Cookies, Attributes, and Scope

How Domain, Path, and lifetime control where a cookie travels.

Stateful Markers in a Stateless Protocol

HTTP is stateless, so cookies let a server keep state across requests. A cookie is a name and value the client stores and replays automatically. Attributes decide where and how long it travels.

Scope Attributes

  • Domain sets which hosts receive the cookie; without it the cookie is limited to the exact host that set it.
  • Path restricts the cookie to URLs under a given prefix.

A cookie is sent only when both the domain and path of the target URL match.

Lifetime Attributes

  • Expires sets an absolute end date.
  • Max-Age sets a lifetime in seconds and wins over Expires.
  • With neither, the cookie is a session cookie that disappears when the browser closes.

Why Scope Matters

Tight scope limits exposure. A cookie scoped to a payments path will not be sent on unrelated pages, shrinking the blast radius if it leaks.
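The scope and lifetime rules above can be checked with a small model of the browser's decision. This is an added example, not code from the lesson: it follows the RFC 6265 matching rules in simplified form, and the host `shop.example`, the `/pay` path, and all function names are assumptions made for illustration.

```javascript
// Simplified model: default Path is "/" (an assumption; browsers derive it from the request URL).
function parseSetCookie(header, requestHost, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), path: "/",
    domain: requestHost.toLowerCase(), hostOnly: true, // no Domain: exact host only
    expires: null };                                   // null: session cookie
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "domain" && val) {
      cookie.domain = val.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;                         // Domain set: subdomains match too
    } else if (key === "path" && val.startsWith("/")) cookie.path = val;
    else if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = Number(val);
    else if (key === "expires" && !Number.isNaN(Date.parse(val))) expires = Date.parse(val);
  }
  if (maxAge !== null) cookie.expires = now + maxAge * 1000; // Max-Age wins over Expires
  else if (expires !== null) cookie.expires = expires;
  return cookie;
}

function domainMatches(host, cookie) {
  host = host.toLowerCase();
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  // Prefix must end on a segment boundary: /pay matches /pay/x, not /payroll.
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// True when the stored cookie would be attached to a request for `url` at time `now` (ms).
function shouldSend(cookie, url, now) {
  if (cookie.expires !== null && cookie.expires <= now) return false;
  const u = new URL(url);
  return domainMatches(u.hostname, cookie) && pathMatches(u.pathname, cookie.path);
}

// Constructed sample: a payments-scoped cookie set by the hypothetical host shop.example.
const NOW = Date.UTC(2024, 0, 1);
const PAY = parseSetCookie(
  "sid=abc; Path=/pay; Max-Age=60; Expires=Wed, 01 Jan 2025 00:00:00 GMT", "shop.example", NOW);
console.log(["/pay/checkout", "/payroll"].map((p) => shouldSend(PAY, "https://shop.example" + p, NOW)));
```

Real browsers also refuse a Domain value that does not cover the host setting the cookie, a check this model leaves out.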

Key idea

Cookies add state to stateless HTTP. Their Domain and Path attributes scope where they travel, while Expires or Max-Age control how long they live; with no lifetime attribute, the cookie is a session-only cookie.

Check yourself

1. When is a cookie sent on a request?

2. What happens to a cookie with no Expires or Max-Age?