<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Alireza Hassankhani</title>
    <description>The latest articles on DEV Community by Alireza Hassankhani (@alireza_hassankhani_b8401).</description>
    <link>https://dev.to/alireza_hassankhani_b8401</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4019709%2Fc8197511-bc55-491a-88a6-31a212b7d813.png</url>
      <title>DEV Community: Alireza Hassankhani</title>
      <link>https://dev.to/alireza_hassankhani_b8401</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/alireza_hassankhani_b8401"/>
    <language>en</language>
    <item>
      <title>Cookie attributes</title>
      <dc:creator>Alireza Hassankhani</dc:creator>
      <pubDate>Sun, 12 Jul 2026 20:34:50 +0000</pubDate>
      <link>https://dev.to/alireza_hassankhani_b8401/cookie-attributes-3dbg</link>
      <guid>https://dev.to/alireza_hassankhani_b8401/cookie-attributes-3dbg</guid>
      <description>&lt;p&gt;🍪&lt;/p&gt;

&lt;h3&gt;
  
  
  ** A Deeper Look at Cookie Attributes**
&lt;/h3&gt;

&lt;p&gt;📦 Set-Cookie Header&lt;/p&gt;

&lt;p&gt;When a server wants to create or update a cookie, it uses the Set-Cookie header in the response.&lt;/p&gt;

&lt;p&gt;Example of this header:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="err"&gt;Set-Cookie: session_id=ab12cd34ef56; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=3600
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;At first glance, one might think a cookie is just a Key=Value pair:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;session_id=ab12cd34ef56
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;But in reality, that's only the core part of the cookie.&lt;/p&gt;

&lt;p&gt;What the browser actually receives is the Set-Cookie header, which—alongside the main value—includes a set of attributes. These attributes determine:&lt;/p&gt;

&lt;p&gt;· Which domain the cookie is valid for&lt;br&gt;
· Which paths it should be sent to&lt;br&gt;
· How long it remains valid&lt;br&gt;
· Whether it should only be sent over HTTPS&lt;br&gt;
· Whether it's accessible via JavaScript&lt;br&gt;
· Whether it should be sent in cross-site requests&lt;/p&gt;

&lt;p&gt;Let's examine each of these attributes individually.&lt;/p&gt;



&lt;p&gt;🔒 HttpOnly&lt;/p&gt;

&lt;p&gt;The HttpOnly attribute specifies that the cookie can only be accessed via the HTTP/HTTPS protocol.&lt;/p&gt;

&lt;p&gt;When this attribute is enabled:&lt;/p&gt;

&lt;p&gt;· JavaScript cannot access the cookie&lt;br&gt;
· The cookie cannot be read via document.cookie&lt;br&gt;
· The cookie is only sent by the browser when making requests to the server&lt;/p&gt;

&lt;p&gt;Why does HttpOnly exist?&lt;/p&gt;

&lt;p&gt;One of the most common web attacks is XSS (Cross-Site Scripting).&lt;/p&gt;

&lt;p&gt;In this attack, the attacker manages to inject and execute their own JavaScript code on the page. If the cookie does not have HttpOnly set, the attacker can read the user's session cookie and send it to their own server.&lt;/p&gt;

&lt;p&gt;Enabling HttpOnly means that even if malicious JavaScript is executed, the session cookie cannot be stolen.&lt;/p&gt;

&lt;p&gt;💡 HttpOnly reduces the risk of cookie theft in XSS attacks, but it is not a replacement for preventing the XSS vulnerability itself.&lt;/p&gt;



&lt;p&gt;🔐 Secure&lt;/p&gt;

&lt;p&gt;The Secure attribute specifies that the cookie should only be sent over a secure HTTPS connection.&lt;/p&gt;

&lt;p&gt;If the user is using HTTP, the browser will not send the cookie.&lt;/p&gt;

&lt;p&gt;Why does Secure exist?&lt;/p&gt;

&lt;p&gt;If a cookie is sent over an unencrypted connection (HTTP), an attacker positioned between the user and the server (Man-in-the-Middle) can eavesdrop on the traffic and view or steal the cookie.&lt;/p&gt;

&lt;p&gt;Enabling Secure ensures the cookie is only transmitted over an encrypted connection, drastically reducing the risk of it being stolen in transit.&lt;/p&gt;



&lt;p&gt;🌍 Domain&lt;/p&gt;

&lt;p&gt;The Domain attribute specifies which domain the cookie is valid for.&lt;/p&gt;

&lt;p&gt;For example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Domain=example.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In this case, the cookie will be usable for the main domain and, typically, its subdomains as well.&lt;/p&gt;

&lt;p&gt;However, if Domain is set to another domain, the browser will not send the cookie for that domain.&lt;/p&gt;

&lt;p&gt;This attribute defines the scope of the cookie's validity.&lt;/p&gt;




&lt;p&gt;📂 Path&lt;/p&gt;

&lt;p&gt;The Path attribute determines which URL paths on the website the cookie should be sent to.&lt;/p&gt;

&lt;p&gt;For example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Path=/admin
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In this case, the cookie will only be sent for requests that fall under the /admin path.&lt;/p&gt;

&lt;p&gt;This feature ensures the cookie is only used in parts of the site where it's actually needed.&lt;/p&gt;




&lt;p&gt;⏳ Expires&lt;/p&gt;

&lt;p&gt;The Expires attribute specifies the exact expiration date and time of the cookie.&lt;/p&gt;

&lt;p&gt;For example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Expires=Wed, 01 Jan 2027 00:00:00 GMT
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;After this date is reached, the browser will delete the cookie.&lt;/p&gt;




&lt;p&gt;⌛ Max-Age&lt;/p&gt;

&lt;p&gt;The Max-Age attribute specifies the lifetime of the cookie in seconds.&lt;/p&gt;

&lt;p&gt;For example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Max-Age=3600
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This means the cookie will be deleted exactly one hour after it was created.&lt;/p&gt;

&lt;p&gt;Difference Between Max-Age and Expires&lt;/p&gt;

&lt;p&gt;Both are used to determine when the cookie should be deleted, but they have an important difference:&lt;/p&gt;

&lt;p&gt;· Expires stores a specific date and time.&lt;br&gt;
· Max-Age specifies the remaining lifetime from the moment the cookie is created.&lt;/p&gt;

&lt;p&gt;For this reason, Max-Age is generally considered more reliable, as it does not depend on the user's system clock.&lt;/p&gt;




&lt;p&gt;🛡️ SameSite&lt;/p&gt;

&lt;p&gt;The SameSite attribute specifies whether the cookie should be sent in requests originating from other sites.&lt;/p&gt;

&lt;p&gt;The main purpose of this attribute is to reduce the risk of CSRF (Cross-Site Request Forgery) attacks.&lt;/p&gt;

&lt;p&gt;Its common values are:&lt;/p&gt;

&lt;p&gt;· Strict → The cookie is only sent in same-site requests.&lt;br&gt;
· Lax → The cookie is sent in most normal requests, but restricts many cross-site requests.&lt;br&gt;
· None → The cookie is sent in all requests; in this case, using Secure is also mandatory.&lt;/p&gt;

&lt;p&gt;Proper use of SameSite can be one of the most important defense layers against CSRF attacks.&lt;/p&gt;




&lt;p&gt;📌 Summary&lt;/p&gt;

&lt;p&gt;Each cookie attribute is designed to solve a specific security or functionality issue:&lt;/p&gt;

&lt;p&gt;· HttpOnly → Reduces the risk of cookie theft in XSS attacks&lt;br&gt;
· Secure → Prevents the cookie from being sent over insecure connections and reduces Man-in-the-Middle risks&lt;br&gt;
· SameSite → Reduces the likelihood of successful CSRF attacks&lt;br&gt;
· Domain → Defines which domains are allowed for the cookie&lt;br&gt;
· Path → Defines which URL paths are allowed to receive the cookie&lt;br&gt;
· Expires → Defines the expiration date&lt;br&gt;
· Max-Age → Defines the cookie's lifetime in seconds&lt;/p&gt;

&lt;p&gt;Understanding these attributes is one of the most important prerequisites for learning web security, because many common vulnerabilities are directly related to misconfiguring these very options.&lt;/p&gt;

</description>
      <category>javascript</category>
      <category>frontend</category>
      <category>backend</category>
      <category>webdev</category>
    </item>
  </channel>
</rss>
