Cookies serve as a transport mechanism in HTTP. A server can tell a client to store cookies (key-value pairs) in the browser by specifying them in an HTTP response. From that point onward, the browser automatically includes the cookies in its request headers, as long as they have not expired.

Cookies are often used for storing authentication tokens (client sends request to log in → server sends auth token back as a cookie), among other client-side settings (e.g. site appearance, last used option, etc.).

To protect cookies from abuse, the server can add some parameters when setting a cookie to tell the browser when it’s okay to send the cookie or to allow access to it.

  • HttpOnly: prevents scripts from reading the cookie
  • SameSite: SameSite=strict prevents the cookie from being used by another site to perform cross-origin requests, so even if a CORS policy allows thirdparty.com to perform requests to firstparty.com, thirdparty.com can’t use the user’s SameSite cookies from firstparty.com. This is an effective way to prevent CSRF attacks.
  • Secure: prevents the cookie from being sent over cleartext transport (HTTP), i.e. transporting this cookie requires HTTPS
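
To check these parameters in practice, the following added example (not part of the original page) parses the value of a `Set-Cookie` response header and reports which of the three protections are absent. The function names and sample headers are constructed for illustration, and requiring SameSite=strict is the policy assumed here.

```javascript
// Constructed Set-Cookie header values (not taken from any real site).
const SAMPLE_HEADERS = [
  "auth_token=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
  "auth_token=abc123; Path=/",
  "auth_token=a=b; secure; samesite=lax",
];

// Split one Set-Cookie value into the cookie name and a Map of attributes.
// Attribute names are case-insensitive, so they are lower-cased here.
// A Map is used so attacker-influenced keys cannot collide with object internals.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((p) => p.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq);
  const attrs = new Map();
  for (const part of rest) {
    if (part === "") continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? "" : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

// Report which of the three protections described above are absent.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.has("httponly")) findings.push("no HttpOnly: scripts can read the cookie");
  if (!attrs.has("secure")) findings.push("no Secure: cookie can travel over cleartext HTTP");
  const sameSite = (attrs.get("samesite") || "").toLowerCase();
  if (sameSite !== "strict") {
    findings.push(`SameSite is ${sameSite || "unset"}, not strict: cross-site requests may carry the cookie`);
  }
  return { name, findings };
}

for (const header of SAMPLE_HEADERS) {
  const { name, findings } = auditSetCookie(header);
  console.log(`${name}: ${findings.length ? findings.join("; ") : "ok"}`);
}
```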