Use HTTP cookies - HTTP

The Domain and Path attributes define the scope of a cookie, i.e. the URLs to which the cookie may be sent.

The Domain attribute

The Domain attribute specifies which hosts can receive the cookie. If it is absent, it defaults to the host that set the cookie, excluding subdomains. If Domain is specified, subdomains are always included. Specifying Domain is therefore less restrictive than omitting it, but it is useful when subdomains need to share information about a user.

So, if we set Domain=mozilla.org, the cookie will be available on subdomains such as developer.mozilla.org.

The Path attribute

The Path attribute indicates a URL path that must be present in the requested URL for the Cookie header to be sent. The character %x2F ("/") is treated as a directory separator, so subdirectories also match.

Thus, if we set Path=/docs, requests to the following paths will include the cookie:

  • /docs
  • /docs/
  • /docs/Web/
  • /docs/Web/HTTP

On the other hand, the cookie is not sent for paths that do not fall under /docs, such as / or /docsets (a match must end at a path segment boundary, not in the middle of one).
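The Domain and Path rules above are the domain-match and path-match algorithms of RFC 6265 (sections 5.1.3 and 5.1.4). The following is an added example, not code from the original page: it models those two checks so you can see exactly which request URLs a cookie is attached to, including the edge cases (/docsets does not match Path=/docs, notmozilla.org does not match Domain=mozilla.org, and a cookie set without Domain is host-only). The cookie object shape and the sample cookies are this example's own assumptions.

```javascript
// Added example (not from the page): the browser's Domain / Path scoping
// rules from RFC 6265 5.1.3 (domain-match) and 5.1.4 (path-match).
// The cookie shape { name, domain, hostOnly, path } and the sample cookies
// below are assumptions constructed for illustration.

// RFC 6265 5.1.4: a cookie set without a Path attribute gets a default path
// equal to the request path up to (but not including) its last "/".
function defaultPath(requestPath) {
  if (!requestPath.startsWith("/")) return "/";
  const lastSlash = requestPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : requestPath.slice(0, lastSlash);
}

// RFC 6265 5.1.4 path-match: "/docs" matches "/docs", "/docs/" and
// "/docs/Web/HTTP", but NOT "/docsets": after the prefix the next character
// of the request path must be "/" (or the cookie path itself ends in "/").
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// RFC 6265 5.1.3 domain-match: Domain=mozilla.org covers mozilla.org and any
// subdomain such as developer.mozilla.org, but not "notmozilla.org": the
// character just before the suffix must be a ".". A leading dot on the
// Domain attribute is ignored, as browsers do.
function domainMatches(cookieDomain, requestHost) {
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  requestHost = requestHost.toLowerCase();
  if (cookieDomain === requestHost) return true;
  return requestHost.endsWith(cookieDomain) &&
    requestHost[requestHost.length - cookieDomain.length - 1] === ".";
}

// hostOnly is true when Set-Cookie carried no Domain attribute: then only the
// exact host that set the cookie receives it (no subdomains).
function cookieAppliesTo(cookie, url) {
  const u = new URL(url);
  const hostOk = cookie.hostOnly
    ? u.hostname.toLowerCase() === cookie.domain.toLowerCase()
    : domainMatches(cookie.domain, u.hostname);
  return hostOk && pathMatches(cookie.path, u.pathname);
}

// Constructed sample cookies matching the Domain / Path sections above.
const docsCookie = { name: "id", domain: "mozilla.org", hostOnly: false, path: "/docs" };
const hostOnlyCookie = { name: "sid", domain: "developer.mozilla.org", hostOnly: true, path: "/" };

for (const url of [
  "https://developer.mozilla.org/docs/Web/HTTP",
  "https://developer.mozilla.org/docsets",
  "https://notmozilla.org/docs",
]) {
  console.log(url, "docsCookie:", cookieAppliesTo(docsCookie, url),
              "hostOnlyCookie:", cookieAppliesTo(hostOnlyCookie, url));
}
```

The two checks are independent: a request must pass both the host check and the path check, so a cookie scoped to Domain=mozilla.org but Path=/docs is still withheld from https://developer.mozilla.org/docsets.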

The SameSite attribute

The SameSite attribute lets a server state whether the cookie should be sent with requests initiated by other origins/sites. This gives some protection against cross-site request forgery (CSRF) attacks.

This attribute can take three different values:

Strict

The browser only sends the cookie for requests to the same site the cookie originated from.

Lax

Similar to Strict, but the browser also sends the cookie when the user navigates to the cookie's origin site from a different site (a top-level navigation using a safe method such as GET), for example when following a link from an external site.

None

The cookie is sent for both same-site and cross-site requests, but only in secure contexts (in other words, if SameSite=None is set, the Secure attribute must also be present).

If the SameSite attribute is not specified, the default is Lax.

Here is an example:

Note: the SameSite specification has changed (MDN documents the current behaviour). See the SameSite browser compatibility table for details on how the attribute is handled by each browser version:

  • SameSite=Lax is now the default when SameSite is not specified. Previously, cookies were sent with all requests by default.
  • Cookies with SameSite=None must now also carry the Secure attribute (that is, the context must be secure).
  • Cookies from the same domain are no longer considered same-site if the scheme differs (http: is considered different from https:).

Because of the way the cookie mechanism is designed, a server cannot confirm that a cookie was set from a secure origin, nor where a cookie was originally set.

A vulnerable application on a subdomain could therefore set a cookie with the Domain attribute, which would make that cookie available on all subdomains. This mechanism can be abused in a session fixation attack. See the description of that attack for more information on prevention methods.

As a defense-in-depth measure, cookie prefixes can be used to assert certain properties of a cookie. Two prefixes are available:

__Host-

If a cookie name has this prefix, it is only accepted in a Set-Cookie header if all of the following hold:

  • It is marked with the Secure attribute
  • It was sent from a secure origin
  • It does not include a Domain attribute
  • Its Path attribute is set to /

Such cookies can therefore be regarded as domain-locked.

__Secure-

If a cookie name has this prefix, it is only accepted in a Set-Cookie header if it is marked with the Secure attribute and was sent from a secure origin. This is a weaker guarantee than the one provided by the __Host- prefix.

The browser rejects cookies that carry one of these prefixes but do not satisfy the corresponding constraints. Note that this means cookies set by subdomains with these prefixes are either confined to that subdomain or ignored entirely. Since the application server only checks the name of a given cookie when authenticating a user or validating a CSRF token, this effectively serves as a measure against session fixation.

Warning: on the application server, the web application must check the full cookie name, including the prefix. User agents do not strip the prefix before sending the cookie in the request's Cookie header.

For more information on prefixes and related browser compatibility, see the prefixes section of the Set-Cookie reference page.
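The prefix rules above are checks the browser performs on an incoming Set-Cookie header, and the warning is a check the server must perform on the outgoing Cookie header. The following is an added example, not code from the original page or from any browser: it parses a Set-Cookie line, reports why a __Host- or __Secure- cookie would be rejected, and then shows the server-side lookup by full name that the warning calls for. The cookie names (__Host-session, __Secure-id) and the sample headers are constructed for this example.

```javascript
// Added example (not from the page): a minimal Set-Cookie parser plus the
// __Host- / __Secure- prefix checks described above, and a server-side
// Cookie-header lookup by the full, prefixed name. The cookie names and the
// sample headers are constructed for illustration.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq <= 0) return null;
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    secure: false, httpOnly: false, domain: null, path: null, sameSite: null,
  };
  for (const attr of attrs) {
    const [k, ...rest] = attr.split("=");
    const key = k.trim().toLowerCase();
    const val = rest.join("=").trim();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "domain") cookie.domain = val;
    else if (key === "path") cookie.path = val;
    else if (key === "samesite") cookie.sameSite = val;
  }
  return cookie;
}

// Returns null when a browser would accept the cookie, otherwise the reason
// it is rejected. fromSecureOrigin: whether the response arrived over https.
function prefixViolation(cookie, fromSecureOrigin) {
  if (cookie.name.startsWith("__Host-")) {
    if (!cookie.secure) return "__Host- requires Secure";
    if (!fromSecureOrigin) return "__Host- must be set from a secure origin";
    if (cookie.domain !== null) return "__Host- must not have a Domain attribute";
    if (cookie.path !== "/") return "__Host- requires Path=/";
    return null;
  }
  if (cookie.name.startsWith("__Secure-")) {
    if (!cookie.secure) return "__Secure- requires Secure";
    if (!fromSecureOrigin) return "__Secure- must be set from a secure origin";
    return null;
  }
  return null;  // unprefixed names carry no extra constraints
}

// Server side: parse the request's Cookie header into a Map of name -> value.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq <= 0) continue;
    jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// The user agent sends the prefix unchanged, so the lookup must use the
// full name: asking for "session" would never find "__Host-session".
function getSession(cookieHeader) {
  return parseCookieHeader(cookieHeader).get("__Host-session") ?? null;
}

// Constructed Set-Cookie headers: one valid, one that a subdomain might try
// to use to plant a session cookie on the parent domain (session fixation).
for (const line of [
  "__Host-session=abc123; Secure; Path=/; HttpOnly; SameSite=Lax",
  "__Host-session=attacker; Secure; Path=/; Domain=example.com",
]) {
  console.log(line, "->", prefixViolation(parseSetCookie(line), true) ?? "accepted");
}
console.log(getSession("theme=dark; __Host-session=abc123"));
```

The second sample header is exactly the subdomain case the text describes: because __Host- forbids a Domain attribute, a browser drops it instead of letting the attacker-controlled subdomain set a session cookie that the parent domain would honour.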

Accessing cookies in JavaScript with Document.cookie

You can create new cookies in JavaScript using the Document.cookie property. You can also read existing cookies from JavaScript, unless the HttpOnly attribute was set on them.

document.cookie = "delicieux_cookie=choco";
document.cookie = "savoureux_cookie=menthe";
console.log(document.cookie);

Cookies created in JavaScript cannot include the HttpOnly attribute.

See the Security section below: cookies accessible from JavaScript can be stolen through XSS attacks.
