Cookie
Cookies
Cookies are small pieces of data stored on a user’s device by a web browser, used to remember information about the user, such as login details, preferences, browsing activity…
Cookies Attributes
HttpOnly
The HttpOnly attribute for cookies ensures they cannot be accessed or manipulated by client-side scripts, offering protection against threats like XSS attacks.
Secure
The Secure attribute ensures cookies are sent only over HTTPS, preventing interception or tampering in transit.
HostOnly
The HostOnly attribute (a cookie set without a Domain attribute) ensures the cookie is accessible only to the exact host that set it, excluding its subdomains.
Domain
The Domain attribute specifies which hosts can receive the cookie. If a cookie from example.com sets its Domain attribute to .example.com (notice the leading dot), the cookie will be accessible to both example.com and its subdomains, like sub.example.com.
SameSite
The SameSite attribute controls when cookies are sent to the server based on the origin of the request, which helps to reduce certain types of cross-site request vulnerabilities.
- Strict: the cookie is only sent in a request made from the same site as the cookie's origin.
- Lax: the cookie is sent in a top-level navigation request (e.g., following a link) but not in requests initiated by third-party websites.
- None: explicitly states that the cookie is intended to be sent across sites.
More at MDN - SameSite and Article - SameSite confusion.
Cookies scope on different ports
These three origins will share the same cookies even if SameSite is Strict (cookies are scoped by host, not by port or scheme):
- http://example.com
- http://example.com:5555
- https://example.com
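As an added example (not part of the original page), the toy cookie store below applies the rules from the sections above: host-only versus Domain cookies (RFC 6265 domain matching, the behaviour the Firefox table further down also shows), Secure only over https, SameSite filtering and port-blind scoping. It assumes a host's "site" is its last two labels and that SameSite defaults to Lax when absent; real browsers consult the Public Suffix List.

```javascript
// Toy model of a browser cookie store (added example, not a real browser).
// Assumption: a host's "site" is its last two labels; browsers use the PSL.
const siteOf = host => host.split('.').slice(-2).join('.');

// RFC 6265 domain-matching: exact host, or host is a subdomain of `domain`.
const domainMatches = (host, domain) =>
  host === domain || host.endsWith('.' + domain);

// Store a Set-Cookie header received from `origin` (a hostname). Returns
// null when the Domain attribute does not cover the origin: the browser
// rejects the whole cookie, e.g. Domain=sub2.example.com from sub.example.com.
function storeCookie(origin, header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: origin, hostOnly: true,   // no Domain attr => HostOnly
              secure: false, httpOnly: false, sameSite: 'Lax' }; // Lax assumed
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain': {
        const d = v.replace(/^\./, '').toLowerCase(); // leading dot is ignored
        if (!domainMatches(origin, d)) return null;
        c.domain = d; c.hostOnly = false; break;
      }
      case 'secure':   c.secure = true; break;
      case 'httponly': c.httpOnly = true; break;
      case 'samesite': c.sameSite = v; break;
    }
  }
  return c;
}

// Would cookie `c` be attached to a request for `url`? `from` is the site of
// the page issuing the request (null = same site); `topLevel` marks a
// navigation such as following a link, the only cross-site case Lax allows.
function cookieSent(c, url, { from = null, topLevel = true } = {}) {
  const u = new URL(url);                      // u.port is never consulted
  const host = u.hostname;
  const hostOk = c.hostOnly ? host === c.domain : domainMatches(host, c.domain);
  if (!hostOk) return false;
  if (c.secure && u.protocol !== 'https:') return false;
  const crossSite = from !== null && from !== siteOf(host);
  if (!crossSite || c.sameSite === 'None') return true;
  return c.sameSite === 'Lax' && topLevel;     // Strict never crosses sites
}

// Can document.cookie on the owning page read this cookie?
const scriptReadable = c => !c.httpOnly;
```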
Cookie Ordering
- Arranged alphabetically based on their names
- Sorted by their paths in alphabetical sequence (root path / is first)
Cookie Jar Overflow - Overwriting HttpOnly cookies
Set-Cookie from JavaScript
Chrome
Origin domain | Working | Blocked |
---|---|---|
example.com | example.com, .example.com, sub.example.com | |
sub.example.com | example.com, .example.com, sub.example.com, sub2.example.com | |
Firefox
Origin domain | Working | Blocked |
---|---|---|
example.com | example.com, .example.com | sub.example.com |
sub.example.com | example.com, .example.com, sub.example.com | sub2.example.com |