HTTP Cookie

Learn what HTTP cookies are and how browsers store small data pieces for websites. Understand cookie attributes, security, and session management.

TL;DR: Cookies are how a browser remembers small pieces of state for a site between requests. They are simple in concept, but a lot of authentication and security behavior depends on them.

An HTTP cookie is a small name-value pair that a server asks the browser to store and send back later. Cookies are one of the main ways the web adds continuity to a protocol that is otherwise stateless.

Why Cookies Exist

Without cookies, every request would look like it came from a stranger. A site would not easily remember:

  • whether you are signed in
  • what is in your shopping cart
  • which language or theme you prefer
  • whether you already dismissed a notice or completed a step

That is why cookies show up in everything from login flows to basic preferences.

How Cookies Move Through HTTP

The server sets a cookie in the response:

Set-Cookie: sessionId=abc123; HttpOnly; Secure; SameSite=Lax

The browser stores it and later sends it back on matching requests:

Cookie: sessionId=abc123

That round trip is what makes sessions and browser state work.

The Attributes Matter More Than People Expect

Most cookie bugs are not about the cookie value. They are about the attributes:

  • Secure: only send it over HTTPS
  • HttpOnly: do not expose it to JavaScript
  • SameSite: control cross-site sending behavior
  • Domain: decide which hosts can receive it
  • Path: limit it to part of the site
  • Expires or Max-Age: decide how long it lasts

When a cookie “exists” in DevTools but still does not behave correctly, one of those attributes is usually the reason.

A Helpful Mental Model

Think of a cookie as two things at once:

  • stored browser state
  • an instruction set about when that state is allowed to travel

The second part is why cookies are powerful and why they are easy to misconfigure.
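The round trip above and the attribute list are easiest to internalise by modelling the browser's side of the decision. The following is an added example written for this entry, not code from the original page: it parses a Set-Cookie value into the attributes described above and then decides, for a constructed request, whether the stored state is allowed to travel. The cookie name, hostnames, paths and the fixed clock value are all constructed; the rules follow the attribute semantics the text lists (Secure, Domain, Path, SameSite, Expires/Max-Age) and are a teaching model, not a complete RFC 6265bis cookie jar.

```python
"""Browser-side cookie model: parse one Set-Cookie header, then decide whether
the stored cookie travels on a later request. Constructed teaching example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    set_host: str                       # host that set it (used for host-only cookies)
    secure: bool = False
    httponly: bool = False
    samesite: str = "Lax"               # modern browsers treat a missing SameSite as Lax
    domain: Optional[str] = None        # None = host-only cookie
    path: str = "/"
    expires: Optional[datetime] = None  # None = session cookie


@dataclass
class Request:
    scheme: str
    host: str
    path: str
    method: str = "GET"
    cross_site: bool = False            # request initiated by a different site
    top_level_navigation: bool = False  # e.g. the user followed a link


def parse_set_cookie(header: str, set_host: str, now: Optional[datetime] = None) -> Cookie:
    """Parse a Set-Cookie value; attribute names are case-insensitive."""
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), set_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "samesite":
            cookie.samesite = val.capitalize() or "Lax"
        elif key == "domain":
            cookie.domain = val.lstrip(".").lower()
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "max-age":  # Max-Age takes precedence over Expires
            cookie.expires = now + timedelta(seconds=int(val))
        elif key == "expires" and cookie.expires is None:
            cookie.expires = parsedate_to_datetime(val)
    if cookie.samesite == "None" and not cookie.secure:
        raise ValueError("browsers reject SameSite=None without Secure")
    return cookie


def _path_matches(cookie_path: str, request_path: str) -> bool:
    # RFC 6265 path-match: equal, or the cookie path is a prefix ending on a "/" boundary
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def should_send(cookie: Cookie, req: Request, now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Decide whether the browser attaches `cookie` to `req`; returns (send, reason)."""
    now = now or datetime.now(timezone.utc)
    if cookie.expires is not None and now >= cookie.expires:
        return False, "expired"
    if cookie.secure and req.scheme != "https":
        return False, "Secure cookie, non-HTTPS request"
    host = req.host.lower()
    if cookie.domain is None:
        if host != cookie.set_host:
            return False, "host-only cookie, different host"
    elif host != cookie.domain and not host.endswith("." + cookie.domain):
        return False, "Domain does not match"
    if not _path_matches(cookie.path, req.path):
        return False, "Path does not match"
    if req.cross_site:
        if cookie.samesite == "Strict":
            return False, "SameSite=Strict blocks cross-site sending"
        if cookie.samesite == "Lax" and not (req.top_level_navigation and req.method in ("GET", "HEAD")):
            return False, "SameSite=Lax only allows top-level GET navigations cross-site"
    return True, "sent"


def demo() -> dict:
    """Run the header from the text through a few constructed requests (fixed clock)."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    c = parse_set_cookie("sessionId=abc123; HttpOnly; Secure; SameSite=Lax", "app.example.com", now)
    return {
        "same_site_https": should_send(c, Request("https", "app.example.com", "/account"), now),
        "plain_http": should_send(c, Request("http", "app.example.com", "/account"), now),
        "cross_site_post": should_send(c, Request("https", "app.example.com", "/api/transfer",
                                                  method="POST", cross_site=True), now),
        "cross_site_link": should_send(c, Request("https", "app.example.com", "/",
                                                  cross_site=True, top_level_navigation=True), now),
        "other_host": should_send(c, Request("https", "cdn.example.com", "/"), now),
    }


if __name__ == "__main__":
    for scenario, (sent, reason) in demo().items():
        print(f"{scenario:16} {'sends' if sent else 'withholds'}: {reason}")
```

Running `demo()` shows the point of the mental model: the same stored value is sent on a same-site HTTPS request and on a cross-site top-level link, but withheld over plain HTTP, on a cross-site POST, and for a sibling host, purely because of the attributes, not the value. The `cross_site_post` case is the one that matters for CSRF, and the `plain_http` case for leakage.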

Security Is Not Optional Here

Authentication cookies deserve extra care because browsers attach them automatically. If you do not set the attributes deliberately, you leave the session open to avoidable problems: cookie theft through XSS, CSRF, or session leakage.

For session cookies, a strong default is usually:

  • Secure
  • HttpOnly
  • a deliberate SameSite choice
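On the server side, the defaults above are easy to apply and just as easy to check for. The following added example (not from the original page) uses Python's standard-library `http.cookies.SimpleCookie` to emit a session cookie with Secure, HttpOnly and an explicit SameSite, and to audit any Set-Cookie value against that policy. The cookie name, value, lifetime and the audit policy itself are assumptions chosen for illustration.

```python
"""Server side: emit a session cookie with Secure, HttpOnly and an explicit
SameSite, and audit Set-Cookie values for missing protections. Constructed example."""
from http.cookies import SimpleCookie
from typing import List


def session_set_cookie(name: str, value: str, samesite: str = "Lax", max_age: int = 3600) -> str:
    """Build a Set-Cookie value for a session cookie with the recommended defaults."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["secure"] = True        # only sent over HTTPS
    morsel["httponly"] = True      # not readable from document.cookie
    morsel["samesite"] = samesite  # a deliberate choice, not the browser's fallback
    morsel["path"] = "/"
    morsel["max-age"] = max_age    # assumed lifetime for the example
    return morsel.OutputString()


def audit_set_cookie(header: str) -> List[str]:
    """Return the problems found in a Set-Cookie value; an empty list means it passes."""
    jar = SimpleCookie()
    jar.load(header)
    problems = []
    for name, m in jar.items():
        if not m["secure"]:
            problems.append(f"{name}: missing Secure")
        if not m["httponly"]:
            problems.append(f"{name}: missing HttpOnly")
        samesite = m["samesite"].capitalize()
        if not samesite:
            problems.append(f"{name}: SameSite not set explicitly")
        elif samesite == "None" and not m["secure"]:
            problems.append(f"{name}: SameSite=None requires Secure")
    return problems


# Weak header (constructed) beside the hardened one the function emits.
WEAK = "sessionId=abc123"
HARDENED = session_set_cookie("sessionId", "abc123")

if __name__ == "__main__":
    print("weak:    ", WEAK, "->", audit_set_cookie(WEAK))
    print("hardened:", HARDENED, "->", audit_set_cookie(HARDENED))
```

`audit_set_cookie` is the kind of check worth running in an integration test against real responses, since it catches the common failure the text describes: a cookie that is present in DevTools but is missing the attribute that would have protected it.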

Frequently Asked Questions

What is an HTTP cookie?

A cookie is a small piece of data stored by the browser for a site. Servers create cookies with Set-Cookie, and browsers send matching cookies back on later requests.

What are cookies used for?

Cookies are used for sessions, preferences, and sometimes tracking. They let a site remember state across otherwise independent HTTP requests.

Are cookies secure?

They can be, but only if you configure them carefully. Sensitive cookies should usually use Secure, HttpOnly, and an intentional SameSite setting.

How long do cookies last?

Session cookies usually disappear when the browser session ends. Persistent cookies stay until their Expires or Max-Age limit, unless the browser or user deletes them sooner.
