HTTP Cookie

TL;DR: A small piece of data stored by your browser for a website to remember information between visits. Essential for login sessions, preferences, and tracking.

An HTTP cookie is a small piece of data that a website stores in your browser. Think of it like a hand stamp at an event - it helps the website remember you when you come back.

How Cookies Work

Cookies are created when a server sends a Set-Cookie header in its response:

Set-Cookie: sessionId=abc123; Expires=Wed, 21 Oct 2025 07:28:00 GMT
```text

Your browser automatically includes these cookies in future requests to that same website:

```http
Cookie: sessionId=abc123

Cookie Attributes

• Expires/Max-Age: When the cookie should be deleted
• Domain: Which websites can access the cookie
• Path: Which URL paths can access the cookie
• Secure: Only send over HTTPS connections
• HttpOnly: Prevent JavaScript from accessing the cookie
• SameSite: Control cross-site request behavior

Common Uses

Session Management: Keep you logged in across page visits

Set-Cookie: sessionId=xyz789; HttpOnly; Secure
```text

**User Preferences**: Remember your settings

```http
Set-Cookie: theme=dark; Max-Age=31536000

Tracking: Analytics and advertising (often third-party)

Set-Cookie: trackingId=abc123; Domain=.analytics.com

Without cookies, websites would treat every visit like you’re a completely new visitor. You’d have to log in for every page and lose your shopping cart between clicks.

Security Considerations

Always use Secure and HttpOnly flags for sensitive cookies. The SameSite attribute helps prevent CSRF attacks by controlling when cookies are sent with cross-site requests.

Related: Session • Header • Response