; should be default |
Domain / Path |
Which URLs the cookie is sent to | Tighter scope = smaller blast radius |
Properties cookies inherit:
- They are managed by the browser, sent automatically — the application code doesn't choose when to attach them.
- The user (and any browser-resident JS, without
HttpOnly) can see and edit them.
Tip: A modern session cookie should be Set-Cookie: sid=…; HttpOnly; Secure; SameSite=Lax; Path=/. Anything less is leaving a known door unlocked.