Cookie Attributes

Start here when a cookie behaves differently than you expected across environments, subdomains, or cross-site requests.

Domain

Learn how the Domain cookie attribute controls which domains can access cookies. Understand subdomain sharing, security implications, and restrictions.

Expires

Learn how the Expires cookie attribute sets an absolute expiration date. Understand date formats, timezone handling, and when to use Expires vs Max-Age.

HttpOnly Cookie Attribute: XSS Protection

Learn how the HttpOnly cookie attribute protects against XSS attacks by preventing JavaScript access to sensitive cookies.

Max-Age

Learn how the Max-Age cookie attribute sets expiration in seconds from now. Understand why Max-Age is preferred over Expires for reliable lifetime control.

Path

Learn how the Path cookie attribute restricts which URL paths can receive cookies. Understand path matching rules and how to scope cookies to specific routes.

SameSite Cookie Attribute: CSRF Protection

Learn how the SameSite cookie attribute prevents CSRF attacks, the differences between Strict, Lax, and None, and when to use each.

Secure

Learn how the Secure cookie attribute ensures cookies are only sent over HTTPS connections. Protect sensitive data from man-in-the-middle attacks.

What Cookie Attributes Control

Most cookie bugs are not about the cookie value itself. They come from the rules that decide whether the browser stores the cookie, sends it back later, or refuses to include it in a cross-site flow.

Transport
Secure keeps the cookie on HTTPS. If login works locally but breaks after a redirect or proxy hop, start here.
Script access
HttpOnly keeps client-side JavaScript from reading the cookie directly. That matters most for session and refresh cookies.
Cross-site behavior
SameSite decides when the browser sends the cookie on cross-site navigations, embeds, and form submissions.
Scope and lifetime
Domain, Path, Expires, and Max-Age decide where the cookie applies and how long it sticks around.

Developers Usually Land Here When

Use this hub when the browser is doing something annoying but technically correct.

  • A cookie shows up in DevTools but is missing on the next request.
  • Auth works on one subdomain or environment but not another.
  • A login, embedded flow, or CSRF fix changed how cookies travel across sites.

Common Cookie Debug Questions

Which cookie attributes matter most for authentication cookies?

Usually Secure, HttpOnly, and SameSite. They control whether the cookie stays on HTTPS, whether JavaScript can read it, and whether the browser will send it in cross-site situations.

Should I use Expires or Max-Age?

Prefer Max-Age when you can because it is relative and easier to reason about. Expires is still common, but absolute dates are easier to misread and harder to test.

Why does the browser show Set-Cookie but not send the cookie back?

Usually one of three reasons: the cookie was scoped to the wrong domain or path, the browser rejected it because of SameSite or Secure rules, or it expired sooner than you expected.
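The three debug questions above come down to a handful of mechanical rules: which attributes an authentication cookie should carry, and whether domain, path, Secure and SameSite let the browser attach the cookie to a given request. The following Python module is an added example written for this page, not code from the original or from any browser; it parses a Set-Cookie header, audits it the way a reviewer would for a session cookie, and predicts whether the browser would send it on a request using the RFC 6265 domain- and path-match rules. The sample headers are constructed, the function names are the example's own, and treating an absent SameSite as Lax is an assumption that mirrors Chromium's default rather than every browser.

```python
"""Cookie attribute checker (added example): parse Set-Cookie, audit the
attributes that matter for auth cookies, and predict whether the browser
would attach the cookie to a given request. Sample headers are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None      # None means host-only: exact host match only
    path: str = "/"
    secure: bool = False
    http_only: bool = False
    same_site: Optional[str] = None   # "strict", "lax", "none", or None when absent
    max_age: Optional[int] = None
    expires: Optional[str] = None


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie.domain = val.lstrip(".").lower()   # browsers ignore a leading dot
        elif key == "path":
            cookie.path = val if val.startswith("/") else "/"
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "samesite":
            cookie.same_site = val.lower()
        elif key == "max-age":
            cookie.max_age = int(val)
        elif key == "expires":
            cookie.expires = val
    return cookie


def audit_auth_cookie(cookie: Cookie) -> List[str]:
    """Findings a reviewer would raise for a session or refresh-token cookie."""
    findings = []
    if not cookie.secure:
        findings.append("missing Secure: cookie is also sent over plain http")
    if not cookie.http_only:
        findings.append("missing HttpOnly: page scripts can read the cookie")
    if cookie.same_site is None:
        findings.append("missing SameSite: browser default applies, set it explicitly")
    elif cookie.same_site == "none" and not cookie.secure:
        findings.append("SameSite=None without Secure: browsers reject the cookie")
    if cookie.max_age is not None and cookie.expires is not None:
        findings.append("both Max-Age and Expires set: Max-Age takes precedence")
    return findings


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: equal, or a prefix that ends in '/' or is followed by '/'."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def would_be_sent(cookie: Cookie, set_on_host: str, request_url: str,
                  cross_site: bool = False, top_level_get: bool = True) -> Tuple[bool, str]:
    """Predict whether the browser attaches the cookie to request_url.
    set_on_host is the host that issued Set-Cookie; cross_site and
    top_level_get describe the request context the SameSite rules consider."""
    url = urlsplit(request_url)
    host = (url.hostname or "").lower()
    if cookie.domain is None:
        if host != set_on_host.lower():
            return False, f"host-only cookie from {set_on_host} is not sent to {host}"
    elif not (host == cookie.domain or host.endswith("." + cookie.domain)):
        return False, f"Domain={cookie.domain} does not cover {host}"
    request_path = url.path or "/"
    if not path_matches(request_path, cookie.path):
        return False, f"Path={cookie.path} does not match {request_path}"
    if cookie.secure and url.scheme != "https":
        return False, "Secure cookie is not sent over http"
    if cross_site:
        # Assumption: absent SameSite is treated as Lax, as Chromium does.
        same_site = cookie.same_site or "lax"
        if same_site == "strict":
            return False, "SameSite=Strict cookie is not sent on cross-site requests"
        if same_site == "lax" and not top_level_get:
            return False, "SameSite=Lax cookie only travels on cross-site top-level GET navigations"
        if same_site == "none" and not cookie.secure:
            return False, "SameSite=None requires Secure; the cookie was never stored"
    return True, "sent"


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real site.
    good = parse_set_cookie("session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")
    weak = parse_set_cookie("sid=1; Path=/app; SameSite=None")
    print(audit_auth_cookie(good))
    print(audit_auth_cookie(weak))
    print(would_be_sent(good, "app.example.com", "https://api.example.com/"))
```

Run it against the Set-Cookie values you see in DevTools: `audit_auth_cookie` answers the first question, and `would_be_sent` reproduces the "stored but not sent back" case by naming which rule (domain, path, Secure, or SameSite) stopped the cookie. Expiry is deliberately left to the audit's Max-Age/Expires check, since clock skew in Expires is easier to spot by reading the date than by simulating it.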