
Cookies

HTTP is stateless. Cookies carry state across requests and are what implements sessions: authentication, personalization, tracking.

Browsers automatically attach a cookie to every later request to the site that set it, within the scope given by the cookie's attributes.

request ...

response Set-Cookie: session=xyz;

request Cookie: session=xyz;

Cookie Attributes

Which URLs should the cookie be attached to?

Cookies do not follow the same-origin policy: scheme and port are not part of a cookie's scope by default. Instead the attributes Domain, Path, Secure and SameSite decide which requests a cookie is attached to.

domain

If set - the cookie is sent to the given domain and all of its subdomains. The value must cover the host that sets it (a host may set a cookie for a parent domain, but not for an unrelated domain), and it must not be a public suffix (eTLD) such as com or co.uk; otherwise the browser rejects the cookie.

Simplified: the request hostname must equal the Domain value or end in "." followed by the value.

If not set - host-only cookie: sent only to the exact hostname that set it, not to its subdomains.

path

If set - sent to the given path and every path below it.

If not set - the default is the directory of the URL that set the cookie: the request path up to (not including) the last "/", or "/" if there is none.

Not a security mechanism: script on one path of an origin can still reach cookies scoped to another path of the same origin (for example through an iframe). Path only makes the system more efficient by saving bandwidth and sending a cookie to the part of the site that needs it.

secure

Only attached to HTTPS requests (confidentiality against network attackers).

Cannot be set or overwritten from a plain-HTTP response (integrity: a Secure cookie may only be created or replaced by a secure origin).

httpOnly

If set - cannot be read by JavaScript through document.cookie .

Prevents theft of the cookie through XSS (confidentiality). Injected script can still send requests that carry the cookie; it just cannot read its value.

But integrity is not protected: browsers cap the number of cookies per domain, so a script can overflow the cookie jar, which evicts older cookies including the HttpOnly one, and then set a new cookie of the same name with an attacker-chosen value (session fixation).
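The Domain, Path, Secure and HttpOnly rules above, together with the jar-overflow attack, as an added example that is not part of the original notes. It is a minimal cookie jar in JavaScript; the per-domain limit, the hostnames and the cookie values are constructed for the demo, and the public-suffix check a real browser performs on Domain is omitted.

```javascript
// Added example, not from the original notes: a minimal cookie jar applying the
// Domain, Path, Secure and HttpOnly rules of RFC 6265, with a per-domain limit
// so the cookie-jar-overflow attack against an HttpOnly cookie can be shown.
// MAX_COOKIES_PER_DOMAIN, all hosts and all values are constructed for the demo;
// the public-suffix check a real browser does on Domain is omitted.

const MAX_COOKIES_PER_DOMAIN = 5; // real browsers allow roughly 150-180

// RFC 6265 5.1.3: host domain-matches value if equal or host ends with "." + value.
function domainMatches(host, domainValue) {
  host = host.toLowerCase();
  domainValue = domainValue.toLowerCase();
  return host === domainValue || host.endsWith("." + domainValue);
}

// RFC 6265 5.1.4: path-match if equal, or the cookie path is a prefix that ends
// in "/" or is followed by "/" in the request path ("/a" matches "/a/b", not "/ab").
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Default-path when no Path attribute is given: the request path up to
// (excluding) the last "/", or "/" if that would be empty.
function defaultPath(requestPath) {
  const cut = requestPath.lastIndexOf("/");
  return requestPath.startsWith("/") && cut > 0 ? requestPath.slice(0, cut) : "/";
}

class CookieJar {
  constructor() { this.cookies = []; } // oldest first, the order eviction uses

  // Store a cookie as if a Set-Cookie header arrived in a response for `url`.
  // attrs: { domain?, path?, secure?, httpOnly? }. Returns false if rejected.
  setCookie(url, name, value, attrs = {}) {
    const u = new URL(url);
    const hostOnly = !attrs.domain;
    const domain = hostOnly ? u.hostname : attrs.domain.replace(/^\./, "").toLowerCase();
    if (!hostOnly && !domainMatches(u.hostname, domain)) return false; // not our domain
    if (attrs.secure && u.protocol !== "https:") return false;         // Secure needs https
    const path = attrs.path && attrs.path.startsWith("/") ? attrs.path : defaultPath(u.pathname);
    // Same (name, domain, path) replaces the old cookie.
    this.cookies = this.cookies.filter(c => !(c.name === name && c.domain === domain && c.path === path));
    // Per-domain limit reached: evict the oldest cookie of that domain.
    const ofDomain = () => this.cookies.filter(c => c.domain === domain);
    while (ofDomain().length >= MAX_COOKIES_PER_DOMAIN) {
      this.cookies.splice(this.cookies.indexOf(ofDomain()[0]), 1);
    }
    this.cookies.push({ name, value, domain, hostOnly, path,
                        secure: !!attrs.secure, httpOnly: !!attrs.httpOnly });
    return true;
  }

  // Cookies the browser would send in the Cookie header of a request to `url`.
  cookiesFor(url) {
    const u = new URL(url);
    return this.cookies.filter(c =>
      (c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain)) &&
      pathMatches(u.pathname, c.path) &&
      (!c.secure || u.protocol === "https:"));
  }

  cookieHeader(url) {
    return this.cookiesFor(url).map(c => `${c.name}=${c.value}`).join("; ");
  }

  // What document.cookie shows to script running on `url`: HttpOnly cookies are hidden.
  documentCookie(url) {
    return this.cookiesFor(url).filter(c => !c.httpOnly).map(c => `${c.name}=${c.value}`).join("; ");
  }
}

// The overflow attack: injected script cannot read the HttpOnly session cookie,
// but it can push it out of the jar and replace it with a value it knows.
function jarOverflowDemo() {
  const jar = new CookieJar();
  const site = "https://app.example.com/";
  jar.setCookie(site, "session", "xyz", { secure: true, httpOnly: true });
  const readable = jar.documentCookie(site);               // "" -> confidentiality holds
  for (let i = 0; i < MAX_COOKIES_PER_DOMAIN; i++) {       // XSS payload: fill the jar ...
    jar.setCookie(site, "junk" + i, "x");                  // ... "session" gets evicted
  }
  jar.setCookie(site, "session", "attacker-chosen");       // ... and is replaced
  const sent = jar.cookiesFor(site).find(c => c.name === "session").value;
  return { readable, sent };                               // { readable: "", sent: "attacker-chosen" }
}
```

jarOverflowDemo() shows the two halves of the HttpOnly story side by side: documentCookie() never exposes the session value, yet after the loop the request to the site carries a session cookie the attacker picked. The cookie prefixes described further down are the defense against exactly this overwrite.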

Max-Age , Expires

If set - the cookie is removed from the jar once it expires.

It expires immediately when Max-Age <= 0 or Expires is a date in the past; this is how a server deletes a cookie.

If both are specified, Max-Age takes precedence.

If neither is set, it is a session cookie: removed when the browser is closed (unless the browser restores the previous session).

SameSite

Controls attachment to cross-site requests (cross-site means a different registrable domain, eTLD+1, or a different scheme; not merely a different hostname):

  • Strict : never
  • Lax : sometimes (the default in Chromium-based browsers when no SameSite attribute is given)

    sent on cross-site top-level navigations that use a safe method, e.g. the user clicks a link leading to the site; not sent for subresources, iframes or cross-site POST form submissions

  • None : always (then the cookie must also be Secure , otherwise the browser rejects it)
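The SameSite decision, as an added example that is not part of the original notes: a function that decides whether a cookie with a given SameSite value is attached to a request, using the "schemeful same-site" definition (scheme plus registrable domain). The public-suffix list is reduced to three constructed entries, and the request descriptions are assumptions made for the demo.

```javascript
// Added example, not from the original notes: should a cookie with SameSite
// = Strict | Lax | None be attached to a request? The public-suffix list is a
// constructed three-entry subset; a browser uses the full list.

const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]); // constructed subset

// Registrable domain (eTLD+1): "a.b.example.co.uk" -> "example.co.uk".
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return host.toLowerCase();
}

// Schemeful same-site: same scheme and same registrable domain.
// Different hostnames under one eTLD+1 (app. vs www.) are still same-site.
function isSameSite(urlA, urlB) {
  const a = new URL(urlA), b = new URL(urlB);
  return a.protocol === b.protocol &&
         registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

const SAFE_METHODS = ["GET", "HEAD", "OPTIONS", "TRACE"];

// request: { url, initiator, method, topLevelNavigation }
// `initiator` is the URL of the page that caused the request; null means the
// user typed the URL or used a bookmark, which counts as same-site.
function shouldAttach(sameSite, request) {
  const crossSite = request.initiator !== null && !isSameSite(request.url, request.initiator);
  if (!crossSite) return true;             // same-site requests always get the cookie
  switch (sameSite) {
    case "Strict":
      return false;                        // never on cross-site requests
    case "None":
      return true;                         // always (only valid together with Secure)
    default:                               // "Lax", also the Chromium default when unset:
      // only top-level navigations with a safe method (clicking a link);
      // not subresources, iframes, or cross-site POST form submissions.
      return request.topLevelNavigation && SAFE_METHODS.includes(request.method);
  }
}
```

One caveat for the "Lax by default" case: Chromium treats a cookie without a SameSite attribute as Lax but, as a transition measure, still sends it on top-level cross-site POSTs for the first two minutes after it was set ("Lax+POST"). Setting SameSite=Lax explicitly avoids relying on that exception; shouldAttach() above models the explicit attribute only.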

Cookie Prefixes

Defense against cookie overwriting (session fixation by an attacker who can set a cookie with the same name from a weaker position than the legitimate server).

The prefix tells the browser which attributes the cookie must carry before it accepts it; a cookie that violates the contract is rejected at set time, so the server can rely on the attributes being present. Preserves integrity.

Prefixes added to cookie names:

__Secure-

Must have the Secure attribute and be set from a secure origin (against network attackers, who could otherwise overwrite the cookie from a plain-HTTP response).

__Host-

(against related-domain attackers, i.e. a compromised or malicious sibling subdomain that could set a Domain cookie covering the site)

Must have Secure , no Domain attribute (so the cookie is host-only), and Path=/ , so no other host and no other path can plant a cookie of the same name.
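The storage rules from the Max-Age/Expires, SameSite and prefix sections, as an added example that is not part of the original notes: a Set-Cookie parser plus the checks a browser applies before storing the cookie. The parser is simplified (no quoting, no cookie-date grammar beyond what Date.parse accepts), the origins and cookie names are constructed for the demo, and the `now` parameter is an assumption added so expiry can be tested deterministically.

```javascript
// Added example, not from the original notes: parse a Set-Cookie header and apply
// the storage rules from the notes: Secure only from https, SameSite=None needs
// Secure, Max-Age wins over Expires, Max-Age <= 0 or a past Expires removes the
// cookie, and the __Secure-/__Host- prefix contracts. `now` (ms) is injectable
// for tests; origins and names are constructed for the demo.

function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";");
  const eq = pair.indexOf("=");
  if (eq < 0) return null;                        // name=value is mandatory
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
  for (const part of attrParts) {
    const [k, ...v] = part.split("=");
    // Attribute names are case-insensitive; flags (Secure, HttpOnly) become true.
    cookie.attrs[k.trim().toLowerCase()] = v.length ? v.join("=").trim() : true;
  }
  return cookie;
}

// Returns { ok: true, cookie } when the browser would store it,
// { ok: false, reason } when it would reject or immediately delete it.
function storeCookie(header, originUrl, now = Date.now()) {
  const c = parseSetCookie(header);
  if (!c) return { ok: false, reason: "missing name=value" };
  const a = c.attrs;
  const secureOrigin = new URL(originUrl).protocol === "https:";
  const secure = a.secure === true;
  const hasDomain = typeof a.domain === "string" && a.domain !== "";
  const sameSite = typeof a.samesite === "string" ? a.samesite : null;

  if (secure && !secureOrigin) return { ok: false, reason: "Secure cookie from insecure origin" };
  if (sameSite !== null && sameSite.toLowerCase() === "none" && !secure) {
    return { ok: false, reason: "SameSite=None requires Secure" };
  }
  if (c.name.startsWith("__Secure-") && !secure) return { ok: false, reason: "__Secure- requires Secure" };
  if (c.name.startsWith("__Host-") && (!secure || hasDomain || a.path !== "/")) {
    return { ok: false, reason: "__Host- requires Secure, no Domain and Path=/" };
  }

  // Expiry: Max-Age takes precedence over Expires. A value that does not parse
  // is ignored (RFC 6265), leaving a session cookie. null = session cookie.
  let expires = null;
  const maxAge = typeof a["max-age"] === "string" ? Number.parseInt(a["max-age"], 10) : NaN;
  const expiresAt = typeof a.expires === "string" ? Date.parse(a.expires) : NaN;
  if (!Number.isNaN(maxAge)) expires = maxAge <= 0 ? 0 : now + maxAge * 1000;
  else if (!Number.isNaN(expiresAt)) expires = expiresAt;
  if (expires !== null && expires <= now) return { ok: false, reason: "already expired, removed from jar" };

  return { ok: true, cookie: {
    name: c.name, value: c.value, secure, httpOnly: a.httponly === true,
    sameSite: sameSite === null ? "Lax" : sameSite,   // Chromium default when absent
    domain: hasDomain ? a.domain : null, path: typeof a.path === "string" ? a.path : null,
    expires,
  } };
}
```

storeCookie("__Host-sid=1; Secure; Path=/", "https://app.example.com/") is accepted, while the same header with a Domain attribute, without Path=/, or sent from http:// is rejected, which is exactly why a server that names its session cookie __Host-sid can trust that no sibling subdomain or plain-HTTP response created it.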