Cookies
Access a cookie client side
A cookie that is not HttpOnly can be accessed client side using document.cookie.
HttpOnly Cookie
HttpOnly
An HttpOnly cookie cannot be accessed by client-side JavaScript. Therefore a hacker cannot read this cookie value and send it to their server. The hacker doesn't even know whether the cookie exists.
Normally we also set Domain. If Domain is missing, the browser will set it to the same value as the HTTP connection's host name.
- Setting the domain will make the cookie only available to that domain.
SameSite
Controls whether or not the cookie is sent for cross-site requests. Provides some protection against CSRF (cross-site request forgery).
Syntax: SameSite=<value>
Strict
- The browser sends the cookie only for same-site requests. If the request goes to a different domain, the cookie will not be sent at all.
- For example: the client visits google.com with the cookie DarkTheme=1; SameSite=Strict. Clicking on a Google search link to a different site (twitter.com), this cookie will not be sent.
Lax
- The browser sends the cookie for same-site requests, and for cross-site requests only if the request is a GET and a top-level request.
- Top level means the request is not coming from an img, iframe, etc.
- For example: the client visits google.com with the cookie DarkTheme=1; SameSite=Lax. Clicking on a Google search link to a different site (twitter.com), the cookie DarkTheme=1 will be sent.
None
- The browser sends the cookie for both cross-site and same-site requests; there is no restriction. When setting this, the Secure tag needs to be set as well, so: SameSite=None; Secure
Secure (optional)
- Indicates that the cookie is only sent when the request is made over [[https]], except for localhost.
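As an added illustration, not part of these notes: a small JavaScript model of the HttpOnly, SameSite and Secure rules above. It parses a Set-Cookie header, decides whether a browser following these rules would attach the cookie to a given request, and lists the settings a reviewer would want fixed. The request object shape and the treatment of a missing SameSite attribute as Lax are assumptions of the example, not something the notes state.

```javascript
// Added example (not from the original notes): a model of the cookie attribute
// rules described above. Real browsers have more nuance than this encodes.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   httpOnly: false, secure: false, sameSite: null, domain: null };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    switch (key.toLowerCase()) {
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure':   cookie.secure = true; break;
      case 'samesite': cookie.sameSite = val.trim().toLowerCase(); break;
      case 'domain':   cookie.domain = val.trim().toLowerCase(); break;
    }
  }
  return cookie;
}

// req: { crossSite, method, topLevel, https, localhost } describes the request
// (an assumed shape for this example).
function wouldBrowserSend(cookie, req) {
  // Secure cookies only travel over HTTPS; localhost is the exception noted above.
  if (cookie.secure && !req.https && !req.localhost) return false;
  if (!req.crossSite) return true;              // same-site: every mode sends it
  // A missing SameSite attribute is not covered by the notes; Chromium-based
  // browsers treat it as Lax, and this model does the same (assumption).
  const mode = cookie.sameSite || 'lax';
  if (mode === 'strict') return false;          // never on cross-site requests
  if (mode === 'lax') return req.method === 'GET' && req.topLevel;
  return cookie.secure;                         // None: only honoured with Secure
}

// Defender's view: which of the attributes discussed above are missing?
function cookieWeaknesses(cookie) {
  const issues = [];
  if (!cookie.httpOnly) issues.push('readable via document.cookie (no HttpOnly)');
  if (!cookie.secure) issues.push('sent over plain HTTP (no Secure)');
  if (cookie.sameSite === 'none' && !cookie.secure) {
    issues.push('SameSite=None without Secure is not accepted');
  }
  return issues;
}
```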