Cookie Security

Cookies are set using the Set-Cookie HTTP response header, in the format shown below.

Set-Cookie: <cookie-name>=<cookie-value>; Expires=<date>; Domain=<domain-value>; Secure; HttpOnly; SameSite=<samesite-value>;

Domain - Defines the domain for which the cookie is set (the browser discards attempts to set cookies cross-origin). If Domain is set, that domain and its subdomains have access to the cookie. If no Domain is set, only the current domain has access to the cookie by default.

Expires - Denotes when the cookie should expire and be deleted from the browser.

Secure - If set, the cookie is only transmitted over a secure HTTPS connection.

HttpOnly - If set, prevents the cookie from being accessed through JavaScript APIs such as document.cookie. (Mitigates cookie theft and session impersonation through XSS.)

SameSite - Can have three possible values: None, Lax, Strict.

  • None - Cookies are sent in cross-site requests of every kind: forms, AJAX requests, embedding the page in frames, etc.

  • Lax - Cookies are sent in a cross-origin request only through top-level navigations such as redirects, window.open() and related JavaScript APIs that use a simple GET request. Cookies are not sent through forms, AJAX requests or frames when the request is cross-origin. This is the default for most modern browsers since 2021. [Prevents most CSRF attacks except GET-based CSRF]

  • Strict - Cookies are not sent in any cross-origin request: not in forms, AJAX requests, frames or any type of navigation from another origin, providing the highest protection against CSRF.
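As an added example (not part of the original page), here is a small Python auditor that parses a Set-Cookie header into its attributes, reports which of the protections above are missing or weakened, and builds a hardened header. The sample headers, the cookie name sessionid and the domain example.com are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the attributes discussed above.
# Sample headers below are constructed, not taken from any real application.
from datetime import datetime
from email.utils import formatdate
from typing import Optional


def parse_set_cookie(header: str) -> dict:
    """Parse a Set-Cookie header into {'name', 'value', 'attrs'}.

    attrs maps lower-cased attribute names to their value; flags that carry
    no value (Secure, HttpOnly) map to True.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str, session_cookie: bool = True) -> list:
    """Return findings (strings) for weak or missing cookie attributes."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if session_cookie and "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie (XSS theft)")
    samesite = str(attrs.get("samesite", "")).lower()
    if not samesite:
        findings.append("missing SameSite: relying on the browser default (Lax in modern browsers)")
    elif samesite == "none":
        findings.append("SameSite=None: sent on all cross-site requests, no CSRF protection from SameSite")
        if "secure" not in attrs:
            # Modern browsers reject SameSite=None unless Secure is also set.
            findings.append("SameSite=None without Secure: modern browsers reject this cookie")
    domain = attrs.get("domain")
    if isinstance(domain, str) and domain:
        findings.append(f"Domain={domain}: cookie is shared with all subdomains of {domain.lstrip('.')}")
    return findings


def build_set_cookie(name: str, value: str, same_site: str = "Lax",
                     expires: Optional[datetime] = None,
                     domain: Optional[str] = None) -> str:
    """Build a Set-Cookie header with Secure, HttpOnly and SameSite always set."""
    parts = [f"{name}={value}", "Path=/"]
    if domain:
        parts.append(f"Domain={domain}")
    if expires is not None:
        # Expires must be an HTTP-date in GMT, e.g. "Wed, 21 Oct 2015 07:28:00 GMT".
        parts.append("Expires=" + formatdate(expires.timestamp(), usegmt=True))
    parts += ["Secure", "HttpOnly", f"SameSite={same_site}"]
    return "; ".join(parts)


# Constructed sample: a weak session cookie, and its hardened replacement.
WEAK_HEADER = "Set-Cookie: sessionid=abc123; Domain=example.com; SameSite=None"
HARDENED_HEADER = build_set_cookie("sessionid", "abc123", same_site="Strict")

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(f"{label}: {header}")
        for finding in audit_cookie(header) or ["no findings"]:
            print("  -", finding)
```

Run the file directly to see the findings for the weak header and the clean result for the hardened one; pass session_cookie=False to audit_cookie for non-session cookies that legitimately need to be readable from JavaScript.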

For all possible cookie directives and flags, refer to MDN.
