Cookies 😇
HttpOnly, Secure, SameSite and their security implications
HTTP is a stateless protocol: a web server handles each HTTP request independently of every other. This is especially a problem for identification, because the web server needs to know to whom it is talking. For that reason, we allow the client side (the browser) to store information that it sends along with every single request.
Cookies are the oldest form of client-side data storage. They are commonly used for session management — knowing who the user is after the user has logged in.
Cookies can be created via the HTTP Set-Cookie header or via JavaScript (the document.cookie API). Cookies have a lifetime, which is either the browser session or the time set via the Expires attribute. Cookies have additional attributes that influence how the browser deals with them. This article is mainly about those attributes.
The HttpOnly Attribute
Cookies with the HttpOnly attribute are only accessible via HTTP(S); they are not accessible via JavaScript (document.cookie does not return them).
This helps to reduce the potential damage an XSS vulnerability can cause, since injected script cannot read the cookie's value.
The Secure Attribute
Cookies with the Secure attribute are only sent over an encrypted connection (HTTPS).
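As an added example (not code from the original article), the following script parses a Set-Cookie header the way a browser splits it into name=value and attributes, then reports whether the HttpOnly, Secure and SameSite attributes discussed here are missing. The header strings and the cookie name sessionid are constructed sample input.

```python
# Added example for this article (not code from the original page): parse a
# Set-Cookie header and report which of the discussed attributes are missing.
# All header strings here are constructed sample input, not captured traffic.

# Attributes that carry no value; everything else is name=value.
FLAG_ATTRIBUTES = {"httponly", "secure"}


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into {'name', 'value', 'attributes'}.

    The first ';'-separated part is name=value; the rest are attributes, stored
    with lower-cased names because browsers match them case-insensitively."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attributes = {}
    for part in parts[1:]:
        if not part:
            continue
        attr, _, attr_value = part.partition("=")
        attr = attr.strip().lower()
        # Flags keep an empty value; valued attributes (Path, Expires, SameSite) keep their text.
        attributes[attr] = "" if attr in FLAG_ATTRIBUTES else attr_value.strip()
    return {"name": name.strip(), "value": value.strip(), "attributes": attributes}


def audit_cookie(cookie: dict) -> list:
    """Return findings for a session-style cookie; an empty list means it looks hardened."""
    attrs = cookie["attributes"]
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie, exposed to XSS")
    if "secure" not in attrs:
        findings.append("missing Secure: may be sent over plain HTTP")
    same_site = attrs.get("samesite")
    if same_site is None:
        findings.append("missing SameSite: cross-site sending depends on the browser default")
    elif same_site.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure; browsers reject the cookie otherwise")
    return findings


# Constructed sample headers: a weak session cookie beside a hardened one.
WEAK = "sessionid=abc123; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT"
HARDENED = "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    for header in (WEAK, HARDENED):
        print(header, "->", audit_cookie(parse_set_cookie(header)) or ["ok"])
```

Running it against the two sample headers reports three findings for the weak cookie and none for the hardened one; the same check can be pointed at the Set-Cookie headers your own application emits.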