LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is an HTTP cookie, and what are its main attributes?

A small text record (name=value plus metadata) the server stores in the browser via Set-Cookie: — the browser automatically sends it back on every matching request.

It's the most common way to carry session state (the "ticket" pattern from stateless HTTP).

Key attributes:

Attribute What it does Why it matters
Expires / Max-Age When to delete the cookie. Absent = "session cookie", gone when browser closes Persistent cookies survive restarts → bigger theft window
Secure Only send over HTTPS Without it, the cookie leaks on the first HTTP request on coffee-shop Wi-Fi
HttpOnly Not accessible to JavaScript (document.cookie) Cripples cookie theft via XSS
SameSite=Lax|Strict Don't send on cross-site requests (or only for top-level navigations) Defeats most CSRF; should be default
Domain / Path Which URLs the cookie is sent to Tighter scope = smaller blast radius

Properties cookies inherit:

  • They are managed by the browser, sent automatically — the application code doesn't choose when to attach them.
  • The user (and any browser-resident JS, without HttpOnly) can see and edit them.

Tip: A modern session cookie should be Set-Cookie: sid=…; HttpOnly; Secure; SameSite=Lax; Path=/. Anything less is leaving a known door unlocked.

From Quiz: ISF / Web Application Security Basics | Updated: Jul 14, 2026