Questions tagged [cookies]

An HTTP cookie is a piece of data stored by the user's web browser. Unless otherwise specified, cookies can be created, read, modified and deleted both by JavaScript and by the server through HTTP headers.

Cookies can be used to remember the state of the session, such as authentication, state of GUI controls and personalization through user preferences. They can also be inappropriately used to track the browsing history and to transfer malware.

A server sets a cookie using the Set-Cookie HTTP header:

 Set-Cookie: someName=someValue; Expires=Fri, 18-Jan-2013 10:13:13 GMT
 Set-Cookie: someOther=someOtherValue

Cookies can also be set on responses for images and similar content, which makes them a powerful tracking tool. Once a cookie is set, the browser reports it back:

 Cookie: someName=someValue; someOther=someOtherValue

For more security, cookies can be restricted to some domain and path:

 Set-Cookie: name=value; domain=www.foo.com; Path=/hereonly

Cookies can also carry the additional secure attribute (sent over HTTPS only, but still accessible through JavaScript) and the httponly attribute (sent over HTTP or HTTPS, but not accessible through JavaScript):

 Set-Cookie: goldlocation=somewhere; Domain=.morgan.com; secure; httponly

In this example the cookie is accessible to all subdomains of morgan.com, but only through HTTPS, and it is not accessible from JavaScript.

Cookie access control is based on domain, (optionally) path and (optionally) URL scheme (http: vs. https:). The rules governing cookies are not the same as the access control rules of the DOM in JavaScript, which are based on the same-origin policy. Because cookie access is mostly based on domain name, however, the cookie rules are sometimes confused with the usual same-origin policy.

The behaviour of HTTP cookies in real-life browsers is not described in any RFC (thus quoting an RFC to describe cookies is almost always wrong). The various RFCs are of historical interest.

Browsers are recommended to allow at least 20 cookies per domain and 4 KB per cookie. If you are looking for an alternative to cookies that isn't sent in HTTP headers and can store more data, consider

Implementation Hint

For fans, a simple plugin that makes it easy to deal with cookies (write, read and delete) can be found here.


Questions:

34843 questions
1446 votes, 9 answers

Local Storage vs Cookies

I want to reduce load times on my websites by moving all cookies into local storage since they seem to have the same functionality. Are there any pros/cons (especially performance-wise) in using local storage to replace cookie functionality except…
Gio Borje
1344 votes, 18 answers

How do I set/unset a cookie with jQuery?

How do I set and unset a cookie using jQuery, for example create a cookie named test and set the value to 1?
omg
1167 votes, 17 answers

How do I expire a PHP session after 30 minutes?

I need to keep a session alive for 30 minutes and then destroy it.
Tom
768 votes, 11 answers

What is the difference between localStorage, sessionStorage, session and cookies?

What are the technical pros and cons of localStorage, sessionStorage, session and cookies, and when would I use one over the other?
Pank
735 votes, 4 answers

Set cookie and get cookie with JavaScript

I'm trying to set a cookie depending on which CSS file I choose in my HTML. I have a form with a list of options, and different CSS files as values. When I choose a file, it should be saved to a cookie for about a week. The next time you open your…
DrWooolie
704 votes, 7 answers

Share cookies between subdomain and domain

I have two questions. I understand that if I specify the domain as .example.com (with the leading dot) in the cookie that all subdomains can share a cookie. Can subdomain.example.com access a cookie created in example.com (without the www…
adam0101
557 votes, 9 answers

Do sessions really violate RESTfulness?

Is using sessions in a RESTful API really violating RESTfulness? I have seen many opinions going either direction, but I'm not convinced that sessions are RESTless. From my point of view: authentication is not prohibited for RESTfulness (otherwise…
deceze
555 votes, 48 answers

Get cookie by name

I have a getter to get the value from a cookie. Now I have 2 cookies by the name shares= and by the name obligations= . I want to make this getter only to get the values from the obligations cookie. How do I do this? So the for splits the data…
user1395001
548 votes, 4 answers

What is the best way to implement "remember me" for a website?

I want my website to have a checkbox that users can click so that they will not have to log in each time they visit my website. I know I will need to store a cookie on their computer to implement this, but what should be contained in that cookie? …
Eddie Deyo
483 votes, 8 answers

Are HTTP cookies port specific?

I have two HTTP services running on one machine. I just want to know if they share their cookies or whether the browser distinguishes between the two server sockets.
guerda
466 votes, 9 answers

How do browser cookie domains work?

Due to weird domain/subdomain cookie issues that I'm getting, I'd like to know how browsers handle cookies. If they do it in different ways, it would also be nice to know the differences. In other words - when a browser receives a cookie, that…
Vilx-
459 votes, 13 answers

How to delete a cookie?

Is my function of creating a cookie correct? How do I delete the cookie at the beginning of my program? Is there a simple coding? function createCookie(name,value,days) function setCookie(c_name,value,1) { document.cookie = c_name + "="…
kennedy
423 votes, 4 answers

Why is it common to put CSRF prevention tokens in cookies?

I'm trying to understand the whole issue with CSRF and appropriate ways to prevent it. (Resources I've read, understand, and agree with: OWASP CSRF Prevention Cheat Sheet, Questions about CSRF) As I understand it, the vulnerability around CSRF is…
metamatt
419 votes, 27 answers

Clearing all cookies with JavaScript

How do you delete all the cookies for the current domain using JavaScript?
polarbear
399 votes, 22 answers

Cookie blocked/not saved in IFRAME in Internet Explorer

I have two websites, let's say they're example.com and anotherexample.net. On anotherexample.net/page.html, I have an IFRAME SRC="http://example.com/someform.asp". That IFRAME displays a form for the user to fill out and submit to…
Piskvor left the building