Http Cookie

What Is Http Cookie?

An HTTP cookie is a small piece of state data that a web server instructs a client's browser to store locally and return with subsequent requests to the same server. Because the HTTP protocol itself is stateless, cookies provide the primary mechanism by which web applications maintain continuity across multiple requests. A server sends a cookie to the browser via the Set-Cookie response header; the browser stores it and includes it in the Cookie request header on future requests matching the cookie's domain and path scope. The current formal definition appears in RFC 6265, the IETF HTTP State Management Mechanism standard.

Cookies were introduced by Netscape Communications in 1994 as a practical solution to the statelessness problem in early web commerce. The first IETF standardization attempt, RFC 2109, appeared in 1997 and was superseded by RFC 2965 in 2000, which was itself replaced by RFC 6265 in 2011. An actively developed successor draft, rfc6265bis, extends the standard with additional security attributes introduced by major browser vendors.

A cookie consists of a name-value pair and a collection of optional attributes that control its scope and lifetime. The Domain attribute specifies which hostnames may receive the cookie; the Path attribute restricts it to a subtree of the server's URL space. The Expires or Max-Age attribute determines whether the cookie persists after the browser session ends: a session cookie with no expiry is deleted when the browser closes, while a persistent cookie remains until its explicit expiration date.

Security-relevant attributes include Secure, which restricts transmission to HTTPS connections, and HttpOnly, which prevents client-side JavaScript from reading the cookie value and reduces the impact of cross-site scripting attacks. The SameSite attribute, added informally by browser implementors and later codified in the rfc6265bis draft specification, controls whether the browser sends the cookie with cross-site requests, providing a direct defense against cross-site request forgery (CSRF).

Session Management and Authentication

Cookies are the standard carrier for session identifiers in web applications. On successful login, the server generates a unique, cryptographically random session token, stores it server-side against the user's authenticated state, and delivers it to the browser as a cookie. All subsequent requests automatically include the token, allowing the server to identify the session without requiring the user to re-authenticate on each page.

The security of this pattern depends on several properties: the token must be unguessable (sufficient entropy), must be transmitted only over TLS (Secure flag), and must be protected from JavaScript access where possible (HttpOnly flag). Session fixation attacks arise when applications allow an attacker-chosen token to be elevated to an authenticated session, and session hijacking occurs when the token is intercepted in transit or exfiltrated via XSS. RFC 6265 notes that cookies encourage developers to rely on ambient authority and that transport-layer encryption alone is insufficient because the cookie protocol itself has additional attack surfaces.

Privacy, Security, and Regulatory Considerations

Third-party cookies, set by domains other than the page origin and used primarily for cross-site tracking, became the focus of significant regulatory and browser policy changes in the 2010s and 2020s. The EU ePrivacy Directive and the General Data Protection Regulation (GDPR) require informed consent before non-essential cookies are stored. Major browsers began phasing out third-party cookies in response to privacy concerns, with WHATWG and browser vendor documentation reflecting the incremental tightening of default cookie policies through SameSite enforcement and partitioned storage proposals.

Applications

HTTP cookies have applications in a range of fields, including:

  • Web application session management and user authentication
  • Personalization of content, language settings, and user preferences
  • Shopping cart persistence in e-commerce platforms
  • Analytics and behavioral tracking across page visits
  • Single sign-on (SSO) flows using shared session tokens across subdomains
Loading…