Secure Cookie Attributes Revisited

The flags that decide how, when, and from where a cookie may be sent.


Flags That Shape Cookie Risk

Cookies often hold session identifiers, so the attributes you set on them directly affect security. Each flag closes a different attack path.

  • HttpOnly blocks JavaScript from reading the cookie, limiting theft through cross-site scripting.
  • Secure sends the cookie only over HTTPS, so it never leaks on a plaintext connection.
  • SameSite controls whether the cookie rides along on cross-site requests. Strict and Lax reduce cross-site request forgery; None allows cross-site sending and is only accepted by browsers when Secure is also set.

Scope and Lifetime

  • Set a precise Domain and Path so the cookie is not sent more broadly than needed; omitting Domain scopes the cookie to the issuing host alone.
  • Prefer the __Host- prefix for session cookies: the browser then requires Secure, rejects any Domain attribute, and requires Path=/, so host scope is enforced rather than merely intended.
  • Keep lifetimes short and pair cookies with server-side session expiry.

No single flag is enough. A robust session cookie is HttpOnly, Secure, SameSite restricted, host scoped, and short lived, so each layer covers a gap the others leave open.
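The following is an added example, not the lesson's own code. It shows both halves of the lesson in working Python: building a Set-Cookie header for a hardened session cookie, and auditing an arbitrary Set-Cookie header for the weaknesses the lesson lists (missing HttpOnly or Secure, SameSite=None, a Domain attribute, no __Host- prefix, a long Max-Age). The cookie name `__Host-session` and the one-hour lifetime ceiling are assumed policy choices, not values from the lesson.

```python
"""Build and audit Set-Cookie headers for session cookies (added example)."""
from typing import Dict, List, Optional, Tuple

# Assumed policy ceiling for a session cookie's Max-Age (one hour).
MAX_SESSION_AGE_SECONDS = 3600


def build_session_cookie(value: str, max_age: int = 900,
                         same_site: str = "Lax") -> str:
    """Return a Set-Cookie header value for a hardened session cookie.

    The __Host- prefix makes the browser require Secure, reject Domain and
    require Path=/, so the cookie is host scoped by construction.
    """
    if same_site not in ("Strict", "Lax"):
        raise ValueError("session cookies should use SameSite=Strict or Lax")
    if max_age > MAX_SESSION_AGE_SECONDS:
        raise ValueError("session lifetime exceeds the policy ceiling")
    return "; ".join([
        f"__Host-session={value}",  # assumed cookie name
        "Path=/",
        "Secure",
        "HttpOnly",
        f"SameSite={same_site}",
        f"Max-Age={max_age}",
    ])


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are case-insensitive, so they are lower-cased; flag
    attributes such as Secure and HttpOnly map to None.
    """
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for seg in segments[1:]:
        if not seg:
            continue
        key, sep, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for a Set-Cookie header; an empty list means it passes."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []

    # Flags that shape cookie risk.
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: script can read it (XSS theft)")
    if "secure" not in attrs:
        findings.append("missing Secure: may be sent over plaintext HTTP")
    same_site = (attrs.get("samesite") or "").lower()
    if not same_site:
        findings.append("missing SameSite: browser default applies")
    elif same_site == "none":
        findings.append("SameSite=None: sent on cross-site requests")
        if "secure" not in attrs:
            findings.append("SameSite=None without Secure is rejected by browsers")

    # Scope: Domain widens the cookie to every subdomain; __Host- pins it.
    if "domain" in attrs:
        findings.append(f"Domain={attrs['domain']}: shared with all subdomains")
    if name.startswith("__Host-"):
        if attrs.get("path") != "/":
            findings.append("__Host- cookie must have Path=/")
    else:
        findings.append("no __Host- prefix: scope is not enforced by the browser")

    # Lifetime: prefer a short Max-Age; Expires needs a separate date check.
    max_age = attrs.get("max-age")
    if max_age is not None:
        if not max_age.lstrip("-").isdigit() or int(max_age) > MAX_SESSION_AGE_SECONDS:
            findings.append(f"Max-Age={max_age}: malformed or above the policy ceiling")
    elif "expires" in attrs:
        findings.append("Expires set without Max-Age: verify the lifetime is short")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one hardened, one typical of a weak default.
    good = build_session_cookie("abc123")
    weak = "sid=abc123; Domain=example.com; Path=/; Max-Age=2592000"
    for header in (good, weak):
        print(header)
        for finding in audit_set_cookie(header) or ["OK"]:
            print("  -", finding)
```

The audit is deliberately a list of independent checks rather than one pass/fail bit, which mirrors the lesson's point: each attribute closes a different path, and a cookie that is Secure but not HttpOnly still fails one of them.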

Key idea

Cookie security comes from combining attributes: HttpOnly blocks script theft, Secure forces HTTPS, SameSite curbs cross-site requests, and tight scope plus a short lifetime close the rest, since no single flag suffices.

Check yourself


1. What does the HttpOnly flag defend against?

2. What does SameSite primarily reduce?