Set-Cookie

The HTTP Set-Cookie response header is used to send Cookies from the server to the client for later use.

Usage

The HTTP Set-Cookie response header is generated by the server and used for transferring Cookies to the client. The Cookies are sent back to the server during subsequent HTTP requests for a variety of reasons, including as a way to maintain the state in an otherwise stateless system.

The general syntax is:

Set-Cookie: <cookie-name>=<cookie-value>

cookie-name

The cookie-name can contain any US-ASCII characters except for the control character, space, tab, or one of the following special characters: () <> [] @ \/ , ; : " ?.

Some cookie-name values have a specific prefix, as follows:

• __Secure-: This prefix must be set with the secure flag from a secure page using HTTPS.
• __Host-: This prefix must also be set with the secure flag from a secure page using HTTPS, must not have a domain name specified, and that path must be set to /.

Optionally, parameters can be specified after the cookie value.

expires

The expires attribute contains the oldest date that the cookie can be maintained. This is an HTTP Date timestamp, and it is relative to the client that the cookie is stored on. When not included, the cookie is assumed to be a session cookie, which is removed once the client is halted.

expires=<date>

max-age

The max-age attribute is used to set the number of seconds before the cookie expires. A negative number will cause the cookie to expire immediately.

max-age=<number>

domain

The domain attribute refers to the host that the cookie will be sent to. If this attribute is omitted then it is assumed to be the host of the current resource URL. It is not possible to specify multiple domain values, although subdomains are always included when a domain is specified.

domain=<domain-value>

path

The path attribute makes it mandatory that the path exists in the URL for the client to send the cookie header. The forward slash / is used to delimit directors and subdirectories.

path=<path-value>

secure

When the secure attribute is set, the cookie will only be sent to the server when the protocol is secure (HTTPS), except on the local machine. This is used to thwart man-in-the-middle attacks.

HttpOnly

When the HttpOnly attribute is set, JavaScipt applications do not have raw access to the cookie’s data. The cookie can still be sent but it cannot be accessed through the document properties.

HttpOnly

SameSite

The SameSite attribute controls whether Cookies are sent during cross-origin HTTP requests. The three values for this attribute are strict, lax, and none. A strict setting means that Cookies will be sent for same-site requests only. A lax setting means that Cookies will not be sent in the background for tasks such as loading images. However, they will be sent when the user on the client navigates elsewhere. The lax setting is the default when SameSite is not specified. When the none setting is used, the cookie will be sent with cross-site requests as well as same-site HTTP requests.

SameSite=<SameSite-value>

Example

In the first example, a session cookie is set.

Response

Set-Cookie: sid=14A52

In the second example, the same cookie is set except a maximum lifetime of 3600 seconds is specified.

Response

Set-Cookie: sid=14A52; max-age=3600

Takeaway

The HTTP Set-Cookie header is used by the server to send Cookies to the client. The server expects to have them sent back during subsequent HTTP requests to identify the client and maintain the state of the transaction, if applicable.

See also

• HTTP headers