Cookie types
- Cookie: sent by browser; format name1=value1; name2=value2
- Set-Cookie: sent by server; format name=value; Path=/; HttpOnly; Secure — one cookie per header
Attribute reference
- Path: URL path scope (default /)
- Domain: domain scope (default current host, no subdomains)
- Expires / Max-Age: when the cookie expires
- HttpOnly: cannot be accessed via JavaScript (XSS protection)
- Secure: only sent over HTTPS
- SameSite: Lax / Strict / None — CSRF protection
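Added example (not part of the original cheat sheet): a small Python checker that parses Set-Cookie header values in the format above and reports cookies lacking the attributes listed in the reference. It also includes one check the page does not state: browsers only accept SameSite=None when Secure is set as well. The sample headers are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute name -> value (None for flags)

def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value, then ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        # Attribute names are case-insensitive; HttpOnly and Secure carry no value.
        cookie.attrs[key.strip().lower()] = val.strip() if has_eq else None
    return cookie

def audit_cookie(cookie: Cookie) -> list:
    """Return findings for one cookie; an empty list means the expected protections are present."""
    findings = []
    a = cookie.attrs
    if "secure" not in a:
        findings.append("missing Secure: sent over plain HTTP too")
    if "httponly" not in a:
        findings.append("missing HttpOnly: readable from JavaScript")
    samesite = (a.get("samesite") or "").lower()
    if not samesite:
        findings.append("missing SameSite: no CSRF protection from this attribute")
    elif samesite == "none" and "secure" not in a:
        # Browsers reject SameSite=None unless Secure is also set (check added beyond the page).
        findings.append("SameSite=None without Secure: browsers reject this combination")
    if a.get("domain"):
        # Per the reference above, Domain widens scope beyond the current host to subdomains.
        findings.append(f"Domain={a['domain']}: cookie also sent to subdomains")
    return findings

def audit_headers(headers: list) -> dict:
    """Audit Set-Cookie header values (one cookie per header); map cookie name -> findings."""
    return {c.name: audit_cookie(c) for c in map(parse_set_cookie, headers)}

# Constructed sample headers for illustration.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "tracker=xyz; Path=/; Domain=example.com",
    "legacy=1; SameSite=None",
]
```

Run audit_headers(SAMPLE_HEADERS) to see which of the three constructed cookies pass and why the others do not.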