Set-Cookie
The HTTP Set-Cookie response header is used to send Cookies from the server to the client for later use.
Usage
The HTTP Set-Cookie response header is generated by the server and used for transferring Cookies to the client. The Cookies are sent back to the server during subsequent HTTP requests for a variety of reasons, including as a way to maintain the state in an otherwise stateless system.
The general syntax is:
Set-Cookie: <cookie-name>=<cookie-value>
cookie-name
The cookie-name
can contain any US-ASCII characters except for the control character, space, tab, or one of the following special characters: ()
<>
[]
@
\/
,
;
:
"
?
.
Some cookie-name
values have a specific prefix, as follows:
__Secure-
: This prefix must be set with the secure flag from a secure page using HTTPS.__Host-
: This prefix must also be set with the secure flag from a secure page using HTTPS, must not have a domain name specified, and that path must be set to/
.
Optionally, parameters can be specified after the cookie value.
expires
The expires
attribute contains the oldest date that the cookie can be maintained. This is an HTTP Date timestamp, and it is relative to the client that the cookie is stored on. When not included, the cookie is assumed to be a session cookie, which is removed once the client is halted.
expires=<date>
Note
Browsers may choose to cap the maximum value for the expires
attribute to 400 days. This is close to 13 months, allowing for sites visited roughly once a year by users to keep working, e.g. reporting the yearly utilities usage through the utility-company's website.
max-age
The max-age
attribute is used to set the number of seconds before the cookie expires. A negative number will cause the cookie to expire immediately.
max-age=<number>
Note
Browsers may choose to cap the maximum value for the max-age
attribute to 400 days. This is close to 13 months, allowing for sites visited roughly once a year by users to keep working, e.g. reporting the yearly utilities usage through the utility-company's website.
domain
The domain
attribute refers to the host that the cookie will be sent to. If this attribute is omitted then it is assumed to be the host of the current resource URL. It is not possible to specify multiple domain values, although subdomains are always included when a domain is specified.
domain=<domain-value>
path
The path
attribute makes it mandatory that the path exists in the URL for the client to send the cookie header. The forward slash /
is used to delimit directors and subdirectories.
path=<path-value>
secure
When the secure
attribute is set, the cookie will only be sent to the server when the protocol is secure (HTTPS), except on the local machine. This is used to thwart man-in-the-middle attacks.
Note
The secure
attribute does not safeguard Cookies against programs that can read the client’s physical hard drive. Also, access to the cookie is possible using JavaScript if the HttpOnly
attribute is not included.
HttpOnly
When the HttpOnly
attribute is set, JavaScipt applications do not have raw access to the cookie’s data. The cookie can still be sent but it cannot be accessed through the document properties.
HttpOnly
SameSite
The SameSite
attribute controls whether Cookies are sent during cross-origin HTTP requests. The three values for this attribute are strict
, lax
, and none
. A strict
setting means that Cookies will be sent for same-site requests only. A lax
setting means that Cookies will not be sent in the background for tasks such as loading images. However, they will be sent when the user on the client navigates elsewhere. The lax
setting is the default when SameSite
is not specified. When the none
setting is used, the cookie will be sent with cross-site requests as well as same-site HTTP requests.
SameSite=<SameSite-value>
Note
When using the none
setting for SameSite
, the secure
attribute must also be set. Also, Cookies sent from a different scheme are taken to be from different sites.
Example
In the first example, a session cookie is set.
Response
Set-Cookie: sid=14A52
In the second example, the same cookie is set except a maximum lifetime of 3600 seconds is specified.
Response
Set-Cookie: sid=14A52; max-age=3600
Takeaway
The HTTP Set-Cookie header is used by the server to send Cookies to the client. The server expects to have them sent back during subsequent HTTP requests to identify the client and maintain the state of the transaction, if applicable.