Rowan Merewood explained, in light of the new cookie policies being increasingly adopted, how to create and configure cookies according to the scope and security required by the situation. Merewood also showcased the options available to developers to trace and debug cookies sent in requests.

Merewood started by recommending the following default cookie configuration as a starting point, to be fine-tuned according to the required behavior:

Set-Cookie:
  __Host-cookiename=cookievalue;
  Secure;
  Path=/;
  HttpOnly;
  SameSite=Lax

The Secure and Path=/ attributes are required by the __Host- prefix. The Secure attribute limits cookie communication to encrypted transmission, ensuring that browsers send the cookie only over HTTPS connections. As the new cookie attributes get progressively deployed, Merewood recommended that those who have not yet migrated to HTTPS do so.

The cookie path configuration (Path=/) means that the cookie is sent with all requests to the current document origin (e.g., example.com), regardless of path; subdomains of that origin (e.g., images.example.com) are not included.

The HttpOnly attribute ensures that the cookie is only sent in request headers and is not accessible to client-side scripts (e.g., JavaScript), so it cannot easily be stolen via cross-site scripting, a pervasive attack technique.
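As an added example (not code from Merewood's talk), the following JavaScript lints a Set-Cookie header value against the baseline recipe above: it parses the attributes, reports which of Secure, HttpOnly and SameSite are missing, and checks the __Host- prefix rules (Secure set, Path exactly "/", no Domain). The parser and the sample header strings are constructed for this illustration.

```javascript
// Parse a Set-Cookie header value into its name, value and attributes.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attrs = {};
  for (const p of attrParts) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1);
  }
  return { name, value, attrs };
}

// Compare a Set-Cookie value against the baseline recipe. Returns a list of
// findings; an empty list means the header matches the recommended defaults.
function lintSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.secure) findings.push('missing Secure: cookie may be sent over plain HTTP');
  if (!attrs.httponly) findings.push('missing HttpOnly: cookie readable from script (XSS exposure)');
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;
  if (!sameSite) findings.push('missing SameSite: browser applies its own default');
  else if (sameSite === 'none' && !attrs.secure) findings.push('SameSite=None requires Secure');
  if (name.startsWith('__Host-')) {
    // Browsers only accept a __Host- cookie when all three conditions hold.
    if (!attrs.secure) findings.push('__Host- prefix requires Secure');
    if (attrs.path !== '/') findings.push('__Host- prefix requires Path=/');
    if ('domain' in attrs) findings.push('__Host- prefix forbids Domain');
  }
  return findings;
}

// Constructed samples: the recipe from the talk, and a weakened variant.
const RECIPE_HEADER = '__Host-cookiename=cookievalue; Secure; Path=/; HttpOnly; SameSite=Lax';
const WEAK_HEADER = '__Host-session=abc; Path=/; Domain=example.com; SameSite=None';

console.log('recipe findings:', lintSetCookie(RECIPE_HEADER));
console.log('weak findings:', lintSetCookie(WEAK_HEADER));
```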


Cookie Recipes - SameSite and beyond - Rowan Merewood at web.dev Live